Web application firewalls have become a necessity.

Every year, millions of businesses lose their data to hackers. With companies investing time and money in other functions, security at times take a back seat.

According to the 2018 Hiscox Cyber Readiness Report, majority of organizations are unprepared (cyber novices) and would be seriously impacted by a cyberattack.

While a majority of these businesses have web scanning tools, they fail to patch the loopholes. That’s exactly where web application firewalls come in.

Now, commercial WAFs can be expensive and not all businesses can afford them. Here are some of the open source or free solutions that you can use to create a defense system of your own.

Vulnerability Scan + WAF + CDN

The known open-source WAF from Mister Scanner offers a package of WAF, CDN, Scan, and Security Expert.

1. ModSecurity

ModSecurity is the leader in WAF industry offering real-time web application monitoring, logging, and access control. Their open-source community is based on the belief that users should be able to mold their web application firewall the way they want it.

  • Real-time application security monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening
  • Flexibility to develop and write rules

ModSecurity supports two deployment options: embedded and reverse proxy deployment. However, there are no fancy interfaces with this WAF. You might want to use WAF-FLE for visibility.

2. AQTRONiX WebKnight

Promoted as the universal web application security sensor intended for real-time monitoring and defense over IIS, AQTRONIX WebKnight is perfect for developers to build something simple and yet effective. This WAF scans all the requests and blocks certain based on predefined rules. It is compatible with Frontpage Extensions, WebDAV, Flash, Cold Fusion, Outlook Web Access, Outlook Mobile Access, SharePoint and several others.

  • Run-time update
  • Blocks bots
  • SSL support
  • Custom rules

This firewall is perfect for small businesses with a tight development team.


NAXSI is one of the most popular reverse proxy firewalls with simple rules and absolutely minimal maintenance to begin with.

However, it is not an extensive option given that this open source WAF is only effective against common attacks like Cross-Site Scripting and SQL Injection.

  • Effective against XSS and SQLi
  • Low runtime processing
  • Minimal custom rules
  • Difficult to understand

NAXSI is an Nginx module in charge of performing web application firewalling.

4. Shadow Daemon

On the face, Shadow Daemon is a single WAF tool but it actually does much more than that. It intercepts requests and filters out malicious parameters. Essentially, it is a powerful tool to detect, record, and block attacks so you can learn from the attacks to harden rules in the future.

The current version of this tool supports:

  • PHP
  • Perl




  • Python





It can block attacks like:

  • SQL injections
  • XML injections
  • Code injections
  • Command injections
  • Cross-site scripting
  • Local/remote file inclusions
  • Backdoor access

It is a perfect tool for companies that want to run their own extensive firewall.

5. lua-resty-waf

Written for OpenResty stack, lua-resty-waf uses NGINX and its scalable infrastructure to compete with ModSecurity. It is a powerful alternative on the OpenResty architecture with features to write your own rules.

  • Analyze HTTP request or response for anomalous behaviors
  • Powerful protection against brute force
  • Behavioral study
  • Anti-data harvesting

The performance of this open-source WAF matches that of Cloudflare at process transactions of 300-500 microseconds per request.


Vulture is one of the lesser-know WAFs with the ability to stop most common web attacks. It works on reverse-proxy and load distribution to ensure that anomalies are promptly detected and stopped.

  • Authenticate users
  • Block XSS, SQL Injection, and Malware before they reach your web applications
  • HA proxy
  • Custom filtering policies

However, most of the support documents for this web application firewall are in French and not comprehensible for all.

7. Raptor WAF

Made in C language, Raptor WAF has only be tested on Linux and little is known about its Beta Version. It is capable of blocking common XSS and SQL Injection attacks and you can even blacklist IPs.

  • Get or Post
  • Effective against XSS and SQLi
  • Tested on Linux

Raptor WAF also works on reverse proxy.Commercial Options

Developing, customizing and managing open source web application firewalls is difficult. Businesses often find it better to invest in low-cost WAFs with cleaner interface and automation. With the rise of AI and Machine Learning in the industry, it is better to have collective intelligence. Here are some of the options that you can also consider:

  1. Cloudflare
  2. Imperva
  3. Amazon
  4. F5