BUYER'S GUIDE | APPLICATION SECURITY

WAF vs. API Gateway Security: What Your Application Stack Actually Needs

Sources: Gartner Magic Quadrant for Web Application and API Protection 2025 | OWASP API Security Top 10 2023 | F5 Application Threat Intelligence Report 2025 | Cloudflare Application Security Report 2025 | Akamai State of the Internet Security Report 2025
68% of enterprise web traffic is now API traffic rather than browser-based page requests
94% of organizations experienced an API security incident in the past 12 months
3x higher attack volume against APIs compared to traditional web applications in 2025

A web application firewall (WAF) was designed for browser-based web applications: it inspects HTTP requests for known attack patterns (SQL injection, XSS, command injection) and blocks malicious traffic. An API gateway manages API traffic: it handles authentication, rate limiting, routing, and transformation for REST and GraphQL APIs. As applications shifted from serving HTML pages to serving API responses, the WAF's role evolved but its design assumptions did not always keep pace. Understanding what each tool actually protects is the prerequisite for identifying where your application security has gaps.

What a WAF Does

A WAF usually runs as an inline reverse proxy between clients and the web application, though it can also be deployed as a web-server module (ModSecurity is the common open-source example) or, for detection only, out of band on a traffic mirror. It inspects HTTP/HTTPS request parameters, headers, body, and URI path for attack patterns defined in its ruleset. Core WAF capabilities:

Signature-based attack detection

Block requests matching known attack signatures: SQL injection, XSS, command injection, path traversal, and other OWASP Top 10 exploitation patterns. Matching works on request syntax alone, so the engine has no notion of who is asking or whether that caller is entitled to the resource.

IP reputation filtering

Block requests from known malicious IP addresses, Tor exit nodes, and VPN providers commonly used for anonymous attack traffic. This is a coarse control: it removes commodity scanners and known-bad infrastructure, but it also blocks legitimate users behind shared VPN egress, and a targeted attacker simply rotates through residential proxies.

Rate limiting and bot management

Identify and limit automated traffic (credential stuffing, scraping, application-layer DDoS) based on request rate and behavioral signals such as client fingerprinting and JavaScript challenges. WAF-side limits are usually keyed by source IP rather than by API consumer, which is why the gateway's per-consumer limits described below are a separate control.

Virtual patching

Block exploitation of a known vulnerability in application code at the WAF until the development team ships a permanent fix, typically by denying a specific value pattern on a specific parameter of a specific path. Particularly valuable for third-party or legacy applications that cannot be patched quickly. A virtual patch is a stopgap and should be tracked to closure like the underlying bug, or it quietly becomes the only fix.

TLS termination and inspection

Terminate TLS connections, inspect decrypted traffic for threats, and re-encrypt before forwarding to application servers. Because the WAF holds the server's private key and sees plaintext, its own hardening (cipher configuration, key storage, redaction of credentials and tokens in logs) is part of the application's security boundary.
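A signature-stage WAF reduced to its essentials, as an added example rather than any vendor's engine or code from this guide. It runs three injection-shaped requests, one virtual patch for a hypothetical template-injection bug in /legacy/export, one tuned exclusion for a search box, and one BOLA request through a first-match rule set. All rules, paths, tokens and request samples are constructed for the illustration; real rule sets such as the OWASP Core Rule Set normalise input first and score anomalies rather than matching once.

```python
"""Signature-stage WAF over constructed requests (added illustration, not vendor code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlparse

# Tiny rule set in the spirit of the OWASP Core Rule Set; real rule sets are far
# larger, normalise input first, and combine hits through anomaly scoring.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(load|error|click)\s*=)"),
    "traversal": re.compile(r"(?i)(\.\./|%2e%2e%2f)"),
    "cmdi": re.compile(r"(?i)(;|\|\||&&)\s*(cat|id|whoami|wget|curl)\b"),
}

# Virtual patch (hypothetical): /legacy/export has a template-injection bug in
# 'template' that no generic signature covers and cannot be fixed this week, so
# only a safe character set is accepted on that one parameter.
VIRTUAL_PATCHES = [
    {"path": "/legacy/export", "param": "template", "deny": re.compile(r"[^A-Za-z0-9_-]")},
]

# Exclusion found while tuning in log mode: free-text search legitimately contains SQL words.
EXCLUSIONS = [{"path": "/api/search", "location": "query:q", "rule": "sqli"}]


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def _fields(req):
    """Yield (location, value) pairs the WAF inspects: path, query, headers, body."""
    u = urlparse(req.url)
    yield "path", unquote(u.path)
    for k, values in parse_qs(u.query, keep_blank_values=True).items():
        for v in values:
            yield f"query:{k}", v
    for k, v in req.headers.items():
        yield f"header:{k.lower()}", v
    if req.body:
        yield "body", req.body


def _excluded(path, location, rule):
    return any(e["path"] == path and e["location"] == location and e["rule"] == rule
               for e in EXCLUSIONS)


def inspect(req):
    """Return ('block', reason) on the first matching rule, else ('allow', '')."""
    u = urlparse(req.url)
    for vp in VIRTUAL_PATCHES:
        if u.path == vp["path"]:
            for v in parse_qs(u.query).get(vp["param"], []):
                if vp["deny"].search(v):
                    return "block", f"virtual-patch:{vp['path']}:{vp['param']}"
    for location, value in _fields(req):
        for name, rx in SIGNATURES.items():
            if rx.search(value) and not _excluded(u.path, location, name):
                return "block", f"{name}@{location}"
    return "allow", ""


# Constructed traffic: three attacks, one virtual-patch hit, one tuned false
# positive, one BOLA attempt.
SAMPLES = {
    "sqli": Request("GET", "/api/products?q=' OR 1=1 --"),
    "xss": Request("POST", "/api/comments", body='{"text": "<script>alert(1)</script>"}'),
    "cmdi": Request("POST", "/api/ping", body="host=127.0.0.1;cat /etc/passwd"),
    "vpatch": Request("GET", "/legacy/export?template={{7*7}}"),
    "search": Request("GET", "/api/search?q=trade union to select leaders"),
    # User 1234 reads user 5678's orders: syntactically clean, so the WAF passes it.
    "bola": Request("GET", "/api/users/5678/orders",
                    headers={"Authorization": "Bearer token-for-user-1234"}),
}


def run_samples():
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:7} -> {verdict}")
```

The BOLA sample is the point: it is the only request in the set that would actually harm a user, and it is the one the WAF passes, because nothing in its syntax distinguishes it from the owner's own request.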

What an API Gateway Does

An API gateway is a reverse proxy purpose-built for API traffic management. Security capabilities of an API gateway:

Authentication and authorization enforcement

Validate API keys, OAuth access tokens (JWT signature, issuer, audience, and expiry checks), and mutual TLS (mTLS) client certificates before a request reaches backend services. A classic WAF does not perform this function at all; WAAP platforms are adding it, but in most stacks the gateway remains the place where a caller's identity is established.

Rate limiting per consumer

Enforce per-client rate limits based on API key or authenticated identity, preventing any single consumer from overloading backend services or conducting brute force attacks. Limits keyed by identity survive IP rotation and distinguish one abusive consumer from the tenants sharing an egress address.

Request and response transformation

Strip sensitive headers, sanitize request parameters, and filter response data before returning to clients. Prevents accidental data exposure through verbose API responses.

Schema validation

Validate API requests against the OpenAPI specification: reject requests with unexpected parameters, invalid data types, or missing required fields. This stops type confusion and parameter pollution at the edge. It stops mass assignment only when the spec forbids unknown fields (additionalProperties: false on the request body schema); a permissive spec passes an injected is_admin field straight through to the application.

Service mesh integration

In microservices architectures the gateway fronts north-south client traffic, while a service mesh (Istio, Linkerd) enforces mTLS and authorization policy on east-west service-to-service calls. The gateway's checks do not cover the internal hops; without a mesh, a compromised service can call any other service unchecked.
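The gateway's two identity-bound checks, token validation and per-consumer rate limiting, as an added example that is not Kong, Cloudflare or AWS code. It uses HS256 with a shared secret so it runs offline, where a real gateway would normally verify RS256/ES256 signatures against the issuer's JWKS; the secret, issuer, audience, subject names and token-bucket parameters are constructed assumptions.

```python
"""Gateway stage: JWT validation, then a token bucket per authenticated consumer (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-shared-secret"     # constructed; real gateways use the issuer's JWKS
ISSUER = "https://issuer.example"         # constructed
AUDIENCE = "orders-api"                   # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, alg: str = "HS256") -> str:
    """Issue a token; alg='none' exists only to build the negative test case."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:                     # bad split, bad base64 and bad JSON all land here
        raise ValueError("malformed token")
    # Pin the algorithm: the header must never choose the verification method,
    # which is what alg=none and HS/RS key-confusion attacks rely on.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


class ConsumerRateLimiter:
    """Token bucket keyed by the authenticated consumer ('sub'), not by source IP."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}                  # consumer -> (tokens, last_seen)

    def allow(self, consumer: str, now: float) -> bool:
        tokens, last = self.buckets.get(consumer, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[consumer] = (tokens - 1 if allowed else tokens, now)
        return allowed


def gateway(token: str, limiter: ConsumerRateLimiter, now: float) -> Tuple[int, str]:
    """Authenticate first, then rate-limit per consumer. Returns (status, detail)."""
    try:
        claims = validate(token, now)
    except ValueError as e:
        return 401, str(e)
    if not limiter.allow(claims["sub"], now):
        return 429, f"rate limit exceeded for {claims['sub']}"
    return 200, claims["sub"]


def demo():
    now = 1_700_000_000.0
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1234", "exp": now + 300}
    h, _, s = mint(good).split(".")
    edited_payload = mint({**good, "sub": "admin"}).split(".")[1]
    forged = f"{h}.{edited_payload}.{s}"  # claims edited, original signature kept
    limiter = ConsumerRateLimiter(rate_per_sec=1.0, burst=3)
    results = {
        "valid": gateway(mint(good), limiter, now),
        "alg_none": gateway(mint(good, alg="none"), limiter, now),
        "expired": gateway(mint({**good, "exp": now - 1}), limiter, now),
        "wrong_aud": gateway(mint({**good, "aud": "other-api"}), limiter, now),
        "forged": gateway(forged, limiter, now),
    }
    burst = [gateway(mint(good), limiter, now)[0] for _ in range(4)]   # same consumer, same second
    other = gateway(mint({**good, "sub": "user-5678"}), limiter, now)  # different consumer
    return results, burst, other
```

Two details matter more than the rest: the algorithm is pinned in code and the header is not allowed to choose it, which is what alg=none and key-confusion attacks exploit; and the rate limit is keyed by the validated sub claim, so an abuser who rotates IP addresses still drains one bucket while other consumers behind the same egress are untouched.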


The Gap: What Neither Covers Well

Mapping the OWASP API Security Top 10 against what each tool can see shows where WAFs and API gateways each fall short when used without the other, or without controls in the application itself:

BOLA (Broken Object Level Authorization)

OWASP API1:2023. An attacker accesses another user's resources by manipulating object IDs in API requests (changing /api/users/1234/orders to /api/users/5678/orders). A WAF cannot detect this: the request is syntactically valid and carries no attack signature. A gateway can enforce only the simplest case, by binding a path parameter to a token claim (the user ID in the path must equal the token's subject); ownership of objects reached indirectly, such as an order ID that belongs to another account, is application logic and must be enforced there.

BFLA (Broken Function Level Authorization)

OWASP API5:2023. Calling admin functions as a regular user. A WAF blocks known attack signatures, not well-formed calls to privileged endpoints. An API gateway confirms the caller is authenticated but, unless it maps token roles or scopes to specific routes, does not confirm the caller is allowed to invoke that function. Role- or permission-based checks belong in the application, or at the gateway where a claim-to-route policy can express them.

Business logic attacks

Abusing valid API functionality to cause unintended outcomes: negative quantity orders, price manipulation, loyalty point inflation. No signature matches because the requests are syntactically valid, and schema validation passes them because every field has the right type. Only server-side rules that know the business (quantities must be positive, prices come from the catalogue and never from the request) catch them.
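The three gaps above enforced where they have to be, in the application handler, as an added example that is not code from this guide or from any framework. It assumes the gateway has already validated the token and passed in a principal (subject plus roles); the users, orders, catalogue prices, permission names and endpoint behaviour are constructed.

```python
"""Authorization the WAF and gateway cannot supply: object, function and business rules (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the gateway hands the handler after validating the token (constructed shape)."""
    sub: str
    roles: frozenset


# Constructed store: orders keyed by owner, a catalogue with server-side prices,
# and the permissions each role grants.
ORDERS = {
    "1234": [{"id": "o-1", "total": 42.0}],
    "5678": [{"id": "o-2", "total": 1500.0}],
}
CATALOGUE = {"sku-1": 19.99}
ROLE_PERMISSIONS = {"admin": {"users:delete", "orders:read-any"}, "user": set()}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def permissions(principal):
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))


def get_orders(principal, user_id):
    """BOLA (API1): the path names a user and the token names the caller; they must
    agree unless the caller holds a permission that spans users."""
    if principal.sub != user_id and "orders:read-any" not in permissions(principal):
        raise Forbidden("object-level: not owner")
    return list(ORDERS.get(user_id, []))


def delete_user(principal, user_id):
    """BFLA (API5): being authenticated is not enough for a privileged function;
    map the function to a permission and check the caller's roles grant it."""
    if "users:delete" not in permissions(principal):
        raise Forbidden("function-level: users:delete required")
    ORDERS.pop(user_id, None)
    return {"deleted": user_id}


def create_order(principal, body):
    """Business logic: a schema-valid body (right types everywhere) can still be wrong.
    Quantity must be positive and the price is read from the catalogue, never the client."""
    qty, sku = body.get("quantity"), body.get("sku")
    if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        raise BadRequest("quantity must be a positive integer")
    if sku not in CATALOGUE:
        raise BadRequest("unknown sku")
    if "price" in body or "total" in body:
        raise BadRequest("price is server-controlled")
    order = {"id": f"o-{principal.sub}-{len(ORDERS.get(principal.sub, [])) + 1}",
             "total": round(CATALOGUE[sku] * qty, 2)}
    ORDERS.setdefault(principal.sub, []).append(order)
    return order


def attempt(fn, *args):
    """Run a handler and map its outcome to the HTTP status the API would return."""
    try:
        return "200", fn(*args)
    except Forbidden as e:
        return "403", str(e)
    except BadRequest as e:
        return "400", str(e)


def demo():
    alice = Principal("1234", frozenset({"user"}))
    admin = Principal("9", frozenset({"admin"}))
    return {
        "own_orders": attempt(get_orders, alice, "1234"),
        "bola": attempt(get_orders, alice, "5678"),
        "admin_reads": attempt(get_orders, admin, "5678"),
        "bfla": attempt(delete_user, alice, "5678"),
        "neg_qty": attempt(create_order, alice, {"sku": "sku-1", "quantity": -3}),
        "client_price": attempt(create_order, alice, {"sku": "sku-1", "quantity": 2, "price": 0.01}),
        "valid_order": attempt(create_order, alice, {"sku": "sku-1", "quantity": 2}),
    }
```

Every request in demo() would pass a WAF (no signature) and a gateway (valid principal, well-typed body); the 403 and 400 outcomes come entirely from the handler comparing the caller to the object, the function to a permission, and the body to rules the schema cannot express.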

Platform Landscape: WAAP and Converged Platforms

Gartner coined WAAP (Web Application and API Protection) to describe the converging market. Modern WAAP platforms combine WAF capabilities with API security, bot management, and DDoS protection in a single platform. Leading WAAP platforms:

Cloudflare Application Security

WAF, API Shield (schema validation, JWT validation, per-endpoint rate limiting), bot management, and DDoS protection from a single CDN-integrated platform. Strong developer experience and broad geographic distribution. Best for: organizations wanting easy deployment with strong performance benefits.

Imperva Cloud WAF / API Security

Enterprise WAF with dedicated API discovery and protection. Automatic API discovery finds shadow APIs (undocumented endpoints receiving traffic). Strong for complex enterprise applications with large API inventories.

F5 Distributed Cloud WAAP

Enterprise-grade WAF with API security, bot management, and client-side protection. Deep integration with F5's application delivery infrastructure. Best for: enterprises with existing F5 deployments.

Akamai App and API Protector

WAF and API security delivered from Akamai's CDN. Strong performance at scale and DDoS mitigation. Adaptive security engine that learns application behavior.

AWS WAF + API Gateway

Native AWS combination for applications hosted in AWS. WAF provides rule-based filtering; API Gateway handles authentication, rate limiting, and schema validation. Low cost for AWS-native applications; less flexible than third-party platforms for complex requirements.

API Discovery: The Prerequisite

You cannot protect APIs you do not know about. Shadow APIs (undocumented endpoints that receive traffic) are the most common gap in API security programs. Most large organizations have 40 to 80 percent more API endpoints than are documented in their OpenAPI specifications. Discovery methods: passive traffic analysis (WAF or API gateway logs reduced to unique route patterns and compared with the spec), static analysis of application code and repositories for route definitions, and specialized API discovery tools (Noname Security, now part of Akamai; Salt Security; Traceable AI) that learn API behavior from traffic and build an inventory. Complete the API inventory before configuring gateway policies: protecting a subset of your APIs creates false confidence, and the unprotected remainder is exactly where an attacker looks first.
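Passive discovery from gateway access logs, as an added example that is not output from Noname, Salt or Traceable. The log lines, the log-format regex and the documented path set are constructed; the ID patterns (numeric, UUID, long hex) are the assumptions that collapse concrete URLs into route templates so the result can be diffed against the spec.

```python
"""Passive API discovery: gateway log -> route templates -> diff against the OpenAPI paths (added example)."""
import re
from collections import Counter

# Path segments that look like identifiers collapse to {id}; these are assumptions
# about this API's ID formats and should be tuned per application.
ID_PATTERNS = [
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUID
    re.compile(r"^\d+$"),                   # numeric id
    re.compile(r"^[0-9a-f]{16,}$", re.I),   # long hex token
]

# Constructed log format: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^\S+ \S+ "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3})')

# Constructed gateway log sample.
LOG = """\
10.0.0.1 [2025-01-01T10:00:00Z] "GET /api/users/1234/orders HTTP/1.1" 200
10.0.0.2 [2025-01-01T10:00:01Z] "GET /api/users/5678/orders?page=2 HTTP/1.1" 200
10.0.0.1 [2025-01-01T10:00:02Z] "POST /api/orders HTTP/1.1" 201
10.0.0.3 [2025-01-01T10:00:03Z] "GET /api/v1/internal/debug/dump HTTP/1.1" 200
10.0.0.3 [2025-01-01T10:00:04Z] "GET /api/export/3fa85f64-5717-4562-b3fc-2c963f66afa6 HTTP/1.1" 200
10.0.0.4 [2025-01-01T10:00:05Z] "DELETE /api/users/99 HTTP/1.1" 204
10.0.0.5 [2025-01-01T10:00:06Z] "GET /api/nonexistent HTTP/1.1" 404
"""

# (method, path template) pairs present in the constructed OpenAPI spec.
DOCUMENTED = {
    ("GET", "/api/users/{id}/orders"),
    ("POST", "/api/orders"),
    ("GET", "/api/users/{id}"),
}


def templatize(path):
    """Replace identifier-looking segments with {id} so /api/users/1234 and /api/users/5678 merge."""
    return "/".join("{id}" if any(p.match(seg) for p in ID_PATTERNS) else seg
                    for seg in path.split("/"))


def observed_routes(log_text):
    """Count (method, template) pairs. 404s are scanner noise, not endpoints; 401/403 are
    kept because a route that rejects anonymous callers is still a live route."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["status"] == "404":
            continue
        counts[(m["method"], templatize(m["path"]))] += 1
    return counts


def inventory_diff(log_text, documented):
    """Return (shadow routes with hit counts, documented routes with no traffic)."""
    observed = observed_routes(log_text)
    shadow = {route: n for route, n in observed.items() if route not in documented}
    dormant = documented - set(observed)
    return shadow, dormant


if __name__ == "__main__":
    shadow, dormant = inventory_diff(LOG, DOCUMENTED)
    for route, n in sorted(shadow.items()):
        print(f"SHADOW  {route[0]:6} {route[1]}  ({n} hits)")
    for route in sorted(dormant):
        print(f"DORMANT {route[0]:6} {route[1]}")
```

Both halves of the diff are useful: the shadow list (here an internal debug dump, an export route keyed by UUID, and an undocumented DELETE on a documented template) is what needs gateway policy and an owner, and the dormant list is a candidate for decommissioning, since a documented route nobody calls is still reachable by an attacker who reads the spec.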

The bottom line

A WAF blocks requests that match known attack signatures; an API gateway establishes who is calling, enforces per-consumer limits, and validates request shape; neither addresses business logic flaws or broken object- and function-level authorization. For APIs, build the inventory first, then enforce schema validation in the gateway, layer WAF protection for injection attacks, and invest in application-layer authorization for BOLA and BFLA. Modern WAAP platforms consolidate the WAF and schema-validation layers into a single product.

Frequently asked questions

Does every organization need both a WAF and an API gateway?

Not necessarily. If your application serves only browser-based HTML (no public API), a WAF alone may be sufficient. If you have only internal APIs used by authenticated services with no public exposure, an API gateway without a WAF may be adequate. Most modern applications have both a web frontend and public APIs, making a combined WAAP platform (or WAF plus API gateway) the appropriate architecture. Evaluate based on your actual application inventory: catalog your web applications and APIs separately and assess which protection layers each requires.

What is the difference between a WAF and a next-generation WAF?

Traditional WAFs rely on static signature rules that must be manually updated. Next-generation WAFs (NGWAF) add machine learning-based behavioral detection that identifies attacks by behavioral pattern rather than matching specific signatures, reducing false positives and detecting novel attack variations. Cloudflare, Imperva, and F5 all offer machine learning-enhanced WAF capabilities. In practice, the NGWAF label is a marketing distinction: evaluate specific detection capabilities and false positive rates in your environment rather than relying on the NGWAF designation.

How do I handle WAF false positives without weakening protection?

WAF false positives are the primary reason WAFs stay in detection-only (log) mode rather than blocking mode. Minimize them by starting in log mode to baseline what the WAF would block, reviewing the logs for false-positive patterns, creating exceptions (exclusion rules) scoped to the specific URL path, parameter, and rule that misfire rather than disabling whole rule categories, and using a tuned ruleset rather than defaults: with the OWASP Core Rule Set that means starting at paranoia level 1 and adjusting the anomaly-score threshold before raising the paranoia level. The goal is blocking mode with a well-tuned, periodically reviewed exception list, not permanent log-only operation.

What is mTLS and when is it required?

Mutual TLS (mTLS) is TLS with client certificate authentication: the server presents its certificate as usual and the client presents one too, so both parties are authenticated at the transport layer. In API security it is used for service-to-service and partner authentication: each microservice or API client presents a certificate that the API gateway or service mesh validates against a trusted CA (with revocation checking or short-lived certificates, so a leaked key has a bounded life) before the connection is accepted. mTLS is the right choice when you need cryptographic assurance of client identity, particularly in zero trust architectures where network location confers no trust; a bearer token can be replayed by whoever obtains it, a certificate cannot be used without its private key. Cloudflare API Shield, Kong, and Istio all support mTLS configuration.

How does API schema validation work?

API schema validation enforces your OpenAPI specification at the gateway layer: request parameters and bodies must match the types, formats, and constraints defined in the spec. A request sending a string where an integer is expected, or including a parameter that does not exist in the spec, is rejected before reaching your application. This addresses several OWASP API weaknesses: mass assignment (extra properties such as is_admin are rejected, but only if the body schema sets additionalProperties: false; the JSON Schema default is to allow unknown properties), parameter pollution, and type confusion. Configure schema validation in your API gateway (AWS API Gateway, Kong, Apigee) or WAF/WAAP platform (Cloudflare API Shield) using your OpenAPI specification as the source of truth, and treat a spec that drifts from the code as a validation failure in CI, because a stale spec is what the gateway enforces.
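Request-body validation of the kind described under Schema validation above and in this answer, as an added example: a small validator for the JSON Schema subset that OpenAPI request bodies typically use, not the engine of AWS API Gateway, Kong, Apigee or Cloudflare. The order schema and request bodies are constructed, and the same schema is checked twice, once with additionalProperties: false and once without, to show where mass-assignment protection actually comes from.

```python
"""OpenAPI request-body validation for a JSON Schema subset (added example, not a vendor engine)."""
import re

TYPE_MAP = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
            "object": dict, "array": list}


def validate(value, schema, path="$"):
    """Return a list of violation strings; an empty list means the value conforms."""
    errors = []
    t = schema.get("type")
    if t:
        # bool is a subclass of int in Python, so exclude it from the numeric types explicitly.
        ok = isinstance(value, TYPE_MAP[t]) and not (t in ("integer", "number") and isinstance(value, bool))
        if not ok:
            return [f"{path}: expected {t}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(value, str):
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match {schema['pattern']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required")
        for name, v in value.items():
            if name in props:
                errors.extend(validate(v, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: unexpected property")
    if isinstance(value, list) and "items" in schema:
        for i, v in enumerate(value):
            errors.extend(validate(v, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed request-body schema for POST /api/orders, as it should be written.
STRICT_ORDER = {
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "pattern": r"sku-[0-9]+", "maxLength": 16},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
        "gift": {"type": "boolean"},
    },
}
# The same schema as many real specs ship it: additionalProperties left unset.
PERMISSIVE_ORDER = {k: v for k, v in STRICT_ORDER.items() if k != "additionalProperties"}

# Constructed request bodies.
BODIES = {
    "good": {"sku": "sku-1", "quantity": 2},
    "mass_assignment": {"sku": "sku-1", "quantity": 2, "is_admin": True},
    "type_confusion": {"sku": "sku-1", "quantity": "2"},
    "negative": {"sku": "sku-1", "quantity": -3},
    "missing": {"sku": "sku-1"},
}


def check_all(schema):
    return {name: validate(body, schema) for name, body in BODIES.items()}


if __name__ == "__main__":
    for label, schema in (("strict", STRICT_ORDER), ("permissive", PERMISSIVE_ORDER)):
        for name, errs in check_all(schema).items():
            print(f"{label:10} {name:16} {'OK' if not errs else errs}")
```

Under the strict schema the is_admin body is rejected at the gateway; under the permissive one it is accepted, and whether that becomes a privilege escalation depends entirely on whether the application binds unknown fields to its model. The negative-quantity body is rejected here only because the schema carries minimum: 1; a schema without it would pass the request, which is why business rules still need a home in the application.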

What are GraphQL-specific security considerations?

GraphQL APIs present a different attack surface than REST: a single endpoint serves every query, so per-endpoint rate limiting and path-based WAF rules see only one URL. GraphQL-specific controls include depth limiting (reject deeply nested queries that cause excessive database load), query complexity analysis (assign costs to fields, multiply by requested list sizes, and reject queries above a threshold), disabling introspection in production (so attackers cannot map the schema), field-level authorization in resolvers, and persisted queries (only pre-registered query shapes are accepted). Alias batching, where one request repeats an expensive field or a login mutation under many aliases, must be counted against the same budgets or it bypasses per-request limits. Standard WAF signatures are largely ineffective against these attacks; enforce them in a GraphQL-aware API gateway, in a managed service such as AWS AppSync with custom resolvers, or in a GraphQL tooling layer such as StepZen.
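Depth, complexity and introspection checks applied before a query reaches resolvers, as an added example that is not code from any of the products named. It parses only the selection-set structure of a query (aliases, arguments, inline fragments, directives); named fragment spreads are skipped, list sizes are read only from literal first/last/limit arguments, and production use should build the same logic on graphql-core's AST rather than this tokenizer. The limits and queries are constructed.

```python
"""GraphQL pre-execution limits: nesting depth, cost estimate, introspection (added example)."""
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r'\s+|#[^\n]*|\.\.\.|[{}():\[\]!$=@,]|"(?:\\.|[^"\\])*"|-?\d+(?:\.\d+)?|[A-Za-z_]\w*')
LIST_ARGS = {"first", "last", "limit"}       # arguments assumed to size a list result
INTROSPECTION_ROOTS = {"__schema", "__type"}


@dataclass
class Field:
    name: str
    multiplier: int = 1                       # list size requested beneath this field
    children: list = field(default_factory=list)


def tokenize(src):
    return [t for t in TOKEN.findall(src) if not t.isspace() and t != "," and not t.startswith("#")]


def skip_balanced(toks, i):
    """toks[i] == '(' : return the index just past the matching ')'."""
    depth = 0
    for j in range(i, len(toks)):
        depth += toks[j] == "("
        depth -= toks[j] == ")"
        if depth == 0:
            return j + 1
    raise ValueError("unbalanced parentheses")


def parse_arguments(toks, i):
    """Return (list multiplier, index past ')'); variables and non-list args count as 1."""
    end, mult = skip_balanced(toks, i), 1
    for j in range(i + 1, end - 3):
        if toks[j] in LIST_ARGS and toks[j + 1] == ":" and toks[j + 2].lstrip("-").isdigit():
            mult = max(mult, int(toks[j + 2]))
    return mult, end


def parse_selection_set(toks, i):
    """toks[i] == '{' : return (fields, index past the matching '}')."""
    i, fields = i + 1, []
    while toks[i] != "}":
        if toks[i] == "...":                  # fragment
            i += 1
            if toks[i] == "on":
                i += 2                        # "... on Type { ... }"
            elif toks[i] != "{":
                i += 1                        # named spread: its definition is not costed here
                continue
            sub, i = parse_selection_set(toks, i)
            fields.extend(sub)
            continue
        name, i = toks[i], i + 1
        if toks[i] == ":":                    # alias: the real field name follows
            name, i = toks[i + 1], i + 2
        mult = 1
        if toks[i] == "(":
            mult, i = parse_arguments(toks, i)
        while toks[i] == "@":                 # directive: @name or @name(args)
            i += 2
            if toks[i] == "(":
                i = skip_balanced(toks, i)
        children = []
        if toks[i] == "{":
            children, i = parse_selection_set(toks, i)
        fields.append(Field(name, mult, children))
    return fields, i + 1


def parse_document(src):
    toks, i = tokenize(src), 0
    while toks[i] != "{":                     # skip "query Name($v: Int)" ahead of the root set
        i = skip_balanced(toks, i) if toks[i] == "(" else i + 1
    return parse_selection_set(toks, i)[0]


def depth(fields):
    return 0 if not fields else 1 + max(depth(f.children) for f in fields)


def cost(fields):
    """Each field costs 1 plus its subtree, and a list argument multiplies the subtree."""
    return sum(1 + f.multiplier * cost(f.children) for f in fields)


def check(src, max_depth=8, max_cost=5000, allow_introspection=False):
    try:
        fields = parse_document(src)
    except (ValueError, IndexError):
        return "reject", "malformed query"
    if not allow_introspection and {f.name for f in fields} & INTROSPECTION_ROOTS:
        return "reject", "introspection disabled"
    d, c = depth(fields), cost(fields)
    if d > max_depth:
        return "reject", f"depth {d} > {max_depth}"
    if c > max_cost:
        return "reject", f"complexity {c} > {max_cost}"
    return "allow", f"depth {d} complexity {c}"


# Constructed queries: a normal page load, a friends-of-friends explosion, a nesting
# attack with no list arguments at all, and a schema map.
BENIGN = "query Me { me { id orders(first: 10) { id total } } }"
ABUSIVE = "{ users(first: 100) { friends(first: 100) { friends(first: 100) { name } } } }"
DEEP = "{ " + " { ".join("abcdefghijk") + " }" * 11
INTROSPECT = "{ __schema { types { name } } }"
```

The abusive query is only four levels deep, so a depth limit alone would pass it; the cost estimate catches it because each first: 100 multiplies everything beneath it. The deep query has the opposite profile, a trivial cost but eleven levels of nesting, which is why both limits are needed and why a single-endpoint rate limit would see both as one cheap request.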

Sources & references

  1. Gartner Magic Quadrant for Web Application and API Protection 2025
  2. OWASP API Security Top 10 2023
  3. F5 Application Threat Intelligence Report 2025
  4. Cloudflare Application Security Report 2025
  5. Akamai State of the Internet Security Report 2025


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
