WAF Best Practices

Working session to crowdsource best practices for deploying and managing Web Application Firewalls.


Web Application Firewalls require the skills and knowledge of Network, Security, and Application subject matter experts. These teams need to collaborate on WAF configurations to ensure that business, operational, and security requirements are all met with minimal impact to the business and its customers. In practice this is hard to achieve: the team managing the WAF should be involved in application projects from day one, but it is often forgotten until the end of a project.


  • Planning
    • Requirements & Expectations
    • Team Dynamics & Route to Live
  • Architecture & Setup
    • Deployment Architecture & Failure Modes
    • Security Models, Web Services & Applications
  • On boarding
    • Profiling & Application Protection
    • Vulnerability Scanning & Mitigation
  • BAU Maintenance
    • Logging, Reporting, Housekeeping & Tuning


Anyone deploying a WAF, managing a WAF, or working within environments where a WAF has already been deployed.


Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions).

Current versions by OWASP German Chapter (which are now 9 years old) are linked below.


  • https://www.owasp.org/index.php/Projects/OWASP_Best_Practices:_Use_of_Web_Application_Firewalls (project page)
  • https://www.owasp.org/images/1/1b/Best_Practices_Guide_WAF.pdf (German)
  • https://www.owasp.org/images/b/b0/Best_Practices_WAF_v105.en.pdf (English)
