Open Source Web Application Firewalls

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. Below we have listed some of the best free WAF solutions for your consideration.


ModSecurity

ModSecurity is one of the most popular web application firewalls, and it supports Apache HTTP Server, Microsoft IIS, and Nginx.

ModSecurity will be helpful if you are looking for the following:

  • Cross-site scripting protection
  • Trojan protection
  • Information leakage protection
  • SQL injection protection
  • Common web attacks protection
  • Malicious activity monitor

ModSecurity doesn’t have a graphical interface; if you are looking for one, you may consider using WAF-FLE. It lets you store, search, and view events in a console.


IronBee

IronBee is a next-generation open source web application firewall engine, designed to be modular, portable, and efficient, and to give you the tools you need to defend sites from attack. IronBee is not available as a binary package yet, so you have to compile it from source. It has been tested on the following operating systems:

  • CentOS
  • Fedora
  • Ubuntu
  • OS X

It’s a highly portable and very lightweight web security framework.


NAXSI

NAXSI is a third-party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities.

Contrary to most Web Application Firewalls, Naxsi doesn’t rely on a signature base like an antivirus, and thus cannot be circumvented by an “unknown” attack pattern.

NAXSI filters only GET and PUT requests, and the default configuration acts as a DROP-by-default firewall, so you have to add ACCEPT rules for your application to work properly.


WebKnight

WebKnight WAF is an application firewall for IIS and other web servers and is released under the GNU General Public License.

More specifically, it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered, WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules set by the administrator. WebKnight is useful for dealing with the following:

  • Buffer overflows
  • Directory traversals
  • Character encoding
  • SQL injections
  • Blocking bad robots
  • Hotlinking
  • Brute force

Shadow Daemon

Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates the web application, analysis, and interface to increase security, flexibility, and expandability.

It can detect the following attacks:

  • SQL injection
  • XML injection
  • Code injection
  • Command injection
  • XSS
  • Backdoor access
  • Local/remote file inclusion