web application firewall
(Redirected from WAF)
This article is a stub. You can help the IndieWeb wiki by expanding it.
A web application firewalls is software that inspects HTTP requests and tries to block malicious or suspect requests, often with a high risk of false positives due to broad defaults, and limited effectiveness against a motivated attacker.
They are often part of the offering of CDN providers like like Cloudflare and AWS WAF.
An example is mod_security.
If you are on shared hosting, your hoster might have one enabled by default, so be on the lookout for its reports in server logs when requests are failing without an obvious reason. It should log that it blocked a request and why it did so.
encountered issues
- the OWASP Core ModSecurity rule set has a rule allowing only some content-types for POST requests, forbidding JSON-based requests used e.g. by Micropub and IndieAuth. potential fix
See Also
- How Does a Web Application Firewall (WAF) and WAF Rules Work?
- Cloudflare
- AWS
- 2025-04-01 Example of overeager filters: Cloudflare rolling out filter blocking all URLs containing "camel" #8203 [BUG Can't install `camelcase`, `decamelize` and other camel-related packages (#camelgate)]