---
type: "term"
title: "WAF (Web Application Firewall)"
description: "A security control that monitors, filters, and blocks HTTP traffic to and from a web application."
resource: "tlctc:term:waf-web-application-firewall"
tags:
  - "glossary"
---
# WAF (Web Application Firewall)

A security control that monitors, filters, and blocks HTTP traffic to and from a web application. In TLCTC: WAF is an **Umbrella Control** primarily targeting `#2 Exploiting Server` — it provides a protective layer against common server-side exploitation techniques (SQL injection, XSS, etc.) for web applications within its scope. WAFs cannot protect against all threat clusters and should be part of a defense-in-depth strategy.
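To make the definition concrete, the following Python is an added illustrative example (not TLCTC's own code and not taken from any WAF product). It models the three things the definition names: an in-scope check (the WAF only sees traffic routed through it), signature rules for the server-side exploitation patterns mentioned above, and a decision that blocks, allows, or passes each request. The path prefixes, rule set, and sample requests are all constructed for the example; the final two samples show why the control is an umbrella rather than a complete defense, since an out-of-scope host and a business-logic flaw both sail past it.

```python
import re
from urllib.parse import unquote_plus

# Path prefixes the hypothetical WAF is deployed in front of (constructed for this example).
# Traffic to anything else never passes through the control, so it is neither inspected
# nor protected.
PROTECTED_PREFIXES = ("/app/",)

# Hypothetical signature rules, evaluated in order. Production rule sets (e.g. OWASP CRS)
# are far larger and tuned against false positives; these only show the mechanism.
RULES = {
    "sqli-tautology": re.compile(r"(['\"])\s*or\s+\1?\d+\1?\s*=\s*\1?\d+", re.I),
    "sqli-comment": re.compile(r"(--|/\*)"),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "xss-event-handler": re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I),
}


def normalize(value: str) -> str:
    """Decode a value the way the origin application would before matching rules.

    Two rounds of URL-decoding are applied so a double-encoded value is matched in the
    form the application actually receives; matching only the raw wire bytes would
    leave a gap between what the WAF sees and what the server executes.
    """
    return unquote_plus(unquote_plus(value))


def inspect(request: dict) -> dict:
    """Apply the WAF to one request and return a decision record.

    action is one of:
      "pass"  - request is outside the WAF's scope and is not inspected at all
      "block" - a rule matched; the request is dropped before reaching the application
      "allow" - in scope, no rule matched
    """
    path = request.get("path", "")
    if not path.startswith(PROTECTED_PREFIXES):
        return {"action": "pass", "rule": None, "field": None}
    for field in ("path", "query", "body"):
        text = normalize(request.get(field) or "")
        for name, pattern in RULES.items():
            if pattern.search(text):
                return {"action": "block", "rule": name, "field": field}
    return {"action": "allow", "rule": None, "field": None}


# Constructed sample traffic; no real application or payload corpus behind it.
SAMPLE_REQUESTS = {
    "benign-search": {"method": "GET", "path": "/app/search", "query": "q=shoes"},
    "sqli-in-query": {"method": "GET", "path": "/app/search", "query": "q=%27%20OR%201%3D1--"},
    "xss-in-body": {"method": "POST", "path": "/app/comment",
                    "body": "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    # Same pattern aimed at a host the WAF is not in front of: out of scope, not protected.
    "out-of-scope": {"method": "GET", "path": "/legacy/admin", "query": "q=%27%20OR%201%3D1--"},
    # A logic flaw (negative transfer amount) looks like ordinary traffic to a signature WAF.
    "logic-abuse": {"method": "POST", "path": "/app/transfer", "body": "to=acct-42&amount=-100"},
}


def run_samples() -> dict:
    """Evaluate every sample request and return {name: decision}."""
    return {name: inspect(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:15} -> {decision['action']:5} rule={decision['rule']}")
```

Running it shows the first three samples handled as the definition describes (allow, block on the SQL-injection rule, block on the XSS rule) and the last two slipping through: the request to `/legacy/admin` is never inspected because that host is outside the WAF's scope, and the negative transfer amount is allowed because no signature describes it. Those two cases are the practical reason the entry ties WAF to a defense-in-depth strategy rather than presenting it as coverage for every threat cluster.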

See also: Umbrella Controls, Exploiting Server (#2), Defense-in-Depth
