WAF Detection

Easy

Detects the presence and type of Web Application Firewall protecting the target using wafw00f.

Estimated fix time: 15-30 minutes

What is WAF Detection?

wafw00f identifies the presence and type of Web Application Firewall (WAF) protecting a website. While detecting a WAF is generally positive (it means you have one), attackers use this information to craft WAF-bypassing techniques specific to the detected product.

Security Impact

Severity: Low-Medium

  • WAF bypass techniques tailored to your specific WAF vendor
  • Identification of WAF rules for evasion
  • If no WAF detected, the application is directly exposed to attacks

Understanding the Results

WAF Detected

If wafw00f detects a WAF, this is generally good. However, you should:

  1. Ensure WAF rules are up to date
  2. Minimise WAF fingerprinting where possible
  3. Don't rely solely on the WAF — fix underlying vulnerabilities

No WAF Detected

If no WAF is detected, consider implementing one:

How to Implement a WAF

1. Cloudflare (Reverse Proxy)

The simplest approach is using Cloudflare as a reverse proxy:

  1. Add your domain to Cloudflare
  2. Update your nameservers
  3. Enable WAF rules in the Security dashboard
  4. Enable the OWASP Core Rule Set

2. AWS WAF (For AWS-Hosted Applications)

A minimal AWS WAFv2 web ACL that attaches the AWS Managed Rules Common Rule Set (the name Laravel-WAF is illustrative). Scope is REGIONAL for ALB/API Gateway-fronted applications; use CLOUDFRONT for a CloudFront distribution. DefaultAction allows traffic that no rule blocks:

{
    "Name": "Laravel-WAF",
    "Scope": "REGIONAL",
    "DefaultAction": { "Allow": {} },
    "Rules": [
        {
            "Name": "AWSManagedRulesCommonRuleSet",
            "Priority": 1,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": "AWSManagedRulesCommonRuleSet"
                }
            },
            "OverrideAction": { "None": {} },
            "VisibilityConfig": {
                "SampledRequestsEnabled": true,
                "CloudWatchMetricsEnabled": true,
                "MetricName": "CommonRuleSet"
            }
        }
    ],
    "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "LaravelWAF"
    }
}

3. ModSecurity (Self-Hosted)

# Nginx with ModSecurity (libmodsecurity + the ModSecurity-nginx connector)
# load_module must sit in the main context at the top of nginx.conf
load_module modules/ngx_http_modsecurity_module.so;

server {
    listen 443 ssl;
    server_name example.com;   # placeholder: your application's hostname

    modsecurity on;
    # main.conf should include the ModSecurity base configuration and the OWASP Core Rule Set
    modsecurity_rules_file /etc/nginx/modsecurity/main.conf;
}

4. Laravel-Level Protection

Even with a WAF, implement application-level security:

// Rate limiting: at most 60 requests per minute per client for these routes
Route::middleware('throttle:60,1')->group(function () {
    // Your routes
});

// Input validation: reject malformed input before it reaches application logic
$validated = $request->validate([
    'name' => 'required|string|max:255',
    'email' => 'required|email',
]);

Reducing WAF Fingerprinting

If you want to make your WAF harder to identify:

# Remove WAF-specific headers from upstream responses
# Note: proxy_hide_header only strips headers received from the upstream behind this nginx;
# headers added by an edge proxy in front of nginx are unaffected
proxy_hide_header X-CDN;
proxy_hide_header CF-Cache-Status;
proxy_hide_header CF-RAY;
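To confirm that the headers above were actually removed (the same check is useful in the Verification step), here is an added Python example that is not part of this guide: it parses a raw HTTP response header block, reports any header that still identifies the WAF/CDN, and can fetch live headers from your own origin. The function names and the sample responses are assumptions constructed for the example.

```python
# Added example: verify that WAF/CDN-identifying response headers are hidden.
import http.client
from urllib.parse import urlparse

# Header names from this guide's proxy_hide_header block; compared case-insensitively.
HIDE_HEADERS = {"x-cdn", "cf-cache-status", "cf-ray"}
# Server header values that name the vendor outright (Cloudflare sets "Server: cloudflare").
VENDOR_SERVER_VALUES = {"cloudflare"}


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response (status line + headers) into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # ignore malformed lines instead of failing the whole check
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def fingerprint_headers(headers: list[tuple[str, str]]) -> dict[str, str]:
    """Return the headers that still identify the WAF/CDN; an empty dict means nothing leaked."""
    leaked = {}
    for name, value in headers:
        key = name.lower()
        if key in HIDE_HEADERS or (key == "server" and value.lower() in VENDOR_SERVER_VALUES):
            leaked[key] = value
    return leaked


def fetch_response_headers(url: str, timeout: float = 10.0) -> list[tuple[str, str]]:
    """HEAD your own origin and return its response headers (needs network access)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured traffic): before and after hiding the headers.
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: cloudflare\r\n"
          b"CF-RAY: <placeholder>\r\nCF-Cache-Status: DYNAMIC\r\nX-CDN: example\r\n\r\n")
AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, fingerprint_headers(parse_response_headers(raw)) or "no WAF headers leaked")
```

Run against a live origin with `fingerprint_headers(fetch_response_headers("https://example.com/"))`; an empty result means none of the listed headers reach the client.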

Verification

After implementing a WAF, wafw00f should detect its presence. The goal is to have a properly configured WAF while ensuring your application is also secure at the code level.


Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
