Learn the vocabulary of inspecting and blocking a malicious HTTP request before it reaches the app.
1 / 5
At standup, a dev mentions a layer that inspects incoming HTTP requests against known attack signatures, like SQL injection patterns, and blocks a malicious one before it ever reaches the application. What is this layer called?
A Web Application Firewall, or WAF, inspects incoming HTTP requests against known attack signatures, such as a SQL injection pattern, and blocks a malicious one before it ever reaches the application. A load balancer distributes traffic across backend instances but has no built-in inspection of a request's content for a malicious pattern. This signature-based inspection, applied at the edge in front of the app (typically as a reverse proxy), is what lets a WAF catch a known attack pattern before it can touch application code. The caveat is that a signature only catches what it was written for: the WAF has to decode the request (URL encoding, for example) before matching, and an attacker who finds an encoding or variant the signature does not cover gets through.
2 / 5
During a design review, the team wants to test a newly written WAF rule by only logging what it would have blocked, without actually blocking any real traffic yet. Which capability supports this?
A detection-only, or log, mode lets the team see exactly what a newly written WAF rule would have blocked, without actually blocking any real traffic while the rule is still being validated (products name this differently; AWS WAF calls the rule action Count, ModSecurity calls the engine setting DetectionOnly). Deploying every new rule directly into blocking mode risks disrupting legitimate traffic the moment an imperfect rule goes live. This detection-only mode is what lets a team validate a rule's behavior against real traffic, checking each logged hit against known-legitimate requests, before trusting it to enforce anything.
3 / 5
In a code review, a dev notices a custom WAF rule added specifically to block an attack pattern that showed up in the application's own logs, beyond whatever a generic managed rule set already covers. What does this represent?
A custom rule extends the WAF's managed rule set to cover an attack pattern that is specific to one particular application, a pattern the generic managed rule set was never written to anticipate. Here the evidence came from the application's own logs, which is the right source: a custom rule should be written against an attack actually observed, with its pattern kept narrow enough not to catch legitimate requests. Relying only on the generic managed rule set leaves exactly that kind of application-specific pattern unaddressed. This ability to layer a custom rule on top of a managed set is what lets a WAF adapt to the real attacks a specific application actually faces.
4 / 5
An incident report shows legitimate customer traffic was blocked for several hours because a newly written WAF rule was deployed straight into blocking mode without first running it in detection-only mode to see what it would have flagged. What practice would prevent this?
Running every new WAF rule in detection-only mode first, and reviewing what it would have blocked against traffic known to be legitimate, catches a false positive before the rule is ever allowed to enforce blocking. Deploying a rule directly into blocking mode with no such validation is exactly what caused the hours-long outage for legitimate customers in this incident. This detection-first workflow is a standard safeguard for rolling out any new WAF rule, and it pairs with two more: promote to blocking only once the logged hits are all confirmed attacks, and keep a quick path to drop the rule back to log mode if blocking starts hitting real users.
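The four ideas above (signature inspection, a log-only mode, a custom rule layered on a managed set, and dry-running a rule before enforcing it) fit in one small Python model. This is an added example written for this page, not code from any WAF product; the rule ids, the "managed" signatures and the sample traffic are all constructed here for illustration. The naive custom rule is deliberately too broad so the dry run surfaces the false positive that a straight-to-block deployment would have turned into an outage.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Rule:
    rule_id: str          # hypothetical identifier, not a vendor rule id
    description: str
    pattern: re.Pattern
    mode: str = "block"   # "block" enforces; "log" is detection-only


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Verdict:
    action: str = "allow"
    matched: list = field(default_factory=list)   # (rule_id, mode) for every rule that fired


# Constructed stand-in for a generic managed rule set: a few broad signatures, not any vendor's list.
MANAGED_RULES = [
    Rule("m-sqli-001", "quote + OR tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    Rule("m-sqli-002", "UNION SELECT", re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b")),
    Rule("m-lfi-001", "path traversal", re.compile(r"\.\./")),
]


def inspect_request(request, rules):
    """Decode the request fields once, then run every rule over the decoded text.

    Decoding first matters: a signature that only sees raw bytes is bypassed by %27 for a quote.
    A rule in "log" mode records its match but never changes the verdict.
    """
    surface = "\n".join(unquote_plus(part) for part in (request.path, request.query, request.body))
    verdict = Verdict()
    for rule in rules:
        if rule.pattern.search(surface):
            verdict.matched.append((rule.rule_id, rule.mode))
            if rule.mode == "block":
                verdict.action = "block"
    return verdict


def dry_run(candidate, traffic, baseline_rules):
    """Replay recorded traffic with the candidate forced into log mode.

    Returns the requests the candidate would newly block, i.e. those the baseline rules already allow.
    """
    trial = Rule(candidate.rule_id, candidate.description, candidate.pattern, mode="log")
    return [
        req for req in traffic
        if inspect_request(req, baseline_rules).action == "allow" and inspect_request(req, [trial]).matched
    ]


def decide_mode(candidate, traffic, baseline_rules, known_attacks):
    """Promote a candidate to block mode only if every request it would newly block is a confirmed attack."""
    hits = dry_run(candidate, traffic, baseline_rules)
    false_positives = [req for req in hits if req not in known_attacks]
    mode = "block" if hits and not false_positives else "log"
    return mode, false_positives


# Constructed sample traffic (not captured from any real system).
TRAFFIC = [
    Request("GET", "/api/search", "q=sleep+tracker"),                 # legitimate product search
    Request("GET", "/api/search", "q=running+shoes"),                 # legitimate
    Request("GET", "/api/search", "q=1%27+AND+sleep(5)--"),           # time-based SQLi probe seen in app logs
    Request("GET", "/login", "user=admin%27+OR+%271%27%3D%271"),      # classic tautology, managed rule territory
    Request("GET", "/files", "name=..%2F..%2Fetc%2Fpasswd"),          # traversal, managed rule territory
    Request("POST", "/api/login", "", "user=bob&pass=hunter2"),       # legitimate
]
KNOWN_ATTACKS = [TRAFFIC[2], TRAFFIC[3], TRAFFIC[4]]

# Custom rules written for the sleep() probe the managed set misses: a too-broad first draft and a refined one.
NAIVE_CUSTOM = Rule("c-app-001", "any 'sleep' in a request", re.compile(r"(?i)sleep"))
REFINED_CUSTOM = Rule("c-app-001", "sleep(<n>) call", re.compile(r"(?i)\bsleep\s*\(\s*\d+"))


if __name__ == "__main__":
    for req in TRAFFIC:
        print(req.path, req.query or req.body, "->", inspect_request(req, MANAGED_RULES).action)
    for candidate in (NAIVE_CUSTOM, REFINED_CUSTOM):
        mode, fps = decide_mode(candidate, TRAFFIC, MANAGED_RULES, KNOWN_ATTACKS)
        print(candidate.description, "->", mode, "false positives:", [r.query for r in fps])
```

Running it shows the managed set blocking the tautology and traversal requests while letting the `sleep(5)` probe through, which is the gap the custom rule exists for. The naive draft stays in log mode because the dry run flags the legitimate "sleep tracker" search as a would-be block; the refined draft hits only the confirmed probe and is promoted. In a real rollout the "recorded traffic" is the WAF's own detection-mode log over a validation window, and `known_attacks` is whatever the team has triaged as genuine.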
5 / 5
During a PR review, a teammate asks why the team puts a WAF in front of the application instead of relying solely on the application's own input validation to catch a malicious request. What is the reasoning?
Application-level input validation only covers the specific inputs a developer anticipated when writing that particular endpoint, leaving a gap at any endpoint that has not been reviewed as carefully. A WAF provides a centralized layer that can catch a known attack signature across every endpoint uniformly, including one that has not received the same scrutiny, and it can be updated for a newly published attack pattern faster than every affected endpoint can be patched. The tradeoff is that a WAF is a defense-in-depth layer, not a replacement for fixing the underlying application-level vulnerability: signature matching can be evaded by encodings and variants the rule does not anticipate, so a SQL injection flaw behind the WAF is still a flaw that must be fixed in the code.