
The MHCLG Way and its content is intended for internal use by the MHCLG community.

Use a web application firewall (WAF)

A web application firewall (WAF) is an application-layer (HTTP) control that inspects traffic between clients and your web application in both directions. With a WAF you can monitor web traffic and apply rules that control access to your web content, for example by logging or blocking requests that match known attack patterns. Doing this improves your service’s security monitoring and security posture.

Why you should use a WAF

Your continuous integration (CI) and continuous deployment (CD) pipelines should include security tests in their workflows to identify common vulnerabilities in your code. Even so, common vulnerabilities like cross-site scripting (XSS) and injection attacks (for example SQL, XML or command injection) can still reach your production environments through human error.

Combining a WAF with your CI and CD security tests reduces the risk from those residual vulnerabilities and provides an extra layer of security coverage for your service. Treat the WAF as a compensating control that buys time, not as a substitute for fixing the vulnerable code.

When and how to use a WAF

Set up a baseline of tests in your project’s alpha phase to identify security vulnerabilities. As your service’s features grow, extend your tests to cover new vulnerabilities you identify, for example through exercises like application threat modelling.

Good development practices should detect and fix common vulnerabilities before they reach production environments. Use your WAF to detect, log and block attempts to exploit vulnerabilities in your digital services that an attacker could otherwise reach.

You should:

  • have an independent security audit in place
  • use established logging techniques
  • encrypt data at rest as well as in transit
  • subscribe to and apply security patches
  • use parameterised queries (bind variables, or stored procedures that take parameters) instead of building SQL from user-supplied text, to prevent SQL injection

You should monitor the Open Web Application Security Project (OWASP) Top 10 list of the most critical web application security risks to keep up to date with the latest threats.

Using a WAF should align with your other security monitoring. When developing use cases you should also factor in the extra time and resources needed to configure and tune WAF rules, including investigating false positives that block legitimate traffic.

Managing your WAF

Identify any areas in your app not covered by your WAF and define measures to protect them, such as using:

Reviews

Review your WAF rules after each application change against the risks in the OWASP Top 10 categories.

This is similar to how you use a penetration test to confirm the effectiveness of security controls in your environment.
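As an added example (not the MHCLG Way's or any WAF product's code), here is a small request-inspection model with a regression suite you can re-run after each application or rule change, covering both the tuning cost noted under "When and how to use a WAF" and the review step above. The rule patterns, the `/notes` exception and the request cases are all constructed and simplified stand-ins for what a real rule set contains; they show the shape of the check, not production-grade signatures.

```python
import re
from urllib.parse import unquote_plus

# Constructed rules: simplified signatures for three common attack classes.
# A real rule set is far larger; these only illustrate the mechanism.
RULES = {
    "sqli": re.compile(r"(?i)(\bor\b|\band\b)\s+\S+\s*=\s*\S+|\bunion\b.+\bselect\b|--|/\*"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon[a-z]+\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}

# Assumed exception list: (path, rule) pairs where a rule is known to fire on
# legitimate input. Every entry needs a documented reason and an owner.
EXCEPTIONS = {("/notes", "sqli"): "note bodies may contain '--' as markdown"}


def normalise(value):
    """URL-decode twice so double-encoded payloads are matched as the app would see them."""
    return unquote_plus(unquote_plus(value))


def inspect(request):
    """Return the rule ids that fire on a request dict, after applying exceptions."""
    surfaces = [request.get("path", ""), request.get("query", ""), request.get("body", "")]
    surfaces += request.get("headers", {}).values()
    text = "\n".join(normalise(s) for s in surfaces)
    hits = []
    for rule_id, pattern in RULES.items():
        if pattern.search(text) and (request.get("path"), rule_id) not in EXCEPTIONS:
            hits.append(rule_id)
    return hits


def decide(request):
    return "block" if inspect(request) else "allow"


# Constructed regression cases: (description, request, expected decision).
# Add a case for every new endpoint, every rule change and every exception.
CASES = [
    ("plain search", {"path": "/search", "query": "q=council+tax"}, "allow"),
    ("sqli in query", {"path": "/search", "query": "q=x%27+OR+%271%27%3D%271"}, "block"),
    ("double-encoded sqli", {"path": "/search", "query": "q=x%2527%2BOR%2B%25271%2527%253D%25271"}, "block"),
    ("xss in body", {"path": "/comments", "body": "text=<ScRiPt>alert(1)</script>"}, "block"),
    ("event-handler xss", {"path": "/comments", "body": "text=<img src=x onerror=alert(1)>"}, "block"),
    ("traversal in path", {"path": "/files/../../etc/passwd"}, "block"),
    ("markdown in notes (exception)", {"path": "/notes", "body": "text=-- heading --"}, "allow"),
    ("markdown elsewhere", {"path": "/comments", "body": "text=-- heading --"}, "block"),
    ("xss via header", {"path": "/", "headers": {"User-Agent": "<script>x</script>"}}, "block"),
]


def run_regression():
    """Return the cases whose decision differs from expectation; an empty list means pass."""
    failures = []
    for name, request, expected in CASES:
        got = decide(request)
        if got != expected:
            failures.append((name, expected, got))
    return failures


if __name__ == "__main__":
    print(run_regression() or "all WAF regression cases pass")
```

Two things the cases make visible that the rules alone do not: the decode-before-match step is what catches the double-encoded payload, and the `/notes` exception is a deliberate, scoped gap that must be re-justified whenever that endpoint changes. Keep the case list under version control next to the rules so the review after each change is a diff, not a memory exercise.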

Contact Cyber Security

Contact the security architects in the MHCLG Cyber Security team by email at cybersecurity@communities.gov.uk.

Further reading

To find out more about WAF refer to:

This page was last reviewed on 28 July 2025. It needs to be reviewed again on 28 July 2026 by the page owner #mhclg-way.