SecurityStatus
Severity: medium | Category: Infrastructure

WAF Detection

A Web Application Firewall (WAF) sits in front of your web application and filters malicious traffic — blocking SQL injection, XSS, path traversal, and other attacks before they reach your application code. SecurityStatus checks whether a WAF is detected on your domain.

What SecurityStatus Checks

  • WAF fingerprinting via HTTP response headers and cookies
  • Known WAF signatures: Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, ModSecurity
  • WAF bypass indicators that suggest a WAF is misconfigured or bypassable
  • Whether static assets (CDN-served) bypass WAF protection
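The header-and-cookie fingerprinting described in the first two bullets, as an added example written for this page rather than SecurityStatus's own scanner; the signature table is a small constructed subset of well-known vendor markers, and the sample responses are constructed:

```python
"""Fingerprint a WAF/CDN edge from an HTTP response's headers and cookies.

Illustrative code, not the SecurityStatus implementation. Real scanners use far
larger signature sets and also inspect block-page bodies and status codes.
"""

# (vendor, header name in lowercase, substring required in the value; "" = presence only)
HEADER_SIGNATURES = [
    ("Cloudflare", "cf-ray", ""),
    ("Cloudflare", "server", "cloudflare"),
    ("Akamai", "server", "akamaighost"),
    ("Akamai", "x-akamai-transformed", ""),
    ("Imperva", "x-iinfo", ""),
    ("Imperva", "x-cdn", "incapsula"),
    ("Sucuri", "x-sucuri-id", ""),
    ("Sucuri", "server", "sucuri"),
    ("ModSecurity", "server", "mod_security"),
]
# (vendor, cookie-name prefix) for cookies the edge sets on every response
COOKIE_PREFIXES = [
    ("Cloudflare", "__cf"),
    ("Imperva", "incap_ses_"),
    ("Imperva", "visid_incap_"),
]


def fingerprint_waf(headers: dict) -> list[str]:
    """Return the sorted vendor names whose markers appear in `headers`.

    `headers` maps header names to values; multiple Set-Cookie headers are
    passed joined with "\n". Names and values are matched case-insensitively.
    An empty result means no marker was seen, not that no WAF is present.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    found = set()
    for vendor, name, needle in HEADER_SIGNATURES:
        value = norm.get(name)
        if value is not None and needle in value.lower():
            found.add(vendor)
    for raw in norm.get("set-cookie", "").split("\n"):
        cookie_name = raw.split("=", 1)[0].strip().lower()  # name precedes first '='
        for vendor, prefix in COOKIE_PREFIXES:
            if cookie_name.startswith(prefix):
                found.add(vendor)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample response as a Cloudflare-fronted site might return it.
    sample = {"Server": "cloudflare", "CF-RAY": "0000000000000000-AMS",
              "Set-Cookie": "__cf_bm=constructed; Path=/; HttpOnly"}
    print(fingerprint_waf(sample))  # → ['Cloudflare']
```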

Why This Matters

A WAF is a critical layer of defence, especially for web applications that cannot be patched immediately. It can block exploitation attempts against known CVEs while patches are prepared. Without a WAF, every web vulnerability in your application code is directly exploitable from the internet.

How to Fix It

  1. Deploy a WAF if you do not have one

     Cloudflare offers a free WAF tier that is easy to enable. AWS WAF integrates with CloudFront and ALB. Sucuri WAF is popular for WordPress sites. Any WAF is better than none.

  2. Enable OWASP Core Rule Set

     All major WAF products support the OWASP Core Rule Set (CRS), which blocks the OWASP Top 10 attack categories. Enable it in detection mode first, review false positives, then switch to blocking mode.

  3. Do not treat WAF as the only defence

     A WAF is a compensating control, not a substitute for secure code. Attackers can often bypass WAFs with encoding tricks. Fix vulnerabilities in your code even if the WAF is blocking them.

  4. Ensure all traffic goes through the WAF

     A WAF only protects traffic that passes through it. Make sure your origin server is not directly accessible by IP, bypassing the WAF. Use security groups to allow traffic only from the WAF's IP ranges.

Frequently Asked Questions

Does a WAF make my site completely safe?
No. WAFs can be bypassed. They reduce risk but are not a complete solution. Secure coding practices, patching, and proper server configuration are all necessary alongside a WAF.
Is Cloudflare's free WAF sufficient?
For most small to medium sites, yes. The free Cloudflare WAF with managed rulesets blocks most common attacks. Larger organisations with compliance requirements may need the Pro tier with additional rulesets.
Can SecurityStatus detect all WAFs?
We detect most major WAF solutions by their response signatures. Some WAFs deliberately hide their identity. Not detecting a WAF does not definitively mean there is none — it means we could not confirm one.
