Best Web Application Firewalls Reviewed

A Web Application Firewall (WAF) solution offers protection for web servers.

Your WAF will monitor traffic between the Internet and your web application; it then filters or blocks traffic based on a set of rules/policies.

Web application firewalls protect from attacks including SQL injection, cross-site-scripting (XSS) and cookie poisoning and are an essential component of your defensive strategy.

Choosing a WAF solution can seem daunting, which is why we’ve created this guide. Our experts have put the leading application security firewalls to the test, assessing things like features, reliability and ease of setup.

Here is our list of the best cloud-based web application firewalls:

  1. AppTrana Managed Web Application Firewall EDITOR’S CHOICE A Fully Managed WAF provided by Indusface with bundled application scanner, CDN and managed custom security rules with Zero WAF False-positive assurance backed with SLA and 24×7 support.
  2. StackPath Web Application Firewall (FREE TRIAL) A Cloud-based firewall that is part of an “edge” solution.
  3. Sucuri Website Firewall (LEARN MORE) Part of a suite of offsite application security services that also includes DDoS protection.
  4. MS Azure Web Application Firewall A cloud-based WAF that can protect web servers anywhere. This is a metered service.
  5. Cloudflare WAF Cloud-based solution that can be combined with DDoS protection.
  6. Akamai Kona Site Defender Combines an offsite WAF and DDoS protection.
  7. Amazon Web Services WAF Front end for those who operate Amazon Web Services, including Application Load Balancer and the Amazon content delivery network.

Here is our list of the best hardware-based web application firewalls:

  1. Imperva SecureSphere A firewall hardware device that caters to small businesses.
  2. Barracuda Web Application Firewall A complete edge service that provides caching and DDoS protection as well as traditional firewall activities.
  3. Citrix Netscaler Application Firewall A choice of hardware device or cloud-based edge service, this firewall also acts as a load balancer.
  4. Fortinet FortiWeb A web application firewall, SSL off-loader, and load balancer aimed at mid-sized businesses.
  5. F5 BIG-IP ASM Handles SSL management as well as performing WAF functions. This device is designed for large businesses.

What Attacks do WAFs protect against?

A web application firewall, or WAF, needs to protect your web server and its content from the following categories of attacks:

  • Cross-Site Scripting (XSS)  – malicious HTML code inserted into a web page input field by a hacker
  • Hidden field manipulation – hackers rewrite the source code of a web page to alter values held in hidden fields and then post the amended code back to the server
  • Cookie poisoning  – altering parameter values held in cookies to corrupt data passed between web pages
  • Web scraping  – automated data extraction from web pages
  • Layer 7 DoS attacks – overwhelming a web server by recursive application activity
  • Parameter tampering – altering values in the parameters to a web page call
  • Buffer overflow – user input that overwrites the code in memory
  • Backdoor or Debug options – developer feedback reports for web page testing that can be used by hackers for access to the processor
  • Stealth commanding – an attack on the operating system of a web server
  • Forced browsing – the hacker gains access to backup or temporary folders on the webserver
  • Third-party misconfigurations – manipulation of content inserts provided by other companies
  • Site vulnerabilities / SQL injections – queries entered in user authentication fields

Although a WAF works as a front end to a website, a number of essential access control functions that your web host needs are not provided by this technology. WAFs focus on HTTP code and the request procedures for other internet applications, such as FTP. In these cases, the secure versions of these application protocols, HTTPS and SFTP, are also covered.

Here’s how WAFs work

WAFs look for irregularities contained in incoming requests and block malformed or devious constructs. A WAF is not responsible for load balancing between a cluster of servers. Although some types of DDoS attacks use HTTP, most use lower-level methods. So, a WAF will protect you against HTTP and FTP application-level/layer 7 DDoS attacks, but not those carried out by other strategies.

WAF configurations

A WAF needs to be a part of your web hosting protection strategy. It can be implemented as a hardware solution or as software.

Proponents of software WAFs argue that you already have sufficient hardware available, you just need to extend the capabilities of your existing equipment in order to get a Web application firewall. However, the ideal location for the WAF is in front of your servers, and most software solutions are installed directly on the Web server.

WAF Placement

The best place to put your WAF is on the router that acts as a gateway between your network (and thus, your server) and the internet. This strategy implies that the best option would be a router that has an integrated WAF. This would be a standalone piece of equipment and it would prevent damaging traffic or hacker exploration reaching your precious server.

Software vs Hardware WAF Considerations

So, which should you choose to control costs? Software WAFs are cheaper than hardware solutions. However, don’t think that there are no hardware costs to installing WAF software on your servers. You probably planned your server hardware capacity and so adding on an extra function will take up disk space, use memory and tie up CPU processors. You may have to extend your server capacity in order to host a WAF, so there are hardware costs involved.

Onsite skill sets are also a consideration. It is probable that your system administration staff are all familiar with your server’s operating system, but would be clumsy around a new device’s firmware. Users of hardware WAFs tend to treat them as black boxes and intervene in their operations a lot less than they do with software WAFs, which could be a good thing.

Both hardware and software WAFs come with patches and update support. However, updating the software versions usually requires your consent and management for each install, whereas hardware WAFs tend to get updated directly by the provider, leaving you without time-consuming patch management issues.

Generally speaking, hardware WAFs and software WAFs perform the same tasks. Hardware WAFs keep extra load off your servers and they can continue to work even when you want to take one of your servers down. A hardware WAF is more reliable and can be left alone to do its job. Although hardware WAFs are probably better options than software WAFs, administrators tend to prefer the accessibility and customizability of software WAFs.

Web application firewall functions

Not only should you scan all user activity when a web page is live, but you need to check the code of your web pages, including off-the-shelf plug-ins provided by external companies. Coding errors and validation oversights that have not yet been spotted are known as zero-day vulnerabilities. They are non-standard paths that could allow a hacker access to your web server. If hackers discover these security flaws before you or the provider of inserted code sees the problem, you will be subjected to a zero-day attack that might not be covered by your WAF.

The value of a WAF lies in the rules that it applies to user responses. These rule settings execute validation procedures that protect your web server from malicious activity by laying out activities to spot and dictating actions to take when an exploit is discovered. Rules will be written to specifically block well-known attack strategies. However, extra, more flexible rules in the WAF’s routines are useful for identifying zero-day threats.

WAF vs next-generation firewalls vs intrusion prevention systems

Hackers are getting increasingly more sophisticated and, thankfully, so are cyber defense systems. However, you might be confused about the different categories of network protection that are now available.

The distinction between an intrusion prevention system (IPS) and any type of firewall is very easy to spot. The firewall defends the boundary of a system, whereas the IPS monitors traffic within the network. An IPS is an advanced form of an Intrusion Detection System (IDS). While an IDS spots suspicious activity, an IPS includes procedures to shut it down.

Next-generation firewalls usually include many of the techniques used by IPSs. That is, they record all activity rather than just examining each packet as it passes through the gateway. However, NGFWs sit at the gateway between the network and the outside world, while IPSs focus on traffic within the network. A WAF specifically examines Web traffic, carried through the HTTPS and SSL protocols. In short, the NGFW looks at traffic entering the network, while the WAF guards the webserver.

The Best Cloud-based WAF Solutions

Most software WAFs are now implemented as cloud services. These services charge a monthly rate with different plans to suit different websites. Here is a run-down of the best cloud-based WAFs on the market today:

1. AppTrana Managed Web Application Firewall (FREE TRIAL)

AppTrana from Indusface provides a fully managed Web application firewall bundled with content acceleration and CDN over the cloud. All you will have to do is route your traffic via the AppTrana Service hosted in multiple regions in AWS data centers by Indusface.

AppTrana comes out of the box with optimized core managed rule sets that can be put in block mode instantly. Indusface developed this core rule set by doing security assessments of thousands of other websites. Once onboarded, customers can do an on-demand automated security assessment of the website and get instant visibility into whether they are already protected by the WAF or require custom security rules.

Customers requiring custom rules can request them from the centralized portal, and the 24×7 MSS team from Indusface will create a custom rule with Zero WAF false-positive assurance to protect them. Website performance is enhanced via a bundled CDN included in the service. The AppTrana plan is available as a subscription service along with a 14-day free trial. Free trial registrations are automatically enrolled into a free forever Basic plan, which includes automated security scanning twice a month for your website.


AppTrana Managed Web Application Firewall is our top choice in this roundup because it includes the services of a team of experts that excel in the field of network protection. The service includes many other security services in addition to the usual web application firewall functions. The technical team of Indusface that works on this service filters out the chatter of security device reporting, taking a great load off the technical managers of client companies.

The location of this service in the cloud also removes the need for you to buy in and manage specialist hardware on-site to protect your network.

OS: Cloud-based

2. StackPath Web Application Firewall (FREE TRIAL)


The Web Application Firewall is one of a suite of cloud-based services offered by StackPath, which specializes in “edge technology.” This term refers to the technique of pushing connected services out to the edge of your network, and then a little beyond. StackPath is a subscription-based Cloud service that captures all of your traffic before it reaches your Web server.

The offsite configuration of StackPath provides extra protection for your Web server as any malicious code doesn’t even get a chance to touch your resources.

The Web traffic heading to your website gets diverted to arrive at the StackPath server first. The three fundamental defenses offered by this service are: IP address assessment, browser validation, and the use of content based routing rules. This methodology focuses on the likelihood of incoming requests coming from dubious sources. The source filtering also shuts down any DDoS attack attempts.

Only validated traffic gets forwarded on to your Web server. All of that processing takes place so quickly that regular users don’t experience any connection speed impairment. StackPath offers the Web Application Firewall for free for the first month of service.

3. Sucuri Website Firewall (LEARN MORE)

The Sucuri Web Application Firewall is part of a suite of website protection measures. The Sucuri cloud-based protection system is an online service. Your website’s address is hosted at Sucuri’s server, so all of your Web traffic goes there first.

The Sucuri service filters out malicious traffic through a range of techniques. The company maintains a database of attack signatures, which is constantly updated, so your website benefits from protection strategies learned by Sucuri when it is defending other sites.

The service package includes performance optimization and DDoS protection. The Sucuri server blocks malicious traffic and forwards all bona fide requests onto your Web server. This process happens so quickly that visitors will not notice any slowing in the delivery of your Web pages.

Delivery performance is enhanced by caching, which means even if your site is down for maintenance, visitors will still be able to access your Web pages. The Sucuri Web Application Firewall is available as a subscription service, and pricing starts from $9.99/month for their basic package. View plan details on their website.

4. MS Azure Web Application Firewall

Microsoft Azure is a well-known hypervisor system that is one of the most successful cloud platforms available. Like AWS, the Azure division of Microsoft doesn’t just offer the platform system for cloud services, it also produces a range of software that provides utilities to other systems. The Web Application Firewall is one of these products.

As with any WAF, this service acts as a proxy. All of your inbound traffic flows through the Azure server first, it is inspected, and suspicious traffic gets blocked, with all other traffic passed on to your web server. This edge service model also makes the Azure WAF an excellent facility for DDoS protection and load balancing. All outbound traffic from your web server also gets routed through the WAF, which examines traffic for data loss events. So, this is a complete two-way web traffic security service.

The system automatically checks for the top ten vulnerabilities as logged by the Open Web Application Security Project (OWASP). It has standard rules embedded in it, but your server administrator can adjust these and add custom rules as well.

What makes Azure different from the other edge services in this list is that it isn’t charged for by subscription. Instead, it has a metered charge rate. This fact and the absence of set up charges makes this an excellent service for startups and small businesses as well as the largest corporations in the world.

The price tariff of Azure WAF is calculated on a combination of an hourly rate and a data throughput rate and charged monthly in arrears. That’s a much lower upfront cost than other cloud-based subscription WAFs, which expect the subscription fee to be paid in advance. What’s even better is that the first 10 TB of data per month is free for all but the lowest traffic levels, and businesses with a lot of traffic get up to 40 TB of throughput per month for free. The Azure Web Application Firewall can be examined as part of a 12-month Azure free trial.

5. Cloudflare WAF

Cloudflare has become very successful at protecting web hosts from DDoS attacks and they extend their protection with a web application firewall. This is an online service that is very widely used. Their servers manage 2.9 million requests every second on behalf of their large customer base.

The benefit of subscribing to a widely-used cloud WAF like Cloudflare is that the company can apply economies of scale to its threat research. An attack attempt on one customer instantly ripples through to a blacklist entry for all web servers protected by Cloudflare. If you have a cloud-based server central to your enterprise or as a content delivery system included in your web presentation, then Cloudflare can cover that as well. Integrating full Cloudflare DDoS protection alongside your WAF subscription is a very simple task.

6. Akamai Kona Site Defender

Akamai is a world leader in DDoS mitigation and it integrates full DDoS protection with its web application firewall in a cloud service called Site Defender. A great benefit of combining both of these services in one security product is that you won’t need to have your traffic routed through two different companies in order to get genuine requests arriving at your web server.

As one of the leaders in online security products, Akamai often is the first to discover new exploits. As a customer of Site Defender, you benefit from this “ahead of the curve” information immediately with tighter and smarter blocks on hacker traffic.

7. Amazon AWS WAF

The Amazon AWS web application firewall (or AWS WAF) is only available to customers of the company’s Web Services. These include the Application Load Balancer and the Amazon content delivery network.  As Amazon Web Services are cloud-based, this WAF is an add-on to your existing subscription. The price model is very tempting. You don’t pay a lump sum each month. Instead, you get charged for each security rule that you set up and for the number of web requests that your server receives in a month.

The Best Hardware-based WAFs

The hardware solution to web application firewalls involves a piece of network equipment that needs to go in front of the web infrastructure.

As all application traffic in both directions will pass through this appliance first, you need to make sure that the model you choose has the capacity to handle your web server’s typical request throughput rate. When assessing WAF appliances, you should first measure the demand on your server in terms of both data throughput in Mbps and the number of transactions. As SSL transactions take more processing, you should look at the maximum number of SSL transactions per second (TPS).
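One way to take that measurement, as an added example that is not part of the original review: the script derives peak requests per second and peak Mbps from web server access logs and checks them against the appliance ratings quoted later in this guide. The log lines are constructed, the 60% utilisation ceiling is an assumption, and every request is counted as one SSL transaction, which overstates demand when connections are reused.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [timestamp] "request" status bytes
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-)$')

# Constructed sample; real input would be hours of production logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 250000
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /app.js HTTP/1.1" 200 500000
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /logo.png HTTP/1.1" 200 250000
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /video.mp4 HTTP/1.1" 200 2000000
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 500000
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /app.js HTTP/1.1" 304 -
this line is malformed and is skipped
"""

# (throughput in Mbps, SSL TPS) as quoted in this guide's hardware reviews.
APPLIANCES = {
    "Imperva X2020": (500, 2200),
    "Barracuda 360": (25, 2000),
    "Citrix MPX 5550": (500, 1500),
}


def peak_demand(log_text):
    """Return (peak requests per second, peak response Mbps)."""
    requests = defaultdict(int)
    sent_bytes = defaultdict(int)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # ignore lines that are not access-log entries
        second, size = match.groups()
        requests[second] += 1
        sent_bytes[second] += 0 if size == "-" else int(size)
    if not requests:
        return 0, 0.0
    # Access logs record response sizes only, so this is outbound Mbps.
    return max(requests.values()), max(sent_bytes.values()) * 8 / 1_000_000


def candidates(peak_tps, peak_mbps, max_utilisation=0.6):
    """Appliances whose ratings cover the peaks with headroom to spare."""
    return [
        name
        for name, (mbps, tps) in APPLIANCES.items()
        if peak_mbps <= mbps * max_utilisation
        and peak_tps <= tps * max_utilisation
    ]


if __name__ == "__main__":
    tps, mbps = peak_demand(SAMPLE_LOG)
    print(f"peak {tps} requests/s, {mbps:.1f} Mbps")
    print("fits:", candidates(tps, mbps))
```

Per-second peaks matter more than daily averages here, because an inline appliance that saturates during a burst delays or drops legitimate traffic.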

1. Imperva SecureSphere

This WAF is aimed at smaller businesses with units that have a throughput of 100 Mbps dealing with 440 SSL TPS, going up to a model that can process 10 Gbps and 9,000 SSL TPS. As an example of the range, take a look at the X2020, which gives you a throughput of 500 Mbps for a price of $4,200. This unit can deal with 2,200 SSL TPS.

The higher models in the range are mutually compatible. You can buy the X85210, which has a throughput rate of 5 Gbps, and then upgrade it later via a software patch to turn it into the X10K model, which allows a 10 Gbps throughput. You can also opt for a cloud-based version of SecureSphere.

2. Barracuda Web Application Firewall

Barracuda is a good solution for a small- to mid-sized web-based business. This appliance is a little pricey, but the purchase price includes a full year of system updates. The Barracuda box is automatically updated when the company detects new threats and exploits. The Barracuda box has some extra features, which include caching for faster content delivery and load balancing. You can add on full DDoS protection for a fee.

The Barracuda WAF is available in a range of sizes, each with different capacities. For example, the Model 360 will give you a throughput of 25 Mbps and it can handle 2000 SSL TPS. Your purchase of the 360 will set you back $6,350, including that first year of virtual patching. Support for subsequent years costs $1,350 per year.

3. Citrix Netscaler Application Firewall

The Netscaler MPX range comes with capacities ranging from 500 Mbps up to 200 Gbps. The cheapest model is the MPX 5550, which gives you a throughput of 500 Mbps and can cope with 1,500 SSL TPS. This unit costs $4,000, but that price doesn’t include a virtual patching contract, which is an added extra.

The Citrix Netscaler appliance also acts as a load balancer for small enterprises. Netscaler is also available as a connected service via the cloud.

4. Fortinet FortiWeb

If you have a small web enterprise and you are shifting up to the mid-size league, you will need to upgrade a lot of your equipment. This could be a good chance for you to check out the Fortinet FortiWeb appliance. This device integrates the WAF with a load balancer and an SSL offloader. If you are expanding out to multiple servers, you are going to need a load balancer anyway, so while you are in the market for a new bit of kit, it makes sense to get the web application firewall off your list of things to buy as well and get both built into the same box.

The FortiWeb range includes eight models with increasing throughput capacity. The entry-level model is 100D. This has a throughput rate of 25 Mbps. The top-of-the-range model is the 4000E. This has a throughput of 20 Gbps. FortiWeb also operates a cloud version of its web application firewall service.



5. F5 BIG-IP ASM

The BIG-IP ASM is aimed at large companies. Unfortunately, F5 doesn’t give an SSL TPS rate for its models, but an HTTP one instead. The 10200 model can process 75,000 HTTP TPS and has a throughput of 5 Gbps.

BIG-IP ASM helps your server perform faster by dealing with the SSL encryption of HTTPS and SFTP. This function is known as “SSL offloading.” The F5 package includes threat protection that benefits from deep threat analysis and dynamic learning, so you don’t have to invest too much time in reading through reports to work out which addresses to blacklist because the appliance will do that for you.

Hardware-based vs Cloud-based WAFs: Pros and Cons

The choice of your own piece of equipment or a cloud infrastructure solution can often come down to your own preferences for each configuration. For example, some people are uncomfortable outsourcing elements of their network and the security functions of a web host are particularly sensitive topics.

Cloud-based WAFs Cons

The WAF stands in front of all of your other devices and so it has to be the target of your URL. That means that you no longer have direct control over your traffic because all DNS records will direct website visitors to the cloud infrastructure first.

Where cloud WAFs are offered by companies that include other front-end security services, combining these into one package makes sense. For example, if your chosen WAF provider doesn’t have a DDoS protection service, you will need to forward your traffic to a second cloud service in order to get fully covered from all threats. Taking out a WAF cloud service can lock you into one online security company for all of your online protection and limit your options.

WAFs examine the contents of packets, so they have to strip off all encryption protection first before they can perform their main task. This means that you have to hand over your SSL certificate to the cloud WAF provider, effectively surrendering all of the data security functions that protect your web host, your content, and the safety of your customers.

You need to have a lot of faith in your cloud WAF provider in order to be prepared to let this third party stand in between you and your customers.

Cloud-based WAFs Pros

On the other hand, the reputation and expertise of the top cloud WAF providers means that you don’t need to be worried about being let down. The companies on our list specialize in networking and security services. Their accumulated expertise is a lot greater than you could get for your own company in-house. There is probably more risk to your website’s availability and security if you try to cover all of the complicated tasks that these issues involve.

Cloud-based solutions can be paid for on a monthly basis, spreading the cost of your web application security. In some cases, you only get charged for your web throughput, so you can defer paying for your protection until the end of the month when the service level has been calculated and invoiced.

If you already outsource parts of your operation, you have already come to terms with the cloud-based method of operation and so it would not be too difficult to outsource your WAF as well. You may need to switch from existing providers if combining other services, such as DDoS protection and load balancing, with your new WAF makes better logistical and economic sense.

Hardware-based WAFs Cons

When considering the cost of a hardware WAF, you need to add on the expenses of installing, housing, protecting, and maintaining it. Online WAFs get updated automatically, so they are always up-to-the-minute and ready to tackle the latest emerging threat. Getting that level of preparedness on your own WAF device can be expensive.

Most hardware WAF vendors offer an update service. The fixes to new threats are sent to your WAF device over the internet automatically and it will renew its firmware without your intervention. In the case of some new threats, other equipment and software on your network may need updating, and the support service of your WAF provider will give you those, too.

This process is called “virtual patching” and it is the WAF version of classic firewall database updates. However, although all of the hardware suppliers in our list provide virtual patching, not all of them include that service for free. Where the update service is included, it is usually only free for the first year. After that, you must pay extra for support of your in-house WAF.

The upfront cost of buying a hardware WAF can be an inconvenient expense when struggling to get your new web company operational. If you forgo this application security solution initially, you may get lulled into the belief that it is an unnecessary extra even when you get to the point where you have cash to spare. This is a dangerous scenario, because you will only realize that you need WAF protection once you have been hit by an attack. By then, your website will be blocked by search engines for containing malicious code and you will be sent out of business.

Hardware-based WAFs Pros

If you are running your own web server, you probably already know a lot about networking and internet systems. You may need a load balancer once you put on extra servers to deal with demand. If that is the case, you could buy a combined web cache, load balancer, and WAF and get all of your front-end requirements dealt with by one device.

Having your own WAF means you don’t have to surrender your web address to a third party. If at some point you do need extensive DDoS protection, then your URL will have to go to the DDoS mitigation provider. However, in this case, you won’t need to limit your choice of DDoS protection to that provided by your cloud WAF company. You won’t be committed to directing your URL to provide your WAF.

Choosing a web application firewall solution

Whether you prefer to have your own WAF on your network, or you think it would be better to go for a cloud-based WAF solution, this review has given you five options to consider. Selecting new equipment, software, and services for your company can be very time-consuming. In this guide, we have taken care of that first phase for you.

Your next task is to narrow down your options. The added extras that each of these WAF vendors offer will direct you towards that choice. The capacity of each service is also an important consideration and you should factor in scalability so that your future expansion plans are accounted for.

Make the decision on whether to go for a dedicated hardware or cloud-based WAF and then check out each of the five listed in that category. Overlooking the protection that a dedicated web application firewall offers your organization would be a mistake. Don’t wait until it is too late and your site has already been attacked. Get a WAF in place now to keep your website online.

Web Application Firewall FAQs

💻What is the difference between a normal firewall and a WAF?

Network and endpoint firewalls operate at a lower stack level than web application firewalls. As the name suggests, WAFs examine attributes at the Application Layer (Layer 7), whereas typical firewalls work at the Network Layer (Layer 3). So, each looks at different characteristics of incoming traffic. Another major difference between these two services is that a typical firewall integrates into the architecture of a network gateway (or computer network interface) but WAFs have a reverse proxy configuration.

📜What are WAF rules?

WAF rules are a list of things that the firewall needs to look out for. They are specific characteristics in web traffic and the specific places to look for them in the data stream. Rules are also called “policies.” They include the action to take on detection of an attack attempt, which usually just involves not passing that traffic on to the server being protected.
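The three parts of a rule described above (the characteristic, the place to look for it, and the action) can be seen in a small evaluator, added here as an illustration and not taken from any of the reviewed products. The rule IDs, patterns and sample requests are constructed, and request bodies are assumed to be URL-encoded forms.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    rule_id: str
    targets: tuple  # where to look: "path", "args", "body", "cookies"
    pattern: str    # characteristic to look for (regular expression)
    action: str     # "block" = do not pass on, "log" = record only


# Constructed rules for attack categories listed earlier in this guide.
RULES = [
    Rule("sqli-001", ("args", "body"),
         r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", "block"),
    Rule("xss-001", ("args", "body"), r"(?i)<\s*script\b", "block"),
    Rule("browse-001", ("path",), r"(?i)\.(bak|old|tmp|swp)$", "block"),
    # Log-only: a new rule is often observed before it is allowed to block.
    Rule("cookie-001", ("cookies",), r"[^A-Za-z0-9._-]", "log"),
]


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def extract(req, target):
    """Return the decoded values found at one inspection point."""
    parts = urlsplit(req.url)
    if target == "path":
        return [unquote(parts.path)]
    if target == "args":
        return [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if target == "body":  # assumption: body is a URL-encoded form
        return [v for _, v in parse_qsl(req.body, keep_blank_values=True)]
    if target == "cookies":
        pairs = req.headers.get("Cookie", "").split(";")
        return [p.partition("=")[2].strip() for p in pairs if "=" in p]
    return []


def evaluate(req, rules=RULES):
    """Return (decision, ids of every rule that matched)."""
    decision, matched = "pass", []
    for rule in rules:
        values = [v for t in rule.targets for v in extract(req, t)]
        # Values are decoded first so that percent-encoding cannot hide
        # the characteristic from the pattern.
        if any(re.search(rule.pattern, v) for v in values):
            matched.append(rule.rule_id)
            if rule.action == "block":
                decision = "block"
    return decision, matched


# Constructed traffic: one benign request, then one per rule.
SAMPLE_REQUESTS = [
    Request("GET", "/search?q=firewall+reviews"),
    Request("GET", "/login?user=admin%27+OR+1%3D1"),
    Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("GET", "/site/config.php.bak"),
    Request("GET", "/", headers={"Cookie": "session=abc123; role=admin<b>"}),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request.method, request.url, "->", evaluate(request))
```

The last sample request is passed on to the server even though a rule matched it, which is how a log-only rule lets you measure false positives before switching its action to block.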

3️⃣What are the 3 types of firewalls?

The three types of firewalls are packet filters, stateful packet inspection, and proxy server firewalls.

  • Packet filters look at the technical features of all packets traveling in and out of a network and drop those that don’t match a given pattern or do match a list of blacklisted characteristics.
  • Stateful packet inspection (SPI), also known as dynamic packet filtering, also operates at the Network Layer, but it records individual packet characteristics so it can spot attacks that are split across several packets.
  • A WAF is a proxy server firewall because all traffic is directed through the WAF on its way to the server. It operates at the Application Layer and substitutes the protected server’s IP address with its own. 

Image: Firewall by frankieleon via  Licensed under CC BY 2.0