Websites hosted on the Internet are continuously inundated with unwanted traffic from bots (robots and automated programs that trawl the Internet for vulnerable websites), hacktivists, and focused attack groups. The intent is simple – exploit vulnerabilities to:
Thousands of websites get hacked every day due to vulnerabilities in code or misconfigurations. One of the best ways to protect your web application from online threats is to use a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution.
A WAF / WAAP solution helps protect websites and APIs by inspecting and filtering the traffic between web servers and the Internet. It can help defend web applications against attacks such as SQL Injection, File Inclusion, Cross-Site Scripting, Remote Code Execution, etc.
Many commercial WAF / WAAP solutions exist, but over the years many open-source and freemium WAF solutions have also come to the aid of website owners to help secure their web applications. Below are some of the top open-source/freemium solutions:
Type: Freemium
Haltdos WAF CE is a free version by Haltdos. It is a high-performance WAF and WAAP solution designed to safeguard web applications and APIs. Unlike many other open-source WAF solutions in this list, Haltdos uses a new HTTP request processing engine designed for performance, complex rule creation, and mitigation of sophisticated attacks. It supports mitigation techniques such as CAPTCHA challenges, rate limiting, anomaly detection, redirection, request termination, and connection termination.
Pros of Haltdos WAF CE:
Cons of Haltdos WAF CE:
Type: Open Source
Sometimes also referred to as Modsec, ModSecurity is an open-source web application firewall (WAF) built by Trustwave. One of the oldest open-source solutions, this WAF comes as a module for Apache HTTP Server, Nginx, and Microsoft IIS. It is free software distributed under the Apache 2.0 license.
Effective July 1, 2024, Trustwave will no longer provide support for ModSecurity. The maintenance of the ModSecurity code will thereafter be returned to the open-source community.
Pros of ModSecurity:
Cons of ModSecurity:
Type: Open Source
Another popular open-source WAF is NAXSI. NAXSI is a third-party Nginx module with a small set of simple (and readable) rules covering 99% of the known patterns involved in website vulnerabilities. These rules compute a score for every request, and when the score threshold is breached the request is dropped. NAXSI only filters GET, POST and PUT requests, and its default setup acts as a DROP-by-default firewall, so you must add ACCEPT (whitelist) rules for legitimate traffic for it to function properly.
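The scoring model described above, as an added toy model written for this post (it is not NAXSI's own code or rule syntax): each matching rule adds points to a named score bucket, a request is dropped once any bucket reaches its threshold, and a whitelist plays the role of the ACCEPT rules a DROP-by-default setup needs. Rule ids, patterns, scores and the sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int
    pattern: str         # case-insensitive regex tested against each inspected value
    zones: frozenset     # request zones inspected: "URL", "ARGS" and/or "BODY"
    tag: str             # score bucket, e.g. "SQL" or "XSS"
    score: int           # points added to the bucket on each match

# Constructed rule set: a handful of simple, readable patterns with small scores.
ALL = frozenset({"URL", "ARGS", "BODY"})
RULES = [
    Rule(1000, r"select", ALL, "SQL", 4),
    Rule(1005, r"union", ALL, "SQL", 4),
    Rule(1001, r"'|\"", frozenset({"ARGS", "BODY"}), "SQL", 4),   # quote characters
    Rule(1302, r"<|>", frozenset({"ARGS", "BODY"}), "XSS", 4),
    Rule(1310, r"\(|\)", frozenset({"ARGS", "BODY"}), "XSS", 2),
]
THRESHOLDS = {"SQL": 8, "XSS": 8}   # a bucket reaching its threshold drops the request

def evaluate(request, rules=RULES, thresholds=THRESHOLDS, whitelist=frozenset()):
    """request = {"URL": str, "ARGS": {name: value}, "BODY": {name: value}}.
    whitelist holds (rule_id, zone, var_name) triples; var_name None exempts
    the rule for the whole zone. Returns (decision, scores, matched_rule_ids)."""
    scores = {tag: 0 for tag in thresholds}
    matched = []
    for rule in rules:
        rx = re.compile(rule.pattern, re.IGNORECASE)
        for zone in rule.zones:
            data = request.get(zone, "")
            items = [("", data)] if isinstance(data, str) else list(data.items())
            for name, value in items:
                if (rule.rule_id, zone, None) in whitelist or (rule.rule_id, zone, name) in whitelist:
                    continue
                if rx.search(value) or (name and rx.search(name)):
                    scores[rule.tag] = scores.get(rule.tag, 0) + rule.score
                    matched.append(rule.rule_id)
    blocked = any(scores[tag] >= limit for tag, limit in thresholds.items())
    return ("DROP" if blocked else "ACCEPT"), scores, matched

# Constructed requests: apostrophes in legitimate names trip the quote rule twice and
# hit the SQL threshold (a false positive the whitelist fixes); the injection-looking
# request still scores over the threshold even with that whitelist applied.
BENIGN = {"URL": "/search", "ARGS": {"q": "o'reilly", "name": "d'angelo"}, "BODY": {}}
HOSTILE = {"URL": "/search", "ARGS": {"q": "' union select 1,2"}, "BODY": {}}
WHITELIST = frozenset({(1001, "ARGS", "q")})   # exempt the quote rule for argument q only

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, evaluate(req)[:2], "with whitelist:", evaluate(req, whitelist=WHITELIST)[:2])
```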
Pros of NAXSI:
Cons of NAXSI:
Type: Open Source
Shadow Daemon detects, records, and prevents web attacks by filtering requests with malicious parameters. It comes with its own web interface for administering and managing the WAF. It supports applications written in PHP, Perl and Python.
Pros of Shadow Daemon:
Cons of Shadow Daemon:
Type: Open Source
WebKnight is an application firewall for Microsoft IIS. It scans all incoming requests and filters them according to rules set by the administrator.
Pros of WebKnight:
Cons of WebKnight:
Type: Open Source
OctopusWAF is an open-source web application firewall written entirely in C that handles numerous concurrent connections using libevent. Its event-driven design is geared towards many concurrent (keep-alive) connections, which is essential for high-speed AJAX applications. The tool is quite lightweight and can be used in whatever manner suits you. It is ideal for securing particular endpoints that require customized protection.
Pros of OctopusWAF:
Cons of OctopusWAF:
Type: Open Source
Coraza is an open-source, high-performance Web Application Firewall (WAF) designed to safeguard your most cherished apps. It is developed in the Go programming language, supports ModSecurity and SecLang rule sets, and is fully compatible with the OWASP Core Rule Set. It has a modular design with support for plugins (GeoIP, etc.).
Pros of Coraza:
Cons of Coraza: