How AWS WAF Inspects Requests
Understand how WAF filters HTTP traffic at the application layer.
Layer 7 Protection
AWS WAF (Web Application Firewall) inspects HTTP and HTTPS requests at the application layer (Layer 7), unlike security groups and NACLs that work at Layers 3 and 4. It can read URLs, headers, query strings, and bodies to block attacks that look like normal network traffic but carry malicious payloads.
What It Defends Against
WAF targets common web threats such as SQL injection, cross-site scripting (XSS), bad bots, and application-layer floods. These attacks arrive on the legitimate ports 80 and 443, so lower-layer firewalls cannot distinguish them from normal traffic. WAF examines request content to tell good from bad.
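The contrast described above, as an added example that is not part of the original lesson and is not AWS code: a simplified model in which a security-group-style check sees only source address and port, while a Layer 7 check reads the URL-decoded URI, query string, headers, and body. The function names, signatures, and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed, deliberately small signatures (assumption); real WAF rules are far broader.
SIGNATURES = {
    "sqli": re.compile(r"""['"]\s*(or|and)\s+[\w'"]+\s*=|union\s+select""", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
}

# Constructed sample requests: same source, same port 443, different content.
BENIGN = {"src_ip": "198.51.100.7", "dst_port": 443, "path": "/search",
          "query": "q=running+shoes", "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""}
SQLI = dict(BENIGN, path="/product", query="id=1%27%20OR%20%271%27%3D%271")
XSS = dict(BENIGN, path="/comments", query="",
           body="comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E")


def l4_allows(req, allowed_cidr="0.0.0.0/0", allowed_ports=(80, 443)):
    """Security-group-style check: only source address and destination port are visible."""
    src = ipaddress.ip_address(req["src_ip"])
    return src in ipaddress.ip_network(allowed_cidr) and req["dst_port"] in allowed_ports


def l7_inspect(req):
    """Return (component, signature) pairs that match after URL-decoding each component."""
    components = {"uri": req["path"], "query": req["query"], "body": req["body"]}
    components.update({f"header:{k.lower()}": v for k, v in req["headers"].items()})
    hits = []
    for name, value in components.items():
        decoded = unquote_plus(value)  # inspect what the application will actually see
        for sig, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((name, sig))
    return hits


def decide(req):
    """Apply the lower-layer check first, then the content inspection."""
    if not l4_allows(req):
        return "DROP (L3/4)"
    return "BLOCK (L7)" if l7_inspect(req) else "ALLOW"


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("sqli", SQLI), ("xss", XSS)):
        print(label, "| L4 allows:", l4_allows(req), "| decision:", decide(req))
```

All three requests pass the port-and-address check; only the content inspection separates them.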