WAF (WAF)

Security

Web Application Firewall. Inspects HTTP requests at the CDN edge and blocks malicious traffic: SQL injection, XSS, path traversal, bot abuse, and other OWASP Top 10 attacks. Filters traffic before it reaches your origin.

Updated Mar 9, 2026

Full Explanation

A WAF sits between the internet and your application, inspecting every HTTP request for malicious patterns. It looks at request headers, the request body, query parameters, and cookies, matching them against rulesets that detect known attack signatures. When it finds a match, it blocks the request, returns a 403, or presents a challenge (CAPTCHA).

Running a WAF at the CDN edge is powerful because it blocks attacks at the nearest PoP, before malicious traffic ever reaches your origin or even traverses your network. This protects against application-layer attacks that volumetric DDoS mitigation doesn't catch.

Modern CDN WAFs (Cloudflare WAF, AWS WAF, Fastly Signal Sciences) combine signature-based detection with machine learning to reduce false positives. You can create custom rules too: block specific countries, rate-limit login endpoints, or require JavaScript execution to filter simple bots.

Examples

AWS WAF rule to block SQL injection (Terraform):

# A CLOUDFRONT-scoped web ACL must be created through a provider in us-east-1.
resource "aws_wafv2_web_acl" "cdn_waf" {
  name  = "cdn-protection"
  scope = "CLOUDFRONT"

  default_action { allow {} }

  rule {
    name     = "block-sqli"
    priority = 1
    action { block {} }

    statement {
      sqli_match_statement {
        field_to_match {
          query_string {}
        }
        # Decode before matching so URL-encoded payloads are inspected in plaintext.
        text_transformation {
          priority = 1
          type     = "URL_DECODE"
        }
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "sqli-blocked"
    }
  }

  # The web ACL itself also needs a visibility_config block, not only each rule.
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "cdn-protection"
  }
}

Cloudflare WAF custom rule (API):

# Legacy firewall-rules endpoint; the body is a JSON array so several rules can be created in one call.
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '[{
    "filter": {"expression": "http.request.uri.path contains \"/wp-admin\" and not ip.src in {10.0.0.0/8}"},
    "action": "block",
    "description": "Block external wp-admin access"
  }]'
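The inspection loop the explanation describes, as an added example written for this entry (not the page's own code and not any vendor's implementation): a small Python inspector that applies AWS-WAF-style text transformations before matching, evaluates rules in priority order, and falls through to the default action, mirroring the two rules above. The toy SQLi signature, the field names and the sample requests are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Text transformations, named as AWS WAF names them, applied before matching so
# that a URL-encoded payload cannot slip past a signature written in plaintext.
TRANSFORMS = {
    "URL_DECODE": unquote_plus,
    "LOWERCASE": str.lower,
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
}

# Deliberately small SQLi signature (tautology or UNION SELECT); illustration only.
SQLI_SIGNATURE = re.compile(r"\b(?:or|and)\b\s+\S+\s*=\s*\S+|\bunion\s+select\b")

# Rules in the shape of the page's examples: priority, name, field to match,
# transformations, predicate over (transformed value, request), action.
RULES = [
    (1, "block-sqli", "query_string",
     ["URL_DECODE", "COMPRESS_WHITE_SPACE", "LOWERCASE"],
     lambda value, req: SQLI_SIGNATURE.search(value) is not None, "block"),
    (2, "block-external-wp-admin", "uri_path", [],
     lambda value, req: value.startswith("/wp-admin")
     and ip_address(req["src"]) not in ip_network("10.0.0.0/8"), "block"),
]


def transform(value, names):
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def inspect(req, default_action="allow", skip_transforms=False):
    """Evaluate rules in priority order; return (action, rule name) or the default."""
    for _, name, field, transforms, predicate, action in sorted(RULES, key=lambda r: r[0]):
        value = req.get(field, "")
        if not skip_transforms:
            value = transform(value, transforms)
        if predicate(value, req):
            return action, name
    return default_action, None


if __name__ == "__main__":
    # Constructed sample request: a tautology payload hidden behind URL encoding.
    encoded = {"uri_path": "/search", "query_string": "q=1%27%20OR%201%3D1", "src": "203.0.113.5"}
    print(inspect(encoded))                        # ('block', 'block-sqli')
    print(inspect(encoded, skip_transforms=True))  # ('allow', None): without decoding it is missed
```

The second call shows why the Terraform rule above declares a URL_DECODE transformation: the same request passes a signature that only sees the raw, still-encoded query string.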
