Web Application Firewall (WAF) Best Practices
A Web Application Firewall (WAF) is a key component to any modern AppSec program. Having a set of best practices for how to effectively implement and leverage the solution within your organization can help keep you secure.
What is a WAF?
A WAF is a specialized security solution that shields a web application from the internet, safeguarding the server by detecting and blocking malicious HTTP and HTTPS traffic to and from a web service.
WAFs often function as reverse proxies between the internet and protected web applications. However, you can also deploy WAFs in various configurations, including inline, cloud-based, or on-premises, to suit specific security requirements. Regardless of the deployment method, a WAF inspects all incoming traffic before it reaches application servers, creating a protective shield against potential threats.
What are WAF Best Practices for Security Teams?
At the highest level, best practices for security teams implementing and maintaining a WAF deployment should focus on two things: enabling the WAF's full set of capabilities, and fine-tuning WAF policies to get the maximum benefit from it.
More specific WAF best practices to implement include:
Use WAF Policies.
A WAF operates based on policies that help it determine which traffic is deemed safe and which is malicious — in other words, what kinds of traffic the WAF will allow or block. Each company or person using a WAF can customize policies to their unique requirements. Policies can be updated quickly and even automatically. This is one of the advantages of a WAF: because policies can be modified easily, the response to various types of attacks can be faster.
Perform continuous testing and update WAF rules frequently.
WAF rules are individual security guidelines within the broader WAF policies. A WAF policy contains multiple WAF rules. WAF rules have both conditions (what to look for in traffic requests) and actions (what to do if the conditions in the rule are met). Think of this as an if/then statement: a rule defines that “if” this happens, “then” the WAF does this.
Updating WAF rules frequently and adding any necessary new ones should always be a best practice. This helps avoid the blocking of legitimate traffic (called a false positive) and the accidental allowance of bad traffic through (called a false negative). Continuous testing helps keep WAF rules precise and accurate.
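To make the if/then model and the false-positive/false-negative trade-off concrete, here is an added example of a toy policy engine in Python. It is not Fastly's code or anything from the Next-Gen WAF; the request shape, rule format, the two simplistic signatures, and the labelled traffic are all constructed for the illustration. A first policy version is measured against the labelled traffic, then a tuned version is measured again, and a new rule is trialled in log mode so that it records hits without blocking.

```python
"""Toy WAF policy engine: a policy is an ordered list of rules, and each rule is
an "if" condition over the request plus a "then" action.  This is an added
illustration, not Fastly's code; the request shape, rule format, signatures
and labelled traffic below are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # constructed shape: method, path, query

# Two deliberately simple signatures; real rule sets are far richer.
SQLI = re.compile(r"(?i)(union\s+select|\bor\s+1=1)")
TRAVERSAL = re.compile(r"\.\./")


@dataclass
class Rule:
    rule_id: str
    condition: Callable[[Request], bool]  # the "if"
    action: str                           # the "then": block, allow or log


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "allow"

    def evaluate(self, req: Request) -> Tuple[str, List[str]]:
        """First block/allow rule wins. Rules in log mode record a hit but do
        not terminate evaluation, which is how a new rule is trialled before
        it is promoted to blocking."""
        hits: List[str] = []
        for rule in self.rules:
            if rule.condition(req):
                hits.append(rule.rule_id)
                if rule.action != "log":
                    return rule.action, hits
        return self.default_action, hits


def measure(policy: Policy, labelled: List[Tuple[Request, bool]]) -> Dict[str, int]:
    """False positive: benign request blocked. False negative: attack allowed."""
    fp = fn = 0
    for req, is_attack in labelled:
        blocked = policy.evaluate(req)[0] == "block"
        fp += int(blocked and not is_attack)
        fn += int(is_attack and not blocked)
    return {"false_positives": fp, "false_negatives": fn}


# Constructed labelled traffic: (request, is_attack).
TRAFFIC: List[Tuple[Request, bool]] = [
    ({"method": "GET", "path": "/search", "query": "q=laptop"}, False),
    ({"method": "GET", "path": "/docs", "query": "q=union select tutorial"}, False),
    ({"method": "GET", "path": "/search", "query": "q=' OR 1=1 --"}, True),
    ({"method": "GET", "path": "/static/../../app.conf", "query": ""}, True),
]

# Version 1: the SQLi signature runs on every query; traversal only checks the query.
POLICY_V1 = Policy([
    Rule("sqli-query", lambda r: bool(SQLI.search(r["query"])), "block"),
    Rule("traversal-query", lambda r: bool(TRAVERSAL.search(r["query"])), "block"),
])

# Version 2, tuned after measuring: scope the SQLi rule away from the
# documentation search (which legitimately contains SQL keywords), inspect the
# path as well as the query for traversal, and keep watching /docs in log mode.
POLICY_V2 = Policy([
    Rule("sqli-query", lambda r: r["path"] != "/docs" and bool(SQLI.search(r["query"])), "block"),
    Rule("traversal", lambda r: bool(TRAVERSAL.search(r["path"] + "?" + r["query"])), "block"),
    Rule("trial-docs-sqli", lambda r: r["path"] == "/docs" and bool(SQLI.search(r["query"])), "log"),
])

if __name__ == "__main__":
    for name, policy in (("v1", POLICY_V1), ("v2", POLICY_V2)):
        print(name, measure(policy, TRAFFIC))
```

Running the labelled corpus through version 1 reports one false positive (the documentation search) and one false negative (traversal in the path, which the rule never inspected); version 2 reports none. Keeping that corpus in version control and re-running it on every rule change is the continuous testing the section above describes.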
Implement Bot Management.
Bot management rules help filter out malicious bot traffic and prevent those bots from causing harm.
Use Rate Limiting.
Rate limiting restricts the rate at which requests reach your web apps. It controls the overall volume of traffic, preventing overload and protecting your resources.
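As an added example of the mechanism (not Fastly's implementation), the following Python keeps a per-client sliding window of request timestamps and rejects requests once the window is full. The limit, window length, client keys and request timeline are constructed for the illustration; a real deployment would key on whatever identifies a client (IP, token, session) and tune the numbers per endpoint.

```python
"""Per-client sliding-window rate limiter of the kind a WAF applies at the edge.
Added illustration, not Fastly's code; the limit, window, client keys and
request timeline are constructed for the example."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, client_key: str, now: float) -> bool:
        """Return True if the request may proceed, False if it exceeds the limit.
        Timestamps older than the window are evicted first, so a client that
        backs off regains capacity smoothly instead of in fixed-window bursts.
        Rejected requests are not recorded, so they do not extend the penalty."""
        q = self._hits[client_key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(limiter: SlidingWindowLimiter,
             timeline: List[Tuple[float, str]]) -> List[Tuple[float, str, int]]:
    """Replay (time, client) pairs; 200 means allowed, 429 means rate limited."""
    return [(t, c, 200 if limiter.check(c, t) else 429) for t, c in timeline]


# Constructed timeline: one client fires a request every second for eight
# seconds, a second client sends a single request, and the first retries at t=10.
TIMELINE: List[Tuple[float, str]] = (
    [(float(t), "203.0.113.7") for t in range(8)]
    + [(3.0, "203.0.113.9"), (10.0, "203.0.113.7")]
)


def run_demo(limit: int = 5, window_seconds: float = 10.0) -> Dict[str, List[int]]:
    """Fresh limiter each run; returns the status sequence seen by each client."""
    out: Dict[str, List[int]] = defaultdict(list)
    for _, client, status in simulate(SlidingWindowLimiter(limit, window_seconds), TIMELINE):
        out[client].append(status)
    return dict(out)


if __name__ == "__main__":
    print(run_demo())
```

With a limit of five requests per ten seconds, the bursting client gets five 200s, three 429s, and then a 200 again at t=10 once its oldest request has aged out of the window; the second client is unaffected because the window is kept per client.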
Consider OWASP Top 10.
Ensure that you are testing and have adequate rules and policies in place for known OWASP vulnerabilities.
Implement management and monitoring.
Integrate your WAF logs with your existing tooling (think SIEM) to help monitor for any abnormal traffic activity and to gain heightened visibility into any identified issues.
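An added example of the kind of check that becomes possible once WAF decisions land in a SIEM, written here in Python rather than any particular SIEM's rule language and not taken from Fastly's tooling. The log format (one JSON object per line with timestamp, source, path, action and rule) and the sample lines are constructed for the illustration; the two functions raise an alert when a single source accumulates several blocks within a short window and summarize which rules are firing, a quick way to spot both an active attacker and a rule that has suddenly started blocking a lot of traffic.

```python
"""Detection over WAF decision logs, the kind of rule a SIEM would run.
Added illustration, not Fastly's code; the log format and sample lines are
constructed for this example."""
import json
from collections import defaultdict, deque
from typing import Any, Deque, Dict, List

# Constructed WAF log: one JSON object per line.
WAF_LOG = """
{"ts": 1700000000, "src": "203.0.113.5", "path": "/login", "action": "allow", "rule": null}
{"ts": 1700000010, "src": "203.0.113.5", "path": "/search", "action": "block", "rule": "sqli-query"}
{"ts": 1700000012, "src": "198.51.100.2", "path": "/", "action": "allow", "rule": null}
{"ts": 1700000015, "src": "203.0.113.5", "path": "/search", "action": "block", "rule": "sqli-query"}
{"ts": 1700000020, "src": "203.0.113.5", "path": "/files", "action": "block", "rule": "traversal"}
{"ts": 1700000090, "src": "198.51.100.2", "path": "/api/v1/orders", "action": "block", "rule": "bot-signature"}
{"ts": 1700000400, "src": "198.51.100.2", "path": "/api/v1/orders", "action": "block", "rule": "bot-signature"}
""".strip()


def parse(lines: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def blocked_burst_alerts(events: List[Dict[str, Any]],
                         threshold: int = 3, window: int = 60) -> List[Dict[str, Any]]:
    """Alert once per source whose blocked requests reach `threshold` within
    `window` seconds (sliding window over event timestamps)."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)
    alerts: List[Dict[str, Any]] = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "block":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "blocks": len(q),
                           "first_ts": q[0], "last_ts": ev["ts"]})
    return alerts


def blocks_by_rule(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count blocks per rule id; a sudden jump for one rule after a policy
    change is the first sign of a false-positive problem."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["action"] == "block":
            counts[ev["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse(WAF_LOG)
    print(blocked_burst_alerts(events))
    print(blocks_by_rule(events))
```

On the sample log, only the first source trips the burst alert (three blocks in ten seconds); the second source's two blocks are more than five minutes apart and never co-occur in one window, which is exactly the distinction a threshold without a time window would miss.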
Use profiling and allowlisting.
Use the WAF’s intelligence about normal application behavior, and create a list of allowed traffic and IPs to prevent false positives. Some WAF solutions offer their own capabilities in this area, making it easy to avoid blocking legitimate traffic.
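The following Python is an added example of the two ideas together, and is not Fastly's profiling feature or code: it learns a profile of normal traffic (which parameters each path receives and how their values look) from a constructed baseline, flags requests that depart from that profile, and uses a constructed IP allowlist to downgrade a would-be block to a logged event for trusted sources, so a gap in the learned profile cannot take a partner or an internal scanner offline. The character classes, baseline requests and addresses are all assumptions made for the illustration.

```python
"""Profiling normal request shape (a positive security model) plus an IP
allowlist that suppresses false positives.  Added illustration, not Fastly's
code; baseline traffic, addresses and value classes are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Any, Dict, List, Tuple

Request = Dict[str, Any]  # constructed shape: src, path, params (dict of str)

# Value classes from most to least restrictive; a value that fits none is "any".
CLASSES = [("digits", re.compile(r"^[0-9]+$")),
           ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
           ("text", re.compile(r"^[A-Za-z0-9 .,_-]+$"))]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}
RANK["any"] = len(CLASSES)


def classify(value: str) -> str:
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"


class Profile:
    """Per path, remember each parameter seen and the widest class of its values."""

    def __init__(self) -> None:
        self.params: Dict[str, Dict[str, str]] = defaultdict(dict)

    def learn(self, baseline: List[Request]) -> None:
        for req in baseline:
            seen = self.params[req["path"]]
            for key, value in req["params"].items():
                cls = classify(value)
                if key not in seen or RANK[cls] > RANK[seen[key]]:
                    seen[key] = cls

    def deviations(self, req: Request) -> List[str]:
        """Reasons this request departs from the learned profile (empty if none)."""
        expected = self.params.get(req["path"])
        if expected is None:
            return ["unknown path"]
        reasons = []
        for key, value in req["params"].items():
            if key not in expected:
                reasons.append(f"unexpected param {key}")
            elif RANK[classify(value)] > RANK[expected[key]]:
                reasons.append(f"param {key} outside learned class {expected[key]}")
        return reasons


def decide(profile: Profile, allowlist: List[ipaddress.IPv4Network],
           req: Request) -> Tuple[str, List[str]]:
    """Block on deviation, but only log it for allowlisted sources."""
    reasons = profile.deviations(req)
    if not reasons:
        return "allow", []
    src = ipaddress.ip_address(req["src"])
    if any(src in net for net in allowlist):
        return "log", reasons
    return "block", reasons


# Constructed baseline of known-good traffic used to learn the profile.
BASELINE: List[Request] = [
    {"src": "198.51.100.10", "path": "/search", "params": {"q": "laptop bag", "page": "2"}},
    {"src": "198.51.100.11", "path": "/search", "params": {"q": "usb-c", "page": "10"}},
    {"src": "198.51.100.12", "path": "/item", "params": {"id": "4471"}},
]
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # constructed trusted range

# Constructed requests to classify after learning.
OBSERVED: List[Request] = [
    {"src": "203.0.113.9", "path": "/search", "params": {"q": "laptop", "page": "3"}},
    {"src": "203.0.113.9", "path": "/search", "params": {"q": "' OR 1=1 --"}},
    {"src": "203.0.113.9", "path": "/item", "params": {"id": "4471abc"}},
    {"src": "10.20.30.40", "path": "/search", "params": {"q": "laptop", "sort": "price"}},
    {"src": "203.0.113.9", "path": "/admin", "params": {}},
]


def run_demo() -> List[str]:
    profile = Profile()
    profile.learn(BASELINE)
    return [decide(profile, ALLOWLIST, req)[0] for req in OBSERVED]


if __name__ == "__main__":
    print(run_demo())
```

The learned profile records /search as taking a free-text q and a numeric page, and /item as taking a numeric id. Against that profile the first observed request is allowed, the quote-laden q and the non-numeric id are blocked, the unknown sort parameter from the trusted range is only logged, and the never-seen /admin path is blocked. A real profile needs a larger baseline and a way to re-learn as the application changes; that is the profiling intelligence the text refers to.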
What are WAF Best Practices for DevOps?
The best practices above look at WAF performance and impacts through the lens of security teams and their effectiveness. But you should also consider the impact on development teams, which depends directly on how effective, and how intrusive, a WAF deployment is within their existing development pipelines.
Put WAF in Front of Every API.
WAFs help companies gain visibility into their applications' runtime status and into what sort of requests and attacks impact their software. Orgs should therefore place a WAF in front of all applications exposed to the internet. A WAF should also sit between containers in microservice or API-forward architectures.
Without a strong WAF solution in place, an organization has only sparse coverage of their application portfolio, at best. Without complete insight and visibility into the threats targeting their applications, they are leaving a large security gap. Companies can use WAF logs and analytics in combination with other security data across the org in order to gain an in-depth look at organizational risk.
WAFs that provide enhanced observability are a must, as they enable teams to automate and integrate monitoring logs and attacks into their security processes and decisions.
Make Security Part of the Code.
Relying on a security-as-code approach within a development environment allows developers to communicate runtime security assumptions to the application infrastructure at deployment. Limiting the types of requests an application accepts allows inputs to be pre-processed at the edge of the application infrastructure. A WAF can also help address more complex vulnerabilities: teams can create a virtual patch that is deployed to the WAF, making fixes simpler and less of a hindrance for dev teams.
Continuously Test WAF Changes.
As mentioned above, this step is also critical when considering Dev teams. WAFs set to “log and block” mode run the risk of causing application failures if changes and updates to the WAF are not tested properly.
Groups that do test typically integrate the WAF into the testing process, as a component of the application. Just like changes to the application, it's useful to be able to see any potential impacts from security tools before the change is made in production.
Get Buy-In on WAF decisions.
For a company whose web application is their business — such as an online retailer — tuning a WAF may require additional effort, as blocking potential legitimate customers will result in business loss.
It is therefore important to work closely with business executives on the broad strategy to be employed with the WAF and the specific criteria to guide decisions.
Modern WAFs bring significant utility to DevOps groups when used correctly, including better intelligence, faster security implementation and response, and the shifting left of some responsibility for security configuration. Ensuring a WAF deployment considers both security and Dev needs should always be a best practice.
How Fastly can help
When choosing a WAF provider, it is essential to select one with global coverage, powerful detection, and integration capabilities tailored to modern infrastructure.
Fastly's Next-Gen WAF is designed from the ground up with these features in mind. As the world's largest global edge cloud platform, it sits within milliseconds of users worldwide.
This strategic positioning allows Fastly to protect websites and applications faster than traditional WAFs. Inspecting traffic close to end users limits how far threats can penetrate, helping to block attacks before they ever reach the origin servers.
Among its key benefits, Fastly's Next-Gen WAF provides:
Comprehensive protection: Fastly detects and blocks the OWASP Top 10 web application vulnerabilities and custom threats you define through simple rules.
Rapid response times: With its global network of POPs, Fastly's Next-Gen WAF ensures ultra-low latency inspection for exceptional user experience, even during attacks.
Flexible configuration: You can customize rules, response pages, and more via Fastly's user-friendly interface without relying on lengthy change windows.
Real-time analytics: Thanks to Fastly's dashboard and API for proactive issue identification, you benefit from valuable insights into traffic and security events.
Seamless integration: Fastly's Next-Gen WAF works transparently with its CDN and edge computing services for unified security, performance, and delivery capabilities.
Learn more about how the Fastly Next-Gen WAF can provide advanced protection for your applications, APIs, and microservices with flexible deployment options and cutting-edge detection capabilities.