Guide

What Is a Web Application Firewall (WAF)?

A WAF sits in front of your website and filters out malicious traffic before it ever reaches your server.

Most small business owners have heard of a firewall but assume it lives on their office router. A web application firewall is a different thing entirely — it protects your website, not your office network, and it works around the clock whether you are watching or not.

Here is what a WAF actually does, the kinds of attacks it stops, and how to tell whether your site already has one.

What a WAF does

A web application firewall inspects the traffic arriving at your website and decides whether to let it through or block it. It looks for patterns that match known attacks — things like attempts to inject malicious code into a contact form, probe for admin pages, or exploit a known weakness in a plugin.

Crucially, it works at the application layer. A traditional firewall might just see that data is arriving on a particular port. A WAF understands what a web request looks like, so it can spot a malicious one and stop it before it ever touches your server.

The attacks it stops

Common attacks it stops include SQL injection (tricking your database into handing over data), cross-site scripting (sneaking code into pages other visitors will load), and brute-force login attempts. A good WAF blocks these automatically and quietly.
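
To make the application-layer inspection described above concrete, here is an added example (not code from this guide or from any WAF product) of a toy filter in Python that applies the three checks named in this section. The rule patterns, the probe paths, the /login endpoint and the rate limit are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Constructed signatures for illustration; real rule sets are far larger.
RULES = [
    ("sql-injection", re.compile(r"\bunion\b.{1,40}\bselect\b|'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("cross-site-scripting", re.compile(r"<\s*script\b|<[^>]*\bon\w+\s*=", re.I)),
]
# Assumption: this site never serves these paths, so any request for them is a probe.
PROBE_PATHS = re.compile(r"^/(phpmyadmin|\.env|\.git)(/|$)", re.I)
LOGIN_PATH = "/login"   # assumed login endpoint
MAX_LOGINS = 5          # assumed limit: login POSTs per client per window
WINDOW_SECONDS = 60


def port_firewall(port):
    """What a traditional firewall sees: only the destination port."""
    return "allow" if port in (80, 443) else "block"


class ToyWaf:
    def __init__(self):
        self._logins = defaultdict(deque)  # client IP -> recent login timestamps

    def inspect(self, ip, method, path, query="", body="", now=0.0):
        """Return ("allow", None) or ("block", rule_name) for one HTTP request."""
        if PROBE_PATHS.search(path):
            return ("block", "admin-probe")
        # Decode first so URL-encoding (%27, +) cannot hide a payload from the rules.
        payload = unquote_plus(query) + "\n" + unquote_plus(body)
        for name, pattern in RULES:
            if pattern.search(payload):
                return ("block", name)
        if method == "POST" and path == LOGIN_PATH:
            window = self._logins[ip]
            # Forget login attempts that have aged out of the window.
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()
            window.append(now)
            if len(window) > MAX_LOGINS:
                return ("block", "brute-force")
        return ("allow", None)
```

Every request in this sketch would pass port_firewall(443); only inspect() can tell the contact-form submission apart from the injection attempt.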

It also helps with the noise. Most websites are constantly probed by automated bots looking for vulnerabilities. A WAF filters that traffic out, which reduces server load as a useful side effect — your real visitors get a faster site.

Do you need one?

If you run anything beyond a simple brochure site — a shop, a login area, a booking system, or a WordPress site with plugins — a WAF is one of the most cost-effective protections you can add. Many are cloud-based, so there is nothing to install.

Plenty of hosting plans and CDNs now include a WAF as standard, sometimes without making it obvious. If you are not sure whether yours is protected, ask your developer or host. It is the kind of thing that quietly does its job until the day it saves you a very bad week.

FAQs

Common questions.

Is a WAF the same as antivirus?
No. Antivirus scans files on a computer for malware. A WAF filters incoming web traffic to your site, blocking malicious requests before they reach your server.

Will a WAF slow my site down?
A well-configured cloud WAF usually has no noticeable impact, and by blocking bot traffic it can actually reduce load on your server.

Does my website need a WAF even if it does not handle payments or sensitive data?
Yes, because attackers target all websites, not just those with obvious financial data — they look for vulnerabilities to inject spam, steal server resources, or use your site to attack others. We recommend a WAF as a standard layer of protection for any site we build, regardless of what it sells or stores.