Best Practices for Configuring a Web Application Firewall
Why a Web Application Firewall (WAF) Matters in 2025
Web applications remain among the most-targeted attack vectors. From login portals to customer-facing web apps, attackers exploit weaknesses to exfiltrate data, hijack sessions, or plant malware. A Web Application Firewall (WAF) can serve as a first line of defense, monitoring, filtering, and blocking malicious traffic before it reaches your application stack.
But simply deploying a WAF is not enough. Without proper tuning, testing, and updating to match your organization’s security needs and attack surface, a WAF can let threats through or generate false positives that block legitimate users.
In the past year, exploitation of vulnerabilities in web applications accounted for 42% of non-misuse breaches in the 2025 Verizon Data Breach Investigations Report. Given how ubiquitous web applications and their exploitation are in 2025, a properly configured WAF should be considered a business continuity asset rather than just a technical tool.
What Does a WAF Do?
A Web Application Firewall (WAF) sits between a web application and the internet, protecting it from malicious intrusions. It can inspect traffic to and from web applications and filter it based on predefined rules and behavioral logic. It may help protect against:
- Common web vulnerabilities such as SQL injection
- Cross-site scripting (XSS)
- Remote Code Execution (RCE)
- Malicious HTTP traffic
WAFs operate at Layer 7 (the application layer). They can enforce either allowlists or blocklists: an allowlist admits only traffic that matches a predefined set of permitted characteristics and rejects everything else, while a blocklist admits everything except traffic that matches known-bad sources, signatures, or patterns.
Organizations have their pick between several different implementations:
- Network-based: A hardware appliance installed on-premises, in front of the application
- Host-based: Integrated into the application’s own software stack on the server
- Cloud-based: Delivered as a service, which can reduce up-front investment and operating costs
Best Practice 1: Set Up and Customize WAF Policies
Once tuned, a WAF filters traffic the way you intend. Decide how best to tailor it to your environment, whether that means creating an allowlist that specifies exactly which traffic is authorized, or creating a blocklist that firmly rejects unwanted or known-malicious traffic.
Customize based on your specific user behavior and API usage patterns.
Best Practice 2: Defend Against Bots and Rate-Based Attacks
Bots are not harmless. Many scrape content, launch credential stuffing, or abuse forms. A WAF should:
- Block traffic from high-risk geographies or known-bad IP addresses, where appropriate and feasible
- Use rate limiting to prevent excessive incoming requests
Rate limiting can help block attacks such as brute-force attacks and credential reuse, especially when threat actors use credentials leaked in third-party breaches. SecurityScorecard’s Leaked Breach Records service helps organizations identify compromised credentials.
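As an added illustration of the rate-limiting point (example code written for this page, not a SecurityScorecard product or any specific WAF’s configuration), the Python below implements a sliding-window limiter keyed by client address and route, then replays a constructed burst of login attempts against it. The limit, the window length and the 203.0.113.7 source address are all constructed assumptions.

```python
"""Sliding-window rate limiting for a login route (added example, not from the page)."""
from collections import defaultdict, deque

# Constructed policy values: at most 5 login attempts per client in any 60-second window.
LOGIN_LIMIT = 5
WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Keeps the timestamps of recent requests per key and rejects anything
    that would push the count inside the window above the limit."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        """Return True if a request at time `now` (seconds) is within the limit."""
        hits = self._hits[key]
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Over the limit: deny and do not record, so the client's own
            # rejected attempts cannot extend its lockout.
            return False
        hits.append(now)
        return True


def simulate_burst(attempts: int, interval: float) -> dict[str, int]:
    """Replay a constructed burst of POST /login attempts from one source
    address spaced `interval` seconds apart and count the limiter's verdicts."""
    limiter = SlidingWindowLimiter(LOGIN_LIMIT, WINDOW_SECONDS)
    key = "203.0.113.7:POST:/login"  # constructed client address + route
    counts = {"allowed": 0, "blocked": 0}
    for i in range(attempts):
        verdict = "allowed" if limiter.allow(key, now=i * interval) else "blocked"
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # 50 attempts half a second apart all fall inside one window: 5 pass, 45 are blocked.
    print(simulate_burst(attempts=50, interval=0.5))
```

Denied attempts are deliberately not recorded, so a source that is already over the limit cannot keep itself locked out indefinitely; some deployments prefer the opposite and count denied attempts to hold a persistent offender back longer. A production WAF would also key on more than the source address (for example the targeted account), since credential-stuffing traffic is often spread across many addresses.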
Best Practice 3: Integrate WAF with SIEM and Monitoring Tools
WAF logs must be actionable. Integrate them with other security tools, such as your SIEM (Security Information and Event Management) platform, to:
- Correlate blocked events with user behavior
- Detect coordinated campaigns across systems
- Trigger alerts for repeated violations from the same source
- Prioritize response based on severity and impact
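To show what “actionable” looks like once WAF events reach a SIEM, here is an added example (written for this page, not the page’s own or any vendor’s code) that parses constructed JSON-per-line WAF events, groups them by source address, raises an alert when one source trips three or more rules within five minutes, and orders the alerts by the worst severity seen. The field names, rule identifiers, thresholds and the 198.51.100.23 and 192.0.2.88 addresses are all constructed assumptions rather than any product’s log schema.

```python
"""Correlating WAF events by source into prioritized alerts (added example, not from the page)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WAF events, one JSON object per line. The field names are an
# assumption for this example, not any vendor's log schema.
SAMPLE_WAF_LOG = """
{"ts": "2025-06-01T10:00:01Z", "src_ip": "198.51.100.23", "rule": "sqli-001", "severity": "high", "action": "block", "path": "/login"}
{"ts": "2025-06-01T10:00:04Z", "src_ip": "198.51.100.23", "rule": "sqli-001", "severity": "high", "action": "block", "path": "/login"}
{"ts": "2025-06-01T10:00:09Z", "src_ip": "198.51.100.23", "rule": "xss-002", "severity": "medium", "action": "block", "path": "/search"}
{"ts": "2025-06-01T10:02:30Z", "src_ip": "192.0.2.88", "rule": "scanner-ua", "severity": "low", "action": "log", "path": "/"}
{"ts": "2025-06-01T10:03:00Z", "src_ip": "198.51.100.23", "rule": "rce-003", "severity": "critical", "action": "block", "path": "/upload"}
{"ts": "2025-06-01T10:40:00Z", "src_ip": "192.0.2.88", "rule": "scanner-ua", "severity": "low", "action": "log", "path": "/admin"}
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-per-line events, converting the timestamp to a datetime."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def correlate(events: list[dict], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert on any source that triggered `threshold` or more events inside a
    sliding `window`; order alerts by worst severity, then by event count."""
    by_source: dict[str, list[dict]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_source[event["src_ip"]].append(event)

    alerts = []
    for src_ip, evs in by_source.items():
        start = 0
        burst = False
        for end in range(len(evs)):
            # Advance the window's left edge until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        worst = max(evs, key=lambda e: SEVERITY_RANK[e["severity"]])
        alerts.append({
            "src_ip": src_ip,
            "count": len(evs),
            "worst_severity": worst["severity"],
            "rules": sorted({e["rule"] for e in evs}),
            "paths": sorted({e["path"] for e in evs}),
        })
    alerts.sort(key=lambda a: (-SEVERITY_RANK[a["worst_severity"]], -a["count"]))
    return alerts


def run_sample() -> list[dict]:
    """Correlate the constructed log above."""
    return correlate(parse_events(SAMPLE_WAF_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log the single alert names one source, the three distinct rules it tripped and the paths it touched, which is far more useful to a responder than six isolated block events. Lowering the threshold or widening the window (for example two events within an hour) also surfaces the slow scanner on 192.0.2.88, so the thresholds are tuning knobs to revisit with the same discipline as the WAF rules themselves.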
SecurityScorecard’s global threat intelligence can help security teams identify reconnaissance or active attacks early.
Best Practice 4: Validate and Update WAF Effectiveness
Don’t assume your WAF is blocking what it should. Test it and review it regularly through:
- Reviewing WAF logs
- Updating WAF rules so they allow the traffic your team wants and block the traffic it doesn’t
- Tailoring rules to the current threat landscape using threat intelligence feeds and lessons learned from incident response
- Red team exercises focused on bypassing filters
Document the results, adjust rules, and retest on a regular basis.
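Best Practice 1 (allowlist versus blocklist policies) and Best Practice 4 (validating that the rules still do what you expect) come together in the following added example, written for this page rather than taken from any WAF product. It models a small policy as an allowlist of (method, path) routes plus a blocklist of source addresses and payload signatures, then runs a regression table of constructed requests, mixing the kind of probes a red team exercise would send with known-good traffic, and reports false negatives and false positives. Every route, pattern, address and request here is a constructed assumption, and the two signatures are deliberately coarse so the report has something to catch.

```python
"""Allowlist/blocklist WAF policy with a rule regression check (added example, not from the page)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    method: str
    url: str      # path plus optional query string, e.g. "/search?q=shoes"
    src_ip: str


@dataclass
class Policy:
    allowed_routes: list = field(default_factory=list)    # (method, compiled path regex)
    blocked_ips: set = field(default_factory=set)         # known-bad sources
    blocked_patterns: list = field(default_factory=list)  # (rule_id, compiled payload regex)


def decide(policy: Policy, req: Request) -> tuple[str, str]:
    """Return ("block", reason) or ("allow", "") for one request.
    Order: source blocklist, then route allowlist, then payload signatures."""
    if req.src_ip in policy.blocked_ips:
        return "block", "ip-blocklist"
    parts = urlsplit(req.url)
    if not any(req.method == m and rx.fullmatch(parts.path) for m, rx in policy.allowed_routes):
        return "block", "route-not-allowlisted"
    # parse_qs percent-decodes once; a second unquote normalizes double-encoded
    # values so the signatures inspect the same text the application would see.
    values = [unquote(v) for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    for rule_id, rx in policy.blocked_patterns:
        if any(rx.search(v) for v in values):
            return "block", rule_id
    return "allow", ""


# Constructed policy for a small site: default-deny routes plus two coarse signatures.
POLICY = Policy(
    allowed_routes=[
        ("GET", re.compile(r"/")),
        ("GET", re.compile(r"/search")),
        ("POST", re.compile(r"/login")),
        ("GET", re.compile(r"/static/[\w./-]+")),
    ],
    blocked_ips={"203.0.113.9"},
    blocked_patterns=[
        ("sqli-001", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select", re.I)),
        ("xss-002", re.compile(r"<\s*script\b|on\w+\s*=", re.I)),
    ],
)

# Regression table: (request, expected verdict). Probes and known-good traffic
# both belong here so every rule change is checked for both failure modes.
CASES = [
    (Request("GET", "/search?q=running+shoes", "198.51.100.5"), "allow"),
    (Request("GET", "/search?q=%27%20OR%201%3D1", "198.51.100.5"), "block"),
    (Request("GET", "/search?q=%2527%2520OR%25201%253D1", "198.51.100.5"), "block"),  # double-encoded
    (Request("GET", "/search?q=<script>alert(1)</script>", "198.51.100.5"), "block"),
    (Request("POST", "/login?next=/account", "198.51.100.5"), "allow"),
    (Request("PUT", "/login", "198.51.100.5"), "block"),                 # method not allowlisted
    (Request("GET", "/", "203.0.113.9"), "block"),                       # blocked source
    (Request("GET", "/search?q=O'Brien", "198.51.100.5"), "allow"),      # apostrophe in ordinary text
    (Request("GET", "/search?q=conversation=starter", "198.51.100.5"), "allow"),  # ordinary text the coarse XSS rule trips on
]


def regression_report(policy: Policy, cases: list) -> dict[str, list]:
    """Run every case and collect mismatches: attacks that got through
    (false negatives) and legitimate requests that were blocked (false positives)."""
    report: dict[str, list] = {"false_negatives": [], "false_positives": []}
    for req, expected in cases:
        verdict, reason = decide(policy, req)
        if verdict == expected:
            continue
        bucket = "false_negatives" if expected == "block" else "false_positives"
        report[bucket].append((req.method, req.url, reason))
    return report


if __name__ == "__main__":
    print(regression_report(POLICY, CASES))
```

Run as written, the report shows no false negatives but one false positive: the coarse `on\w+\s*=` event-handler signature blocks an ordinary search for “conversation=starter”. That is exactly the document-adjust-retest loop the practice describes: tighten the rule (for example to specific handler names), re-run the table, and keep the table growing with every incident and red team finding. A production WAF normalizes far more than URL encoding (Unicode, HTML entities, header and body fields), so the table should cover whatever encodings your own stack accepts.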
Protect Your Supply Chain with Real-Time Threat Detection
SecurityScorecard’s SCDR solution offers continuous monitoring of your third-party ecosystem, enabling swift identification and mitigation of cyber threats. Enhance your organization’s resilience by proactively managing supply chain risks.
