Skip to content

OWASP Best Practices: Use of Web Application Firewalls

Link to PDF



Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself – and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still a emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1) for example, is either a regular sourcecode review or the use of a WAF.

The document is aimed primarily at technical decision-makers, especially those responsible for operations and security as well as application owners (specialist department, technical application managers) evaluating the use of a WAF. Special attention has been paid – wherever possible – to the display of work estimates – including in comparison to possible alternatives such as modifications to the source code.

In addition to the importance of the web application regarding turnover or image – the term access to a web application used in this document can be a good criterion in the decision-making process relating to the use of WAFs. Specifically, the access to a web application, measures the extent to which the required changes to the application source code are actually carried out in-house, on time,or can be carried out by third parties. As illustrated by the graph below, a web application to which there is no access can only be protected sensibly by a WAF (additional benefit of the WAF). Even with an application in full access, a WAF can be used as a central service point for various services such as secure session management, which can be implemented for all applications equally, and as a suitable means for proactive safety measures such as URL encryption.

Further key topics discussed in this paper include best practices for processes concerning the installation and operation of a WAF as well as –in particular for larger companies – a description of the role of the WAF application manager.