Ask HN: Are Web Application Firewalls Necessary?

By ripberge - 3 days ago


CSP is a good investment. My colleague gave a talk at BSidesSF with (I think) good recommendations on how to enforce better CSP in practice: https://youtu.be/MNT0O94FYTg

ecesena - 16 hours ago

In my opinion, a WAF is security through obscurity; it's worse than useless, as it adds extra latency and complexity to your app, along with giving you a false sense of security.

Most of them are just a ruleset of common basic SQL injections that it hopes to detect and block. If it even actually works, the attacker just changes a few characters and easily gets past the block.

You are better off fuzzing: using the ruleset to test your code in development, detecting the SQL injections and fixing them. Now your code is secure, there is no extra setup, there is no extra latency, there is no extra complexity, there is no way around this security; it's secure security.

dangerface - 2 days ago
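One way to apply the approach in the comment above (run known injection strings against your own data-access code in development, and fix the code rather than filter the request), as an added example that is not from this thread; the table, the two handlers and the probe strings are constructed for illustration:

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # BAD: concatenation lets request-controlled input become SQL syntax.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # GOOD: parameter binding keeps the input as data, whatever characters it has.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed sample of the "common basic SQL injection" strings a WAF ruleset
# tries to match on the wire; here they are development-time test input instead.
INJECTION_PROBES = ["' OR '1'='1", "alice' --"]


def check_handler(handler):
    """Return True if no probe makes the handler leak rows, else False."""
    conn = make_db()
    for probe in INJECTION_PROBES:
        try:
            rows = handler(conn, probe)
        except sqlite3.Error:
            continue  # query failed outright: this probe did not succeed
        if rows:  # no user is literally named like a probe, so any row is a leak
            return False
    return True


if __name__ == "__main__":
    print("vulnerable handler passes:", check_handler(find_user_vulnerable))
    print("safe handler passes:", check_handler(find_user_safe))
```

The same check belongs in the test suite for every handler that touches the database, so a regression to string concatenation fails the build instead of reaching a WAF.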

If your application is coded securely, it should be able to withstand most of what a WAF can do. The problem is companies have a false sense of reality by and large: thinking their application is secure, when really it's just waiting to be hacked.

0x01030307 - a day ago

Fix your SQLi problems. In-depth defense, etc.

You might protect your web-facing service, but what about someone already inside your network (RAT)?

WAFs are an additional measure that you probably can't deploy between each pair of machines that communicate together. Have someone perform a pentest, see how bad it is. Also, they're expensive, more so than a check for weird chars in a comment field.

moviuro - 2 days ago