A WAF creates a shield between a web application and the Internet; this shield can help mitigate many common attacks.
A WAF, or web application firewall, helps protect web applications by filtering and monitoring the HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a layer 7 (application layer) defense in the OSI model and is not designed to defend against all types of attacks. This method of attack mitigation is usually one part of a suite of tools which together create a holistic defense against a range of attack vectors.
Deploying a WAF in front of a web application places a shield between the web application and the Internet. Whereas a proxy server protects the identity of a client machine by acting as an intermediary, a WAF is a type of reverse proxy: clients pass through the WAF before reaching the server, so the server itself is never directly exposed.
A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. Part of the value of a WAF comes from the speed and ease with which policies can be modified, allowing a faster response to changing attack vectors; during a DDoS attack, for example, rate limiting can be enabled quickly by modifying WAF policies.
A WAF that operates on a blocklist (negative security model) protects against known attacks. Think of a blocklist WAF as a club bouncer who has been instructed to turn away guests who do not meet the dress code. Conversely, a WAF based on an allowlist (positive security model) admits only pre-approved traffic. This is like the bouncer at an exclusive party, who admits only the people on the guest list. Blocklists and allowlists each have advantages and drawbacks, which is why many WAFs offer a hybrid security model that applies both.
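To make the policy concepts from the two preceding paragraphs concrete (rule-based filtering with a quickly adjustable rate limit, and the blocklist, allowlist and hybrid security models), here is a small added policy engine written for this page. It is not Cloudflare code and not the rule set of any real WAF; the `Request` shape, the three signature rules, the allowlisted routes and the sliding-window rate limiter are all constructed assumptions for illustration.

```python
"""Minimal WAF-style policy engine: blocklist, allowlist, hybrid and rate limiting.

Added example for illustration; not the code of any real WAF product.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    """The parts of an HTTP request a WAF typically inspects (constructed shape)."""
    client_ip: str
    method: str
    path: str
    query: str = ""
    body: str = ""

    def inspected_text(self) -> str:
        # Everything the blocklist signatures are matched against.
        return f"{self.path}\n{self.query}\n{self.body}"


# Negative security model: signatures of known attack patterns.
# Constructed for illustration; production rule sets are far larger.
BLOCKLIST_RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\.(/|\\|%2f)", re.I)),
]

# Positive security model: the only (method, path) shapes the app expects (constructed).
ALLOWLIST_RULES = [
    ("GET", re.compile(r"^/api/users/\d+$")),
    ("POST", re.compile(r"^/api/login$")),
    ("GET", re.compile(r"^/static/[\w./-]+$")),
]


@dataclass
class Policy:
    """A WAF policy: which security model to apply and an optional rate limit.

    Because these are plain data, a policy change (e.g. turning on a rate limit
    during a DDoS) is a one-line edit rather than an application deployment.
    """
    mode: str = "hybrid"                 # "blocklist", "allowlist" or "hybrid"
    rate_limit: Optional[int] = None     # max requests per client IP per window
    window_seconds: float = 60.0
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def _rate_limited(self, ip: str, now: float) -> bool:
        """Sliding-window counter: True once a client exceeds rate_limit in the window."""
        if self.rate_limit is None:
            return False
        timestamps = self._history[ip]
        while timestamps and now - timestamps[0] >= self.window_seconds:
            timestamps.popleft()        # drop hits that fell out of the window
        timestamps.append(now)
        return len(timestamps) > self.rate_limit

    def decide(self, req: Request, now: float = 0.0) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for one request.

        `now` is injected (seconds) so the rate limiter is deterministic to test.
        """
        if self._rate_limited(req.client_ip, now):
            return "block", "rate-limit"
        # Positive model: unknown routes are rejected even with a harmless payload.
        if self.mode in ("allowlist", "hybrid"):
            if not any(m == req.method and p.match(req.path) for m, p in ALLOWLIST_RULES):
                return "block", "not-allowlisted"
        # Negative model: known attack signatures are rejected on any route.
        if self.mode in ("blocklist", "hybrid"):
            text = req.inspected_text()
            for name, pattern in BLOCKLIST_RULES:
                if pattern.search(text):
                    return "block", name
        return "allow", "ok"


if __name__ == "__main__":
    waf = Policy(mode="hybrid", rate_limit=100)
    req = Request("203.0.113.5", "GET", "/api/users/42", query="id=1 UNION SELECT pw FROM users")
    print(waf.decide(req))
```

The two models fail in opposite directions, which is the point of the hybrid mode: a blocklist-only policy lets `GET /admin` through because no signature names it, while an allowlist-only policy lets a script tag through in the query string of an approved route because it only checks the route shape. Detection hint for operators: log the `reason` string with every block so that a sudden rise in `rate-limit` or `not-allowlisted` decisions is visible as a signal rather than just dropped traffic.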
A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:
Learn about Cloudflare's cloud-based WAF solution.