• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Web Application Firewall Evaluation Criteria

Page history last edited by Tony Turner 8 years, 9 months ago

Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.


As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop a standardized criteria for WAFs evaluation. The Web Application Firewall Evaluation Criteria Project (WAFEC) serves two goals:


  • Help stakeholders understand what a WAF is and its role in protecting web sites.
  • Provide a tool for users to make an educated decision when selecting a WAF.


WAFEC is a joined project between The Web Application Security Consortium (WASC) and OWASP making sure the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensure WAFEC is comprehensive, accurate and objective.


The first version of WAFEC was released in 2006 and is in wide use in the industry. In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC as outlined in the 2013 OWASP AppSecEU presentation WASC/OWASP WAFEC this project was sidelined until earlier this year (2015) when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project and plan to release it in the second half of 2016. If you want to join the contributors join the the mailing list and chime in when you feel ready.


RECENT UPDATE - We will also be conducting a WAFEC Project Workshop at AppSecUSA in San Francisco the week of September 21, 2015. More details TBA. Check this space for info or join the mailing list and details will be announced there.


If you have any other question or idea, please contact WAFEC project leader Tony Turner.


Quick Links:




Get WAFEC 1.0


WAFEC 1.0 is available in several formats: PDF versionHTML Version and Text Version


Please note that WAFEC, like all other WASC projects, is distributed under the creative common license. Please respect this license. Particularly note that the license requires that if you use the information you attribute it to WASC and WAFEC.


WAFEC Response Matrix 1.0


Download WAFEC response matrix


The WAFEC response matrix translates WAFEC into an easy to use standardized tool. WAFEC response matrix breaks WAFEC into specific numbered questions and explain how to address each question. The matrix is intended for both vendors and WAF evaluators. Vendors can provide detailed information about their products compliance to WAFEC by filling in this document while evaluators can use the document to compare different products.


Usage guidelines:

  • To evaluate several products list them on the 1st tab in the spreadsheet  and use one column for each product in the following tabs.
  • The product columns specify how to answer each question:
    • Yes/No - answer either yes or no.
    • Yes/No/NA - answer either yes or no, or NA if the question is not applicable to the product.
    • Specify - enter a value, many times numeric, to answer the question.
    • List - specify all the applicable values.
    • Describe - provide a descriptive text as an answer or point to an external resource or attachment.
    • In all cases an remarks can be added in the following column.
  • WAFEC 1.0 is not a minimum criteria for WAFs. Not supporting a feature does not disqualify a product. Some features may not be relevant to certain environment or to specific needs.
  • The answer N/A does not imply lack of support for a feature, but that the feature is not relevant for a product. For example a feature may be related to a deployment mode not supported by the product.


Join the WAFEC 2.0 effort


The WAFEC team is working on the next version of WAFEC. for more details refer to the WAFEC 2.0 page.


WAFEC is copyrighted © 2006-2012 Web Application Security Consortium (http://www.webappsec.org).

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ [http://creativecommons.org/ licenses/by/2.5/] or send a letter to: Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Comments (0)

You don't have permission to comment on this page.