Beyond packet filtering
A network firewall judges packets by their headers, but it cannot see that an HTTP request carries an SQL injection string. A web application firewall, or WAF, operates at the application layer, inspecting full HTTP requests and responses to catch attacks aimed at the app itself.
What a WAF inspects
- Request bodies and query parameters for injection patterns.
- Headers and cookies for tampering or malformed values.
- URLs and methods to enforce allowed endpoints.
- Response content to catch data leakage in some setups.
WAFs use two broad strategies. A negative model (a denylist) blocks traffic matching known attack signatures, which is easy to deploy but misses novel attacks. A positive model (an allowlist) permits only traffic matching a known good profile of endpoints, methods and parameter formats, which is stronger but harder to tune without blocking legitimate users. Many WAFs combine both and add rate limits. Because a WAF terminates and parses HTTP, it can also enforce TLS and add request logging.
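As an added illustration, not code from the original page, here is a minimal Python request inspector that applies the three mechanisms just described in order: a per-client rate limit, negative-model signature matching over parameters and headers, and a positive-model profile of allowed method/path pairs with a pattern per parameter. The Request class, the signature list, the profile and the limits are all constructed for this example; a real WAF parses raw HTTP and ships far larger rulesets.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed request shape for this example; a real WAF parses raw HTTP.
@dataclass
class Request:
    client: str
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query or form fields
    headers: dict = field(default_factory=dict)

# Negative model: block anything matching a known-bad signature (illustrative subset).
NEGATIVE_SIGNATURES = [
    re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"),   # SQL tautology in a string field
    re.compile(r"(?i)union\s+select"),           # SQL UNION injection
    re.compile(r"(?i)<script\b"),                # inline script injection
]
# Positive model: only these method/path pairs, with a pattern per parameter.
POSITIVE_PROFILE = {
    ("GET", "/users"): {"id": re.compile(r"^\d{1,10}$")},
    ("POST", "/login"): {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
                         "pw": re.compile(r"^.{1,128}$")},
}
RATE_LIMIT = 5           # requests allowed per client per window (constructed value)
WINDOW = 60.0            # window length in seconds
_hits = defaultdict(deque)   # client -> timestamps of recent requests

def inspect(req, now=0.0):
    """Return (verdict, reason): rate limit, then signatures, then allowlist profile."""
    window = _hits[req.client]
    while window and now - window[0] >= WINDOW:   # drop timestamps outside the window
        window.popleft()
    window.append(now)
    if len(window) > RATE_LIMIT:
        return "block", "rate limit exceeded"
    for name, value in list(req.params.items()) + list(req.headers.items()):
        for sig in NEGATIVE_SIGNATURES:
            if sig.search(str(value)):
                return "block", f"signature match in {name}"
    schema = POSITIVE_PROFILE.get((req.method, req.path))
    if schema is None:
        return "block", "endpoint not in allowed profile"
    for name, value in req.params.items():
        if name not in schema or not schema[name].match(str(value)):
            return "block", f"parameter {name} fails profile"
    return "allow", "ok"
```

Note that the positive profile rejects a value like `abc` for `id` even though no signature matches it, which is the extra coverage an allowlist buys at the cost of having to describe every legitimate endpoint.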
Key idea
A web application firewall inspects full HTTP traffic to block application layer attacks a packet filter cannot see.