How to implement a Web Application Firewall (WAF)


You can implement a Web Application Firewall (WAF) by using a cloud-based service, by installing a physical web firewall device, or by writing your own custom rules to filter malicious traffic. For this solution, we will focus on cloud-based firewall services from Cloudflare and Sucuri.

Note: Although it’s called a Web Application Firewall, you can use it to protect a website. Some websites are directly running on an application, such as a CMS like WordPress, Joomla, Drupal or Moodle.


Cloudflare and Sucuri


Cloudflare describes its WAF service as “enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.”




Sucuri describes their service as “The Sucuri Firewall is a cloud-based WAF that stops web application/ website hacks and attacks. Our constant research improves our detection and mitigation of evolving threats, and you can add your own custom rules.”




Cloud-based vs physical (on-premise) firewall vs writing your own firewall rules.

  • Cloud-based firewall – Ideal for web application/ website owners who do not run their own IT department. Maintenance (such as continuously updating security rules) is done by the cloud service provider, and it is easy to implement for non-technical people.
  • Physical firewall – A physical device that the owner must buy and keep. It is usually costly and targeted at companies with technical IT staff, is not easy to implement for non-technical people, and often requires a lot of technical maintenance by the owner (even if the vendor offers updates).
  • Writing your own firewall rules – Can be implemented using the web server’s configuration rules. There are some downsides to this approach, mainly because you have to update your own rules to handle changes in malicious data. This approach filters traffic only when it reaches the web server, which puts more load on the web server. Updating the rules can be excessively time-consuming, so it does not scale well as a web application/ website grows, compared to an automated firewall setup with good vendor updates.

Setting up Cloudflare and Sucuri

Cloud-based Web Application Firewalls typically work like this:

  1. Sign up online for a recurring subscription plan with the Web Application Firewall provider.
  2. The provider will ask you to make some minor changes (DNS configuration) in your hosting account so that when users visit your web application/ website, it goes through their firewall solution first.
  3. You can enable or disable additional security settings, such as HTTPS, security headers, allow/deny lists, caching and more.
  4. When users visit your web application/ website address, the firewall solution receives the request before your web server, checks it for malicious content, then passes it on to your web server. The user will not see anything unusual, and there often isn’t a noticeable delay.

Note: You should choose a Web Application Firewall that fits well with your web application/ website’s platform, provides more benefit than cost, and meets your security requirements.

How to verify your Web Application Firewall (WAF) is implemented

  1. Inside your account with the cloud service provider, it should state whether your web application/ website is correctly connected.
  2. If it says it’s properly connected, browse to your web application/ website to confirm it loads correctly.
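
One way to script this verification, as an added example that is not part of the original page or either provider's tooling: it checks that the hostname resolves into the provider's edge ranges and that responses carry a provider edge header. The function names, the header-name table and the sample data (documentation address ranges) are assumptions; take the real edge ranges from the list your provider publishes.

```python
import ipaddress
import socket

# Headers each provider's edge adds to responses (assumption: confirm the
# names against the provider's current documentation).
EDGE_HEADERS = {"cloudflare": ("cf-ray",), "sucuri": ("x-sucuri-id",)}

# Constructed sample data using documentation address space, not real
# provider ranges; load the real list your provider publishes.
SAMPLE_EDGE_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]
PROXIED = {"addresses": {"198.51.100.7"},
           "headers": {"Server": "cloudflare", "CF-RAY": "constructed-id"}}
DIRECT = {"addresses": {"203.0.113.10"}, "headers": {"Server": "nginx"}}


def resolve(hostname):
    """Live input for check_waf: the addresses the hostname resolves to."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_waf(provider, addresses, headers, edge_ranges):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    nets = [ipaddress.ip_network(r) for r in edge_ranges]
    for addr in sorted(addresses):
        ip = ipaddress.ip_address(addr)
        # A record outside the edge ranges means visitors (and attackers)
        # reach the web server without passing through the firewall.
        if not any(ip in net for net in nets):
            findings.append(f"DNS: {addr} is outside the provider's edge ranges")
    names = {name.lower() for name in headers}
    if not any(marker in names for marker in EDGE_HEADERS[provider]):
        findings.append("HTTP: response carries no provider edge header")
    return findings


if __name__ == "__main__":
    for label, sample in (("proxied", PROXIED), ("direct", DIRECT)):
        result = check_waf("cloudflare", sample["addresses"],
                           sample["headers"], SAMPLE_EDGE_RANGES)
        print(label, result or "OK")
```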

Why implement a Web Application Firewall

A Web Application Firewall helps to block numerous attacks against your web application/ website by using a network of intelligence about global threats. A WAF reduces the likelihood of your web application/ website accepting malicious traffic.
