A WAF creates a firewall between a web application and the Internet; such a firewall helps mitigate many common attacks.
A WAF, or Web Application Firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a layer 7 (application-layer, in the OSI model) defense and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.
Deploying a WAF in front of a web application places a shield between the web application and the Internet. While a proxy server protects a client machine's identity by using an intermediary, a WAF is a type of reverse proxy: clients reach the server only by passing through the WAF, which keeps the server from being exposed directly.
A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.
A WAF that operates on a blocklist (negative security model) protects against known attacks. Think of a blocklist WAF as a club bouncer instructed to turn away guests who don't meet the dress code. Conversely, a WAF based on an allowlist (positive security model) only admits traffic that has been pre-approved, like the bouncer at an exclusive party who only admits people on the guest list. Both blocklists and allowlists have their advantages and drawbacks, which is why many WAFs offer a hybrid security model that implements both.
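To make the policy concepts above concrete (rules that can be edited quickly, rate limiting, and the negative, positive and hybrid models), here is a toy layer-7 policy engine. It is an added illustration written for this page, not Cloudflare's code or any real WAF's rule set; the signatures, approved routes, request limits and sample requests are all constructed and deliberately simplified.

```python
"""Toy layer-7 WAF policy engine (added example, not a real product's code).

Three policy types from the text are modelled:
  * blocklist  (negative model): requests matching known-bad signatures are dropped,
  * allowlist  (positive model): only pre-approved method/path pairs pass,
  * rate limit: a per-client budget over a sliding time window.
hybrid_check() applies all three, which is what a hybrid-model WAF does.
All patterns and routes below are constructed for illustration only.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Verdict:
    allowed: bool
    reason: str


# Negative model: a few constructed signatures for well-known injection shapes.
# Real rule sets are far larger; the point is that they are data, not code,
# so they can be modified quickly in response to a new attack vector.
BLOCKLIST_SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "lfi-traversal": re.compile(r"(\.\./|\.\.\\)"),
}

# Positive model: only these method/path shapes are pre-approved (constructed).
ALLOWLIST_ROUTES = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/products/\d+$")),
    ("POST", re.compile(r"^/login$")),
]


@dataclass
class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per client."""
    limit: int
    window: float
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, client_ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        while q and now - q[0] > self.window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _decoded_inputs(req: Request) -> str:
    # Inspect the decoded path, query and body so URL-encoded payloads are not missed.
    return "\n".join(unquote_plus(part) for part in (req.path, req.query, req.body))


def negative_check(req: Request) -> Verdict:
    text = _decoded_inputs(req)
    for name, sig in BLOCKLIST_SIGNATURES.items():
        if sig.search(text):
            return Verdict(False, f"blocklist:{name}")
    return Verdict(True, "blocklist:clean")


def positive_check(req: Request) -> Verdict:
    for method, pattern in ALLOWLIST_ROUTES:
        if req.method == method and pattern.match(req.path):
            return Verdict(True, "allowlist:match")
    return Verdict(False, "allowlist:no-match")


def hybrid_check(req: Request, limiter: RateLimiter, now: Optional[float] = None) -> Verdict:
    """Hybrid policy: cheapest check first (rate limit), then allowlist, then blocklist."""
    if not limiter.check(req.client_ip, now):
        return Verdict(False, "rate-limit")
    verdict = positive_check(req)
    if not verdict.allowed:
        return verdict
    return negative_check(req)


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=10.0)
    sample = Request("192.0.2.10", "GET", "/products/7", "ref=1%27+UNION+SELECT+1")
    print(hybrid_check(sample, limiter, now=0.0))   # blocked by the blocklist
```

The ordering inside `hybrid_check` is a design choice: the rate limit is evaluated before any pattern matching so that a flood of requests is rejected cheaply, which is the behaviour the text describes for DDoS response, and the allowlist runs before the blocklist because a request that is not pre-approved never needs signature inspection.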