Higher Wall

I don't remember when the term WAF first appeared.

I read O'Reilly's Building Internet Firewalls a long time ago. The cover had a castle gate, I think. The contents were packet filtering and proxies. Layer 3 and Layer 4. You decided what to allow or block by IP address and port number. Concepts like DMZ and bastion host existed for network segmentation, but nobody thought about inspecting the application layer. The word WAF did not appear in that book.

A firewall was a gatekeeper. It stopped suspicious visitors at the door. It did not watch what they did once inside. If an HTTP request passed through port 80, the gatekeeper didn't care whether it carried SQL injection or XSS. Not its jurisdiction.

Web applications became the battlefield. Attacks moved to Layer 7. Malice arrived dressed as legitimate HTTP requests. The gatekeeper couldn't stop it. So WAF became necessary. Read the request body. Pattern-match and reject. Take every attack in the OWASP Top 10 and turn it into a rule.

On AWS, put AWS WAF in front of the ALB, apply managed rules, and you have a basic defense. Cloudflare bundles a WAF by default. Work that once meant buying a dedicated appliance, racking it, and hand-tuning rules now finishes with a few clicks in a console.

It is not a cure-all, though. WAF is pattern matching. Unknown attacks pass through. Legitimate requests get killed by false positives. Loosen the rules and attacks slip in. Tighten them and real traffic dies. That tuning is quietly troublesome. In the end, you still need proper validation and escaping on the application side.
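To make the loosen/tighten tradeoff concrete, here is a toy signature matcher run over two constructed rule sets and three constructed requests, beside the application-side parameterised query and output escaping that the post says you still need. This is an added example, not code from the post or from any real WAF product; the rule sets, sample requests and function names are all made up for illustration.

```python
import html
import re
import sqlite3

# Constructed sample request bodies: one legitimate comment and two textbook probes.
REQUESTS = {
    "legit": "Please select the blue or green option and drop me a line",
    "sqli": "' OR 1=1 --",
    "xss": "<script>alert(1)</script>",
}

# Constructed rule sets standing in for "loose" and "tight" WAF tuning.
# Loose: bare keywords. Tight: a narrow SQL tautology shape only.
LOOSE_RULES = [r"\bselect\b", r"\bor\b", r"\bdrop\b"]
TIGHT_RULES = [r"'\s*or\s+\d+\s*=\s*\d+", r"--\s*$"]


def waf_blocks(body, rules):
    """A WAF, reduced to its essence: block if any signature matches the body."""
    return any(re.search(rule, body, re.IGNORECASE) for rule in rules)


def classify(rules):
    """Map each sample request name to whether this rule set would block it."""
    return {name: waf_blocks(body, rules) for name, body in REQUESTS.items()}


def app_side_lookup(user_input):
    """Parameterised query: the input is bound as data, so it needs no signature to stay harmless."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,)).fetchall()
    conn.close()
    return [row[0] for row in rows]


def render_comment(user_input):
    """Context-aware escaping on output: markup in the input becomes inert text."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


if __name__ == "__main__":
    print("loose rules:", classify(LOOSE_RULES))   # kills the legitimate comment too
    print("tight rules:", classify(TIGHT_RULES))   # lets the legitimate comment through
    print("app side   :", app_side_lookup(REQUESTS["sqli"]), render_comment(REQUESTS["xss"]))
```

Neither rule set has a signature for the XSS sample, which is the "unknown attack passes through" case; the escaping in `render_comment` neutralises it without any rule at all.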

A magnificent castle gate means nothing if the residents forget to lock their doors. I say this with zero authority, having once shipped a cookie without the secure flag.