Glossary term
Web Application Firewall (WAF)
A web application firewall (WAF) is a security layer that filters and monitors HTTP traffic between a website and the internet — blocking common attacks (SQL injection, cross-site scripting, malicious bots, brute-force login attempts) before they reach the application — and is the baseline defense expected of any public-facing nonprofit, B Corp, or e-commerce site in 2026.
Where a WAF sits
- Edge WAFs: Cloudflare, AWS WAF, Fastly — sit in front of your hosting and block traffic before it touches the origin.
- Host-level WAFs: Pantheon and other managed hosts bundle WAF capabilities, including rate limiting and abuse detection.
- Application-level WAFs: Wordfence (WordPress), Patchstack — run inside the CMS, with more app-aware rules but less ability to drop traffic at the network edge.
What a good WAF posture looks like
- An edge WAF blocking obvious abuse, bot floods, and country-level restrictions where appropriate.
- An application-level WAF watching for CMS-specific exploits the edge can’t see (logged-in user abuse, plugin vulnerabilities).
- Documented exception process: legitimate scripts, embedded forms, and partner integrations sometimes need to be whitelisted.
- Quarterly review of WAF logs to spot trends and tune rules.
Trade-offs
WAFs sometimes produce false positives on legitimate user actions — long form submissions, file uploads, accessibility tools. We tune WAF rules during launch QA so they protect without breaking real workflows, and document the exceptions so future staff don’t waste hours debugging blocked requests.
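The quarterly log review and the false-positive tuning described above can be made routine with a small triage script. The following is an added example, not code from the original page or from any of the named vendors; it assumes JSON-lines WAF decision logs with the fields ts, action, rule, path and ip, and a documented list of legitimate paths (forms and partner integrations), all of which are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of edge-WAF decision logs in JSON-lines form.
# Field names (ts, action, rule, path, ip) are assumed for this example.
SAMPLE_LOG = """\
{"ts":"2026-01-03T10:00:01Z","action":"block","rule":"sqli-generic","path":"/wp-login.php","ip":"203.0.113.10"}
{"ts":"2026-01-03T10:00:02Z","action":"block","rule":"login-rate-limit","path":"/wp-login.php","ip":"203.0.113.10"}
{"ts":"2026-01-03T10:00:05Z","action":"block","rule":"login-rate-limit","path":"/wp-login.php","ip":"203.0.113.10"}
{"ts":"2026-01-03T10:01:10Z","action":"block","rule":"xss-generic","path":"/contact","ip":"198.51.100.7"}
{"ts":"2026-01-03T10:02:30Z","action":"block","rule":"xss-generic","path":"/contact","ip":"198.51.100.8"}
{"ts":"2026-01-03T10:03:45Z","action":"block","rule":"xss-generic","path":"/contact","ip":"198.51.100.9"}
{"ts":"2026-01-03T10:04:00Z","action":"allow","rule":"-","path":"/donate","ip":"198.51.100.9"}
{"ts":"2026-01-03T10:05:00Z","action":"block","rule":"body-size-limit","path":"/api/partner-webhook","ip":"192.0.2.50"}
"""

# Assumed stand-in for the site's documented exception register: paths whose
# traffic (embedded forms, partner integrations) is known to be legitimate.
DOCUMENTED_LEGIT_PATHS = {"/contact", "/donate", "/api/partner-webhook"}


def parse_log(text):
    """Parse JSON-lines WAF decisions, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole review
    return events


def blocks_per_rule(events):
    """Trend view for the quarterly review: blocks produced by each rule."""
    return Counter(e["rule"] for e in events if e.get("action") == "block")


def false_positive_candidates(events, legit_paths, min_blocks=2, min_ips=2):
    """Rules that repeatedly block a documented-legitimate path from several
    distinct client IPs. One IP hammering a path looks like abuse; many
    unrelated IPs tripping the same rule on a form suggests the rule needs
    tuning or a narrowly scoped exception. Returns {(rule, path): (blocks, ips)}."""
    blocks, ips = Counter(), {}
    for e in events:
        if e.get("action") != "block" or e.get("path") not in legit_paths:
            continue
        key = (e["rule"], e["path"])
        blocks[key] += 1
        ips.setdefault(key, set()).add(e["ip"])
    return {k: (blocks[k], len(ips[k])) for k in blocks
            if blocks[k] >= min_blocks and len(ips[k]) >= min_ips}
```

On the sample, the brute-force blocks on the login page stay out of the candidate list because only one IP is involved, while the three /contact blocks from three different visitors are flagged for rule tuning.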