Tooling

WAF — ModSecurity, Coraza, BunkerWeb, Cloudflare

Web application firewalls — open-source on-prem and cloud-managed.

A WAF sits in front of your web app and filters known-bad traffic. It's a partial defence — useful for buying time on freshly-disclosed CVEs, blocking trivial scans, and adding rule-based bot mitigation. For bot-specific defences see Bot Protection. For Server Hardening and Runtime Security for host-side defences. For SAST / DAST that find what the WAF should be filtering see Security Scanning.

Open-source WAFs

  • ModSecurity (Trustwave / OWASP) — the long-standing reference; Apache / Nginx / IIS modules; pairs with the OWASP Core Rule Set (CRS). ModSecurity v3 is the production standard. Free.
    • OWASP Coreruleset (CRS) — the canonical rule set; tune paranoia level (1–4) and exclusions.
  • Coraza (OWASP) — Go-native ModSecurity rewrite; runs in Caddy, Traefik, Envoy, Fastly's Compute@Edge; loads CRS rules. The 2024–26 modern successor; rapidly maturing. Free.
  • BunkerWeb (Bunkerity) — full Nginx-based reverse proxy with WAF + bot detection + CrowdSec integration; turn-key. Free OSS + paid Pro.
  • NAXSI (Wallarm) — Nginx WAF; whitelist-style; less common 2024–26.
  • Open-AppSec — open-source ML-based WAF / bot detection; growing.
  • lua-resty-waf (unbit) — OpenResty-based.

Reverse-proxy / WAF combos

  • Caddy + Coraza — a true OSS modern stack 2024–26.
  • Traefik + Coraza — same niche.
  • Nginx + ModSecurity v3 + CRS — battle-proven.
  • Envoy + Coraza — service-mesh-friendly.
  • HAProxy + ModSec sidecar — possible.
  • See Reverse Proxy / LB.

Cloud / managed WAFs

  • Cloudflare WAF — paid (free Cloudflare plan includes basic managed rules); generous; the de-facto edge WAF. Strong on DDoS + bot mitigation in same stack.
  • AWS WAF — paid; per-rule + per-request pricing; integrates with CloudFront / ALB / API Gateway.
  • Azure Application Gateway WAF — paid.
  • Google Cloud Armor — paid; integrates with HTTPS LB.
  • Fastly Next-Gen WAF (Signal Sciences) — paid.
  • Imperva / Akamai / F5 / Barracuda — paid enterprise.
  • Cloudflare / Akamai Prolexic / AWS Shield Advanced — paid; volumetric DDoS protection often bundled with WAF.
  • CrowdSec — modern fail2ban replacement; community blocklists; many parsers (web, SSH, DB). See Server Hardening. Pairs with BunkerWeb for "WAF + behavioural ban."
  • fail2ban — log-tail-based banning; legacy; still works.

Bot mitigation overlap

  • See Bot Protection for Turnstile, hCaptcha, FingerprintJS, Anubis (anti-AI-scraper).
  • BunkerWeb / Cloudflare bundle bot mitigation with the WAF layer.

API-shape WAF

  • Akto — open-source API security; some runtime gating. See Security Scanning.
  • Salt Security / Noname Security — paid commercial API security.
  • 42Crunch — paid; OpenAPI-driven runtime API protection.

Tuning the WAF — the perpetual struggle

  • Start in detection-only mode. Run for a week, review false positives, then enable blocking.
  • CRS paranoia level 1 by default; increase per-app once tuned.
  • Allowlist legitimate weird — your app's own SOAP envelopes / file-upload flows / GraphQL queries.
  • Log every block for review.
  • Don't trust WAF as the only defence. It's a layer, not a fix.

What a WAF is good at

  • Buying time on a freshly-disclosed CVE before you patch.
  • Blocking automated scanners (Nikto, sqlmap, ZAP scripts) at low cost.
  • Rate-limiting / hostname-restricting traffic.
  • Mitigating naive credential-stuffing.
  • Blocking specific bot UAs / patterns.

What it's bad at

  • Anything subtly bespoke to your app's logic — auth bypass, IDOR, business logic.
  • Encrypted bodies it can't decrypt (mTLS-only flows, end-to-end encryption).
  • Determined attackers tuning around the rules.

Pick this if…

  • Default OSS WAF in a Go-native stack: Coraza.
  • Default OSS WAF on existing Nginx / Apache: ModSecurity v3 + CRS.
  • Turnkey OSS Nginx WAF + bot mitigation: BunkerWeb.
  • Cloudflare-fronted site: Cloudflare WAF (free / pro).
  • AWS-hosted, full-stack: AWS WAF + CloudFront managed rules.
  • CrowdSec-style behavioural ban layer alongside: CrowdSec.

On this page