WAF — ModSecurity, Coraza, BunkerWeb, Cloudflare
Web application firewalls — open-source on-prem and cloud-managed.
A WAF sits in front of your web app and filters known-bad traffic. It's a partial defence — useful for buying time on freshly-disclosed CVEs, blocking trivial scans, and adding rule-based bot mitigation. For bot-specific defences see Bot Protection. For Server Hardening and Runtime Security for host-side defences. For SAST / DAST that find what the WAF should be filtering see Security Scanning.
Open-source WAFs
- ★ ModSecurity (Trustwave / OWASP) — the long-standing reference; Apache / Nginx / IIS modules; pairs with the OWASP Core Rule Set (CRS). ModSecurity v3 is the production standard. Free.
- OWASP Coreruleset (CRS) — the canonical rule set; tune paranoia level (1–4) and exclusions.
- ★ Coraza (OWASP) — Go-native ModSecurity rewrite; runs in Caddy, Traefik, Envoy, Fastly's Compute@Edge; loads CRS rules. The 2024–26 modern successor; rapidly maturing. Free.
- ★ BunkerWeb (Bunkerity) — full Nginx-based reverse proxy with WAF + bot detection + CrowdSec integration; turn-key. Free OSS + paid Pro.
- NAXSI (Wallarm) — Nginx WAF; whitelist-style; less common 2024–26.
- Open-AppSec — open-source ML-based WAF / bot detection; growing.
- lua-resty-waf (
unbit) — OpenResty-based.
Reverse-proxy / WAF combos
- Caddy + Coraza — a true OSS modern stack 2024–26.
- Traefik + Coraza — same niche.
- Nginx + ModSecurity v3 + CRS — battle-proven.
- Envoy + Coraza — service-mesh-friendly.
- HAProxy + ModSec sidecar — possible.
- See Reverse Proxy / LB.
Cloud / managed WAFs
- ★ Cloudflare WAF — paid (free Cloudflare plan includes basic managed rules); generous; the de-facto edge WAF. Strong on DDoS + bot mitigation in same stack.
- AWS WAF — paid; per-rule + per-request pricing; integrates with CloudFront / ALB / API Gateway.
- Azure Application Gateway WAF — paid.
- Google Cloud Armor — paid; integrates with HTTPS LB.
- Fastly Next-Gen WAF (Signal Sciences) — paid.
- Imperva / Akamai / F5 / Barracuda — paid enterprise.
DDoS / volumetric (link)
- Cloudflare / Akamai Prolexic / AWS Shield Advanced — paid; volumetric DDoS protection often bundled with WAF.
CrowdSec / behavioural (link)
- ★ CrowdSec — modern fail2ban replacement; community blocklists; many parsers (web, SSH, DB). See Server Hardening. Pairs with BunkerWeb for "WAF + behavioural ban."
- fail2ban — log-tail-based banning; legacy; still works.
Bot mitigation overlap
- See Bot Protection for Turnstile, hCaptcha, FingerprintJS, Anubis (anti-AI-scraper).
- BunkerWeb / Cloudflare bundle bot mitigation with the WAF layer.
API-shape WAF
- Akto — open-source API security; some runtime gating. See Security Scanning.
- Salt Security / Noname Security — paid commercial API security.
- 42Crunch — paid; OpenAPI-driven runtime API protection.
Tuning the WAF — the perpetual struggle
- ★ Start in detection-only mode. Run for a week, review false positives, then enable blocking.
- CRS paranoia level 1 by default; increase per-app once tuned.
- Allowlist legitimate weird — your app's own SOAP envelopes / file-upload flows / GraphQL queries.
- Log every block for review.
- Don't trust WAF as the only defence. It's a layer, not a fix.
What a WAF is good at
- Buying time on a freshly-disclosed CVE before you patch.
- Blocking automated scanners (Nikto, sqlmap, ZAP scripts) at low cost.
- Rate-limiting / hostname-restricting traffic.
- Mitigating naive credential-stuffing.
- Blocking specific bot UAs / patterns.
What it's bad at
- Anything subtly bespoke to your app's logic — auth bypass, IDOR, business logic.
- Encrypted bodies it can't decrypt (mTLS-only flows, end-to-end encryption).
- Determined attackers tuning around the rules.
Pick this if…
- Default OSS WAF in a Go-native stack: Coraza.
- Default OSS WAF on existing Nginx / Apache: ModSecurity v3 + CRS.
- Turnkey OSS Nginx WAF + bot mitigation: BunkerWeb.
- Cloudflare-fronted site: Cloudflare WAF (free / pro).
- AWS-hosted, full-stack: AWS WAF + CloudFront managed rules.
- CrowdSec-style behavioural ban layer alongside: CrowdSec.