Back to Blog
Guide9 min read2026-07-07

Web Application Firewall (WAF) Explained

A WAF sits between the internet and your app, filtering malicious requests before they reach your code. Here is how WAFs work, what they catch, their limits, and how to tune one without breaking real users.

Ajay Kumar
Ajay Kumar
Founder & DevOps, PandaStack

# Web Application Firewall (WAF) Explained

A traditional network firewall decides which ports and IPs can talk to your servers. It knows nothing about HTTP. A Web Application Firewall (WAF) works one layer up — it inspects the actual HTTP requests and responses flowing to your application and blocks the malicious ones. This guide explains what a WAF does, what it catches, and where its limits are.

Where a WAF sits

A WAF is a reverse proxy in front of your application. Every request passes through it:

Client → CDN/Edge → WAF → Load balancer → Your app

Because it terminates and parses HTTP, it can read headers, query strings, cookies, and bodies — and decide to allow, block, challenge, or log each request before your code ever runs.

What a WAF protects against

The canonical reference is the OWASP Top 10. A WAF is particularly good at catching:

  • SQL injection — requests containing ' OR 1=1-- and similar payloads.
  • Cross-site scripting (XSS)