WAF

Segurança

Definição

Firewall de aplicação web. Uma camada de segurança que filtra, monitora e bloqueia tráfego HTTP/HTTPS de e para uma aplicação web, protegendo contra ataques como injeção SQL, XSS e CSRF na camada de aplicação.

What a WAF Protects Against

A Web Application Firewall operates at Layer 7, inspecting HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. request and response bodies rather than raw IP packets. It is purpose-built to stop the OWASP Top 10: SQL InjectionA code injection attack that inserts malicious SQL statements into application input fields to manipulate or extract data from a backend database. Prevented by parameterized queries and input validation., XSSCross-Site Scripting. A web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can steal session cookies, redirect users, or deface websites; mitigated by output encoding and CSP headers., CSRFCross-Site Request Forgery. An attack that tricks an authenticated user's browser into sending an unintended request to a web application. Prevented by anti-CSRF tokens, SameSite cookies, and verifying the Origin header., path traversal, and broken authentication. Unlike a network firewall that works on ports and IPs, a WAF understands application semantics — it can parse JSON payloads, decode Base64, and follow URL-encoded parameters.

Deployment Modes

Mode Position Notes
Reverse proxy In front of app servers Full inspection, terminates TLS
Transparent bridge Inline, no IP change Simpler deployment
Cloud / CDN At edge (e.g., Cloudflare) Scales automatically

Cloud WAFs integrate with CDN platforms, blocking attacks at the edge before traffic ever reaches origin servers.

Rule Sets and Tuning

WAFs ship with managed rule sets (OWASP Core Rule Set, vendor-specific sets) and allow custom rules. The main tradeoff is between security coverage and false positive rate. Monitoring HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). — especially 403 blocks — is the first step when debugging WAF interference. HTTP Header Analyzer inspection can reveal WAF fingerprints and help verify rules are applied correctly.

Termos relacionados

Mais em Segurança