D3 · Architecture

What is a Web Application Firewall (WAF)?

A WAF inspects HTTP/HTTPS traffic to block web attacks such as SQLi, XSS, CSRF, and path traversal. It is deployed in front of web applications.
A WAF operates at layer 7 (the application layer); a regular firewall operates at layers 3/4. A WAF doesn't replace secure coding; it's a compensating control. The OWASP ModSecurity Core Rule Set is widely used.