A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

According to Gartner, by 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and WAFs. This is an increase from fewer than 10% today.

2018

On August 2018, Gartner’s released their latest Magic Quadrant report for Web Application Firewalls. Only Imperva and Akamai are in the Leaders quadrant. F5 has been moved out from Leaders quadrant to challengers. Other vendors , such as Fortinet, Cloudflare, Barracuda, Citrix, are not changed much and still in challengers. Oracle and Radware are in Visionaries quadrant.

2017



2016
Imperva was the only one in Leader quadrant.