Web Application Firewall (WAF)
A Web Application Firewall (WAF) helps inspect API traffic for common web attacks before requests reach your upstream services. In API7 Gateway, WAF is best treated as one layer in a defense-in-depth model alongside authentication, authorization, rate limiting, logging, and secure credential management.
WAF protects published API traffic on the data plane. It is different from platform security controls such as Control Plane IP restrictions, audit logs, and credential storage hardening.
When to use WAF
WAF is most useful when you need to protect HTTP APIs that are exposed to untrusted clients, especially for:
- Public or partner-facing APIs on the internet.
- Applications that handle sensitive customer or business data.
- Environments that need protection against common attack classes such as SQL injection, cross-site scripting (XSS), and malicious payload probing.
- Teams that want a dedicated security layer in front of upstream services without pushing all filtering logic into application code.
What WAF does and does not do
A WAF complements API gateway controls, but it does not replace them.
| Control | Primary purpose |
|---|---|
| WAF | Inspect requests for malicious patterns and block or monitor suspicious traffic. |
| Authentication | Verify who the client is. |
| ACLs and permission policies | Decide which authenticated clients are allowed to access which APIs. |
| Rate limiting | Protect services from abuse, bursts, and excessive request volume. |
| Data masking | Prevent sensitive request data from being exposed in logs. |
Use WAF when the problem is threat inspection. Use auth, ACLs, and rate limiting when the problem is identity, authorization, or abuse control.
WAF in API7 Gateway today
API7 Gateway provides a direct WAF integration path through the chaitin-waf plugin for Chaitin WAF (SafeLine).
With this model:
- API7 Gateway forwards matching requests to the WAF service for inspection.
- The WAF service decides whether the request should pass or be rejected.
- You can run in
monitormode first to observe detections before switching toblockmode. - Shared WAF connection settings are configured through plugin metadata, while enforcement is enabled where you attach the plugin.
This lets you add WAF protection at the gateway layer without changing upstream applications.
API7 Gateway runtime also supports generic wasm plugins. This allows WASM-based WAF integrations, such as Coraza through coraza-proxy-wasm, for advanced deployments.
This approach is different from chaitin-waf:
- You load the WASM module in gateway runtime configuration.
- You attach the resulting plugin to routes, services, or other supported scopes like other gateway plugins.
- You manage the WAF module artifact and its configuration yourself.
Coraza can be integrated through the Gateway's WASM extension mechanism, but it is not documented in the current docs set in the same way as chaitin-waf.
Recommended rollout approach
- Start with internet-facing routes and high-value APIs.
- Use
monitormode first to understand what the WAF flags in real traffic. - Review detections with your application and security teams to tune rules and reduce false positives.
- Move selected APIs to
blockmode once the policy is understood. - Keep WAF alongside authentication, ACLs, and rate limiting rather than using it as a standalone security control.
Implementation guidance
Use the path that matches your deployment model:
- Chaitin WAF (SafeLine) plugin reference for direct integration with API7 Gateway.
- WASM-based WAFs such as Coraza if you are comfortable managing a Proxy-WASM module as part of the gateway runtime. For background on that approach, see the APISIX guide Integrate with Coraza.
If you are preparing a production rollout, include WAF in the broader security review for your deployment rather than treating it as an isolated feature.
Next Steps
- Running in Production - review the production security checklist.
- Access Control Lists - restrict which consumers can call protected APIs.
- Configure Data Masking - keep sensitive request data out of logs.
- Chaitin WAF (SafeLine) plugin reference - configure WAF protection with
chaitin-waf.