A Web application firewall (WAF) is a firewall that monitors, filters or blocks HTTP traffic to and from a Web application.
A WAF can be either network-based or host-based and is typically deployed as a proxy placed in front of one or more Web applications. In real time or near-real time, it inspects traffic before it reaches the Web application, evaluating each request against a rule base to filter out potentially harmful traffic or traffic patterns. Web application firewalls are a common security control used by enterprises to protect Web applications against zero-day exploits and known vulnerabilities and attacks.
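The proxy-plus-rule-base model described above, reduced to its essentials as an added Python example (this is illustrative code written for this page, not the code of any WAF product): a small rule base, a normalization step that percent-decodes each request field before matching, and an inspection function that returns an allow/block decision together with the rule ids that fired. The request objects, rule ids, signatures and sample traffic are all constructed for the demonstration; the signatures are the textbook ones and are far from a complete rule set.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Request:
    """One HTTP request as the WAF proxy sees it before forwarding it."""
    method: str
    path: str          # request target, including any query string
    body: str = ""


@dataclass
class Rule:
    """A rule-base entry: an id, a description, a signature and the
    request fields it applies to (hypothetical structure, not a real product's)."""
    rule_id: str
    description: str
    pattern: re.Pattern
    targets: Tuple[str, ...]   # subset of ("method", "path", "body")


def normalize(value: str) -> str:
    """Percent-decode and lowercase so that rules see the same text the
    application would see, rather than the encoded form on the wire."""
    return urllib.parse.unquote_plus(value).lower()


# Constructed rule base for the example.
RULES: List[Rule] = [
    Rule("R001", "path traversal", re.compile(r"\.\./"), ("path",)),
    Rule("R002", "SQL injection keywords",
         re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'1'\s*=\s*'1"), ("path", "body")),
    Rule("R003", "script tag injection", re.compile(r"<script\b"), ("path", "body")),
    Rule("R004", "unexpected HTTP method", re.compile(r"^(trace|track)$"), ("method",)),
]


def inspect(req: Request, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Evaluate every rule against the normalized request.
    Returns ("block", [matching rule ids]) or ("allow", [])."""
    fields = {
        "method": normalize(req.method),
        "path": normalize(req.path),
        "body": normalize(req.body),
    }
    hits = [r.rule_id for r in rules
            if any(r.pattern.search(fields[t]) for t in r.targets)]
    return ("block", hits) if hits else ("allow", [])


def log_line(req: Request, decision: str, hits: List[str]) -> str:
    """One audit-log line per decision, the kind a SOC would ingest."""
    return (f"waf action={decision} method={req.method} "
            f"path={req.path} rules={','.join(hits) or '-'}")


# Constructed sample traffic: one benign request and four that trip a rule.
SAMPLE_REQUESTS: List[Request] = [
    Request("GET", "/products?id=42"),
    Request("GET", "/download?file=..%2F..%2Fetc%2Fpasswd"),
    Request("POST", "/login", body="user=admin&pass=x%27+OR+%271%27%3D%271"),
    Request("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("TRACE", "/"),
]


def run(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, str, List[str]]]:
    """Inspect each request, print its log line and return the decisions."""
    results = []
    for req in requests:
        decision, hits = inspect(req)
        print(log_line(req, decision, hits))
        results.append((req.path, decision, hits))
    return results


if __name__ == "__main__":
    run()
```

The normalization step is the part worth noticing: the traversal signature in `R001` does not match the raw `..%2F..%2F` path at all, and only fires once the request has been decoded. Real WAFs apply a chain of such transformations before matching, and a rule base that matches only raw bytes will quietly miss what the application actually receives.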
WAFs started to gain attention when PCI DSS compliance was mandated for merchants that process payment card transactions. PCI DSS requires that Web applications be fortified through either a code security review or a WAF.