The Edge Proxy and WAF

How the outermost proxy filters and protects traffic before it enters the system.

The outermost gate

The edge proxy is the first thing inbound traffic touches, sitting at the network boundary close to users. It terminates TLS, applies rate limits, and forwards clean traffic inward to gateways and services.

Because it sees raw, untrusted traffic, the edge is the natural place to put a web application firewall, or WAF. The WAF inspects requests for malicious patterns and blocks them before they reach application code.

What the WAF defends against

  • Injection attempts such as SQL or command injection in parameters.
  • Cross-site scripting payloads in inputs.
  • Bad bots and abuse, often combined with rate limiting and bot scoring.
  • Known exploit signatures for common vulnerabilities.

Rules and their limits

A WAF runs rules in two styles: a negative model that blocks known-bad patterns, and a positive model that allows only known-good shapes. Negative rules are easy to deploy but can be bypassed by novel payloads and can raise false positives that block real users. So WAFs are tuned carefully, often run first in a monitoring-only mode, and are treated as one layer of defense rather than the only one.
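The two rule styles and monitoring-only mode, as an added example that is not part of the original lesson or any real WAF product. The signatures, the parameter schema, the sample requests and all function names are constructed for illustration.

```python
import re

# Negative model: block known-bad patterns (constructed, deliberately simple signatures).
NEGATIVE_RULES = {
    "sqli-select-from": re.compile(r"(?i)\bselect\b.+\bfrom\b"),
    "xss-script-tag": re.compile(r"(?i)<\s*script"),
}

# Positive model: allow only known-good shapes per parameter (hypothetical schema).
POSITIVE_SCHEMA = {
    "id": re.compile(r"\d{1,10}"),
    "comment": re.compile(r"[\w\s.,!?'-]{0,200}"),
}

# Constructed sample requests (parameter name -> value).
SAMPLES = {
    "legit_comment": {"id": "42", "comment": "Please select a color from the list"},
    "known_bad": {"id": "42", "comment": "<script>/* constructed sample */</script>"},
    # Stand-in for input that matches no signature yet is not a valid id.
    "unlisted_shape": {"id": "42;UNLISTED-PATTERN-PLACEHOLDER", "comment": "hi"},
}

def negative_hits(params):
    """Names of signatures that match any parameter value."""
    return [name for name, rx in NEGATIVE_RULES.items()
            if any(rx.search(v) for v in params.values())]

def positive_violations(params):
    """Parameters that are unknown or do not fully match their allowed shape."""
    return [key for key, value in params.items()
            if key not in POSITIVE_SCHEMA or not POSITIVE_SCHEMA[key].fullmatch(value)]

def evaluate(params, model, enforce):
    """Return (decision, findings). With enforce=False the WAF only logs."""
    findings = negative_hits(params) if model == "negative" else positive_violations(params)
    if not findings:
        return ("allow", findings)
    return ("block" if enforce else "log-only", findings)

def report(enforce=False):
    """Evaluate every sample under both models."""
    return {name: {m: evaluate(p, m, enforce) for m in ("negative", "positive")}
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report(enforce=False).items():
        print(name, result)
```

In monitoring-only mode the false positive on `legit_comment` shows up as a log entry to tune against instead of a blocked user, while `unlisted_shape` passes the negative rules and is caught only by the positive schema.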

Key idea

The edge proxy is the outermost gate where a web application firewall filters malicious traffic, tuned carefully as one layer of defense in depth.

Check yourself

1. Why is the edge proxy a natural place for a web application firewall?

2. What is a limitation of a negative-model WAF that blocks known-bad patterns?

3. Why are WAFs often run in monitoring-only mode first?