
With a web application firewall you can block malicious traffic before it reaches your site

Storm’s Web Application Firewall (WAF) is an intelligent gateway that qualifies traffic to your web application. Malicious visitors and traffic are blocked or redirected, even when masked as legitimate traffic. With a WAF you’re protected against attacks like cross-site scripting (XSS), SQL injections, remote file inclusion and execution, and more.

  • Automatic protection against common attack vectors
  • Activated as soon as your account is created
  • Easily add rules to customise your protection

You don’t need to be a security pro

Storm’s Web Application Firewall adds an additional layer of protection to your sites and servers the moment it is activated. Just point-and-click. Optionally add your own firewall rules for personalised website and server protection.

Point-and-click activation

Log into the Storm Security Centre and activate your Web Application Firewall in a few clicks. Pre-configured rule sets protect against common and less common forms of attacks, which means less work and more end-to-end application security.

Make your own rules

Custom WAF rule support comes standard with Storm’s PCI-DSS 3.2 compliant CloudFlare package. Easily whitelist legitimate traffic and reduce false positives for more accurate organisation-specific protection of your critical applications and data.

Collective Intelligence

Storm’s Web Application Firewall delivers learned intelligence from threats detected and blocked across 10,000,000 websites. New threats are automatically added to your active rule set, delivering 24/7 cutting-edge protection.

OWASP ModSecurity

OWASP ModSecurity Core Rule Set (CRS) delivers WAF attack prevention based on broad consensus critical security risks. Protection against the OWASP Top Ten list of critical threats is automatically included. OWASP project members consist of security experts from around the world who share their expertise.


A Web Application Firewall (WAF) performs the same basic task as a traditional firewall, with the exception that it does so at the application level rather than the network level. A WAF monitors and filters HTTP/HTTPS traffic to and from websites and web applications, protecting them from malicious activity.

A WAF employs a multi-faceted approach to protect websites and web applications. Some of the most common methods used to achieve this include allowlists, denylists, regex, and heuristics:


As the name suggests, an allowlist specifies which requests are allowed. Requests not on the list are blocked. This is a strict approach, and is typically applied when only known safe input or behaviour should be permitted. However, the strict nature of an allowlist may cause some legitimate requests to be denied if it is not configured correctly. One example of an allowlist implementation is where a form field expects a numeric value; anything other than the expected numeric value will be denied.


Denylists contain entries of IP addresses, user agents, specific strings, etc. that are forbidden. Denylists can be very effective against known attack patterns, but are ineffective against new or unknown attacks. As such, it’s critical to keep a WAF current with new threat intelligence. Denylists are typically static, meaning they don’t change unless manually updated. They can be seen as a set of “hard rules.”

Regular Expression-Based Rules

Regular expressions, or regex, are a powerful tool for pattern matching and string manipulation that are typically used to match patterns of common attacks (e.g. SQL injections). A key difference between regex and allowlists / denylists is that regex can be used to detect variations in common attacks, while allowlists / denylists require explicit static definitions.


Instead of looking for a specific string or pattern, heuristic checks might analyse the behaviour or structure of a request. For example, a sudden surge in requests from a single IP or unusually large payloads might be flagged as suspicious. To be effective and to minimise the potential for false positives, heuristics require careful tuning and continuous monitoring. Unlike allowlists, denylists, and regex to an extent, heuristics can detect previously unknown threats or zero-day exploits.
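The four methods described above (allowlist, denylist, regex and heuristics), combined in one request check. This is an added example, not code from Storm or from any WAF product; the field name, user-agent entry, thresholds and sample requests are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# All names and values below are constructed for illustration.
DENY_USER_AGENTS = ("badbot",)          # denylist: static entries, updated by hand
NUMERIC_FIELDS = {"quantity"}           # allowlist: these fields must be digits only
ALLOWED_NUMERIC = re.compile(r"\d{1,6}")
# regex rule: one pattern covers case and spacing variations of the same attack
SQLI_PATTERN = re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)
MAX_BODY_BYTES = 8192                   # heuristic: unusually large payload
MAX_REQUESTS, WINDOW_SECONDS = 5, 10    # heuristic: surge from a single IP

_recent = defaultdict(deque)            # ip -> timestamps of recent requests


def evaluate(ip, user_agent, params, body_len, now):
    """Return (verdict, reason) for one request; hard rules run before heuristics."""
    if any(entry in user_agent.lower() for entry in DENY_USER_AGENTS):
        return "block", "denylist"
    for name in params.keys() & NUMERIC_FIELDS:
        if not ALLOWED_NUMERIC.fullmatch(params[name]):
            return "block", "allowlist"
    if any(SQLI_PATTERN.search(value) for value in params.values()):
        return "block", "regex"
    if body_len > MAX_BODY_BYTES:
        return "alert", "heuristic:large-payload"
    window = _recent[ip]
    window.append(now)
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()                # forget requests outside the time window
    if len(window) > MAX_REQUESTS:
        return "alert", "heuristic:request-surge"
    return "allow", "no-rule-matched"


if __name__ == "__main__":
    samples = [  # constructed requests: (ip, user agent, params, body length, time)
        ("203.0.113.5", "Mozilla/5.0", {"quantity": "3"}, 120, 0.0),
        ("203.0.113.6", "BadBot/1.0", {}, 0, 0.0),
        ("203.0.113.7", "Mozilla/5.0", {"quantity": "3 apples"}, 10, 0.0),
        ("203.0.113.8", "Mozilla/5.0", {"q": "1 UnIoN   SeLeCt name"}, 10, 0.0),
    ]
    for sample in samples:
        print(sample[0], evaluate(*sample))
```

The heuristic checks return an alert rather than a block here because they are the most likely to produce false positives until tuned.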

In addition to these methods, modern WAFs can also incorporate other advanced techniques such as machine learning, threat intelligence integration, behavioural analysis, geo-blocking, and rate limiting. A well-configured WAF uses a combination of these methods to provide robust protection against a wide range of web application threats.

Traffic analysis. A WAF analyses incoming and outgoing web traffic to identify patterns, sequences, or behaviour.

Filtering. WAFs use allowlists, denylists, regex, heuristics, as well as other more advanced methods to detect and block threats like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF), among others. These rules can be customised based on the needs of the specific application.

Blocking / Alerting. When malicious activity is identified, it will either be blocked by the WAF, or an alert will be sent to system administrators. This depends on the WAF configuration.

Other WAF functionality includes:


  • Virtual patching. A WAF may automatically patch vulnerabilities in websites or web applications by creating a custom rule. However, this shouldn’t be regarded as a permanent fix, but rather as a temporary measure put in place until the vulnerable code can be fixed.
  • Bot protection. WAFs provide protection against bots. They are capable of distinguishing between bot traffic and legitimate human users, and so provide protection against automated attacks and scraping.
  • API security. Some WAFs offer protection tailored specifically for API endpoints, ensuring that they are shielded from misuse and abuse.
  • Third-party integration. WAFs can often integrate with other security systems, such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management (SIEM) systems, creating a layered and comprehensive security approach.

The Open Web Application Security Project (OWASP) is a global non-profit organisation focused on application security. OWASP provides freely available articles, methodologies, documentation, tools, and technologies to create awareness of, and enhance, online application security.

A Web Application Firewall (WAF) offers several benefits to protect web applications and improve their overall security posture. Here are some of the primary benefits:

  1. Protection Against Common Web Vulnerabilities: WAFs are designed to protect against a variety of web-based threats and vulnerabilities, including those outlined in the OWASP Top 10, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  2. Defence Against Zero-Day Exploits: Some advanced WAFs can detect and block previously unknown vulnerabilities or zero-day exploits using heuristic analysis and behaviour-based detection mechanisms.
  3. DDoS Mitigation: While traditional DDoS protection focuses on the network layer, WAFs can help protect against application-layer (Layer 7) DDoS attacks, which target specific aspects of a web application.
  4. Rate Limiting: WAFs can limit the number of requests a user or IP can make within a specific timeframe, helping to prevent application abuse and DDoS attacks.
  5. Customisable Rules: Organisations can tailor WAF rules to their specific application needs, allowing for a balance between security and usability.
  6. Centralised Security Management: WAFs provide a centralised point of control for monitoring and managing web traffic, making it easier to enforce consistent security policies across multiple applications.
  7. SSL Termination: Many WAFs can handle SSL termination, offloading the performance cost of encrypting and decrypting HTTPS traffic from the web servers.
  8. Geo-blocking: WAFs can block or allow traffic based on geographic origin, which can be useful for both security and regulatory compliance.
  9. Compliance: For industries subject to regulations like PCI DSS, HIPAA, or GDPR, using a WAF can be a key component in meeting certain security requirements.
  10. Improved Performance: Some WAFs come with integrated content caching, which can reduce the load on backend servers and improve an application’s response times.

While Web Application Firewalls offer numerous benefits, it’s important to understand that they are just one component of a comprehensive security strategy. Regular application patching, secure coding practices, and other security measures should be employed in conjunction with a WAF for optimal protection.

Don’t just take our word for it

Over 14,000 happy retailers & brands use Storm Internet

Elizabeth Shaw

From the offset, Storm took the time to understand our problems and gave us confidence they could provide solutions to our issues. We've not been disappointed.

Elliot Price - Elizabeth Shaw

Mystery Shoppers

Storm made us as the customer feel like we were valued. I think they are one of the best managed hosting companies out there! I have recommended Storm to several other people who have also been very pleased.

Chris Palmer - Mystery Shoppers

Signum International

The Storm guys rectified any issues quickly and without needing any prompting from us. Being able to contact the MD is a real bonus, it's good to know that you have the right person's ear for what is critical to us.

Bob Baker - Signum International


We had several issues with previous hosting providers including their communication, support and performance. With Storm Internet any issues have been resolved immediately and the support system is really easy to use.

Sim Sekhon - Legal4Landlords

YKK Europe

If you need a responsive company to help with your web needs, then you can do no better than to call Storm Internet. Their dedicated team will help out in the most pressing of circumstances.

Anna Stefaniak - YKK Europe

Channel and Mobile Solutions

We rely on Storm, 5 years and counting. They elevate managed hosting to a whole new level and speak our language.

Mike Bowen - Channel and Mobile Solutions

Cool Milk

We need a website that is up and running at all times, and Storm delivers. They go the extra mile.

Michael Saracevas - Cool Milk

Synbiotix Solutions Ltd

Storm designed and proposed a dedicated Private Cloud infrastructure that not only met our needs for current business IT operations but also allowed for future growth.

Theo Constantinides - Synbiotix Solutions Ltd

Mandon Software

Whatever challenges you throw at them, Storm is always up to the task. Having them onboard is like having a complete tech team on duty 24/7

David Allaway - Mandon Software

Jayex Technology

Our needs had to be precisely matched and, unlike AWS or Google, Storm could do it

Matteo Marcolini - Jayex Technology

Quantock Design

Their support makes us look good

Gavin Sadler - Quantock Design


The support guys have been brilliant in sorting every issue, the support provided and the price that we pay is far better than what other hosting providers had quoted us

Justin Smith - Breakerlink


Storm Internet offered everything we needed. The support is there 24/7 and it is on a personal level. We feel like a business partner. Storm have helped us to optimise our server and keep everything running smoothly

Omar Farra - Nitrotek

Storm Internet wins Best Hosted Provider at 22nd ISPA Awards

Over the years Storm Internet has collected a number of awards. They reflect a core methodology by which we empower our clients by providing them with the technology and tools they need to accomplish their goals efficiently.
