# Web Application Firewalls (WAFs): What You Need To Know About the Security Checkpoint for Your Web Application

By [Mohit Bhasin](https://www.paloaltonetworks.com/blog/author/mohit-bhasin/?ts=markdown "Posts by Mohit Bhasin") | Aug 31, 2022 | 6 minutes | [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [Web Application & API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/web-application-api-security/?ts=markdown)

When you're developing a cloud-native web application, it can feel as if you're building a kingdom. The success of your application and company depends on a strong and scalable infrastructure, especially if it holds valuable materials like data, proprietary information, and resources. And if you build it, the hackers and attackers will come.

[A recent study from Tigera](https://www.prnewswire.com/news-releases/tigera-releases-the-state-of-cloud-native-security-report-revealing-key-challenges-and-opportunities-that-accompany-the-rapid-adoption-of-cloud-native-applications-301539593.html#:~:text=By%202025%2C%20Gartner%20estimates%20that,development%20on%20cloud%2Dnative%20applications.) found that three-quarters of companies surveyed are focusing on the development of cloud-native applications. In the same report, 96% of respondents cited cloud-native application security as one of the biggest challenges they face in building out their capabilities. These numbers are reinforced by a [CDNetworks study](https://www.cdnetworks.com/news/state-of-the-web-security-2020/) on web security, which states that web application attacks have risen by 800% as organizations work through the difficulties of keeping web apps safe.

So what are some ways you can protect yourself and your organization from these increasingly common attacks? The solution is a next generation of security checkpoints --- [Web Application Firewalls](https://www.paloaltonetworks.com/cyberpedia/what-is-a-web-application-firewall), or WAFs.

## How Web Application Firewalls (WAFs) Work

First, if you're wondering what a Web Application Firewall is, the answer is straightforward.
A web application firewall (WAF) is a form of application firewall that protects a web application from web-based attacks. In other words, it's the security checkpoint or gatekeeper for traffic going to and from a website or API. A WAF sits between an application and a client, monitoring and securing inbound and outbound traffic between the application and the internet. It applies rules that allow it to protect against attacks such as cross-site scripting, SQL injection, and broken access control, as well as the other Open Web Application Security Project [(OWASP) Top 10](https://owasp.org/www-project-top-ten/) weaknesses. WAFs aren't as old as a medieval fortress, but they did [first appear in the late 1990s](https://www.techtarget.com/searchsecurity/feature/Introduction-to-Web-application-firewalls-in-the-enterprise), and they actually predate the rise of cloud infrastructure.

Your web application is just like a walled city. It contains an assortment of valuable materials that you need to protect, and it has a two-way road connecting it to the outside world (the internet). The web application firewall is the security checkpoint of your city, stationed on the road at the main entrance. Anyone who wishes to enter is inspected, and a decision is made to allow or deny entry. The security checkpoint accepts those who meet the security criteria and rejects suspicious or malicious characters. Whenever people leave, the WAF security checkpoint assesses them again to make sure they aren't taking any of the city's valuable resources outside without approval. It also stops anyone from leaving --- either accidentally or on purpose --- with something they shouldn't be able to take with them.

This is how [traditional WAFs](https://learn.g2.com/issues-with-traditional-web-application-firewalls) operated before the adoption of cloud environments --- with only one entry point.
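To make the checkpoint model concrete, here is an added example (not code from the post or from any Palo Alto Networks product) of the two inspections a WAF performs: inbound requests are normalized and matched against rules for the OWASP-style attack classes named above, and outbound responses are checked so sensitive material does not leave the "city". The rule set, the `Request` shape and the sample inputs are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Inbound rules (constructed for this example; real rule sets such as the
# OWASP Core Rule Set are far larger and more carefully tuned).
INBOUND_RULES = [
    ("sqli-tautology", re.compile(r"(\'|\")\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*)\s*$|;\s*drop\s+table", re.I)),
    ("xss-script", re.compile(r"<\s*script\b|javascript\s*:|on\w+\s*=", re.I)),
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
]

# Outbound rules: things that should not leave the application unapproved.
OUTBOUND_RULES = [
    ("leak-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("leak-card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("leak-stack-trace", re.compile(r"Traceback \(most recent call last\)")),
]


@dataclass
class Request:  # minimal constructed request model
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str] = None   # which rule fired, if any
    location: Optional[str] = None  # where in the request/response it fired


def _normalize(value: str) -> str:
    # Decode twice so double-encoded input (e.g. %252e) cannot bypass the rules.
    return unquote_plus(unquote_plus(value))


def _fields(req: Request):
    # Every client-controlled field is a potential entry point.
    yield "path", req.path
    for k, v in req.query.items():
        yield f"query:{k}", v
    for k in ("User-Agent", "Referer", "Cookie"):
        if k in req.headers:
            yield f"header:{k}", req.headers[k]
    yield "body", req.body


def inspect_request(req: Request) -> Decision:
    """Inbound checkpoint: deny on the first matching rule, else allow."""
    for loc, raw in _fields(req):
        value = _normalize(raw)
        for rule_id, pat in INBOUND_RULES:
            if pat.search(value):
                return Decision(False, rule_id, loc)
    return Decision(True)


def inspect_response(body: str) -> Decision:
    """Outbound checkpoint: stop sensitive data leaving the application."""
    for rule_id, pat in OUTBOUND_RULES:
        if pat.search(body):
            return Decision(False, rule_id, "response-body")
    return Decision(True)
```

In production the deny decision would be logged with the rule id and location so the security team can tune false positives rather than silently dropping traffic.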
However, as companies continue to move applications and data to the cloud, traditional approaches to building and protecting applications are becoming outdated.

You can learn more about how web application firewalls work and the threats they protect against in **Episode 4 of What's That with Prisma Cloud**.

## 4 Ways to Step Up Web Application Security With WAFs

An organization's applications were once hosted on a single server in its private data center or network. In other words, its walled city had only one entry and exit point, and its perimeter was well-defined. But attackers will do anything in their power to gain entry (underground tunnel system, anyone?). Threats can now come from all sides to target the web application and its back-end database.

As applications move to cloud platforms like AWS, Azure, and GCP, they become significantly more complex. To make cloud-native applications run securely, developers increasingly break those applications down into microservices with [containers and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security). Another layer of complexity is added when you consider that most cloud applications connect and communicate with other web apps through APIs.

The rise of cloud-native has turned the walled city into a complex, interconnected kingdom. To make things more difficult, the city now has many roads connecting its different neighborhoods to other application cities (APIs) and to the outside world --- and they all need to be secured. Obviously, one security checkpoint isn't enough anymore. Instead, the city needs a coordinated security force that's able to identify and secure each access point. This means the legacy WAF (a single security checkpoint) is no longer sufficient for protecting cloud-native web applications.
The coverage needs to be more extensive than that of traditional WAFs, since it must protect against potential vulnerabilities such as those outlined in the OWASP Top 10, [advanced DoS](https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos), bad bots, access control, and file upload on systems open to the internet.

So what's the ideal approach to securing cloud-native web applications?

1. **Develop strong discovery processes.** Your security solution needs to be able to easily discover all the web apps and API endpoints in your environment.
2. **Ensure your security solution can defend against vulnerabilities**, such as those outlined in the OWASP Top 10, [advanced DoS](https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos), bad bots, access control, file upload, and more on systems that are open to the internet.
3. **Integrate protections and security checkpoints into your application lifecycle** to make security a seamless part of the developer workflow.
4. **Implement a solution and modern WAF with a defense** that not only provides visibility but also protects the application during runtime.

Moving applications to the cloud comes with a host of benefits, but it also means the potential for security threats is that much greater. Developers now need to ensure that their WAFs are protecting every endpoint and API associated with their application.

## Leverage Web Application Firewalls Successfully with Prisma Cloud

As organizations move toward cloud infrastructure and development, they need to make sure they're also modernizing their security solutions. Otherwise, they risk potentially disastrous security failures. Without a WAF that protects web applications and API endpoints, sensitive data and resources can be vulnerable to a variety of internet-based attacks.
Web application firewalls that can identify all the access points and API endpoints associated with a cloud-native application are crucial to making sure you don't fall prey to security breaches. But they're only one piece of the cloud security puzzle. The most successful and secure WAFs are part of all-in-one cloud-native security solutions, allowing their capabilities to work in tandem with a host of other tools within a [Cloud-Native Application Protection Platform](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform) (CNAPP).

CNAPPs combine the functionality of advanced WAFs that protect applications and APIs with other critical tools, such as IaC scanning, posture management, entitlement management, and [CI/CD security](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security). CNAPPs provide developers and security professionals with a single dashboard, allowing them to address their full continuum of needs from development to build to deployment to the runtime environment. With the use of comprehensive security solutions, you can feel safe knowing your cloud is protected against sophisticated threats ahead of time --- and your teams are well-equipped to identify and fix critical risks.