DEV Community

Cover image for 5 Self-Hosted WAFs Engineers Are Actually Using in 2026
Hawkinsdev
Hawkinsdev

Posted on

5 Self-Hosted WAFs Engineers Are Actually Using in 2026

#security #cybersecurity #waf

Cloud WAFs dominate the modern internet.

If you're building a public SaaS product, chances are you're already using something like Cloudflare, Fastly, or AWS WAF.

But in many real-world environments — internal platforms, hybrid infrastructure, private SaaS deployments — self-hosted WAFs are still very relevant.

Some of the reasons I still deploy them:

  • Full visibility into raw traffic
  • Some systems run inside private networks
  • Certain workloads require data sovereignty
  • Costs scale badly with very high traffic
  • I want direct control over rules and logs

A WAF should never be your only security control, but as a defense-in-depth layer, it’s still one of the most practical protections you can add to a web stack.

Here are five WAFs I’ve seen used in real production environments (or tested myself) in 2026.

None of them are perfect — each one reflects a different operational philosophy.

1. ModSecurity + OWASP CRS

If you’ve been around web security long enough, you’ve probably encountered ModSecurity.

It’s essentially the classic open-source WAF engine, widely deployed with Apache, NGINX, and IIS.

Detection is primarily driven by the OWASP Core Rule Set (CRS).

The model is straightforward:

  1. Parse incoming HTTP requests
  2. Apply rule sets
  3. Assign anomaly scores or block requests

Pros:

  • extremely flexible
  • battle-tested ecosystem
  • massive rule library

Cons:

  • tuning false positives can be painful
  • configuration complexity
  • rule maintenance overhead

For teams that want maximum control over detection logic, ModSecurity still holds up surprisingly well.

But it definitely requires operational effort.

2. Coraza WAF

Coraza is a newer WAF engine written in Go.

The goal is simple: modernize the ModSecurity ecosystem without abandoning the existing rule model.

Coraza supports the same rule language and works with OWASP CRS, but its architecture fits modern infrastructure better.

Common integrations include:

  • Caddy
  • Traefik
  • Envoy
  • Kubernetes ingress controllers

Where Coraza shines:

  • good performance
  • cloud-native architecture
  • cleaner codebase than legacy engines

The downside is maturity. The ecosystem is still evolving compared with ModSecurity’s long history.

For Kubernetes-heavy stacks, though, Coraza is often the most natural choice.

3. Open AppSec

Open AppSec takes a different approach from rule-based WAFs.

Instead of maintaining large rule sets, it relies heavily on machine-learning-driven behavioral models.

The idea is to learn what normal traffic looks like and detect anomalies.

Benefits:

  • less rule maintenance
  • better handling of unknown attack variants
  • strong API protection

This works especially well in:

  • Kubernetes ingress
  • NGINX reverse proxy stacks
  • environments with fast-changing APIs

The trade-off is transparency.

When a rule-based WAF blocks a request, you usually know exactly why. With ML-driven detection, that’s sometimes harder to explain.

4. NGINX App Protect

If you're already running NGINX Plus, App Protect is the obvious enterprise WAF option.

It’s built on the F5 WAF engine and integrates directly with the NGINX platform.

Strengths include:

  • strong API security capabilities
  • enterprise rule intelligence
  • commercial support

The downside is fairly obvious:

  • licensing cost
  • dependency on NGINX Plus

For companies already standardized on NGINX infrastructure, though, it can be a solid choice.

5. Safeline WAF

Safeline is a relatively new self-hosted WAF that’s gained traction recently, especially among smaller teams and startups.

Architecturally, it runs as a reverse-proxy WAF built on NGINX, inspecting HTTP traffic before it reaches backend services.

What makes Safeline interesting is how it detects attacks.

Traditional WAFs rely heavily on regex or signature matching. Safeline instead uses a semantic analysis engine that analyzes request structure and context rather than just scanning strings.

In practice, that means it examines things like:

  • parameter relationships
  • request structure
  • data types and payload format
  • logical inconsistencies between input and expected behavior

This allows it to detect attacks even when payloads are encoded, obfuscated, or split across multiple parameters.

Some notable capabilities:

1. Semantic attack detection

The engine analyzes HTTP semantics instead of simple pattern matching, which helps catch complex or previously unseen attacks while reducing false positives.

2. Better support for modern APIs

Modern apps rely heavily on JSON, GraphQL, and nested payloads. Safeline parses structured payloads and parameter relationships rather than treating them as raw strings.

3. Built-in bot and automation protection

Safeline includes bot detection and challenge mechanisms designed to stop credential stuffing, scraping, and vulnerability scanners.

4. Layer-7 traffic controls

Features like rate limiting, access control, and HTTP flood mitigation help protect against application-layer abuse.

Operationally, the biggest advantage is simplicity.

Compared with legacy WAF stacks, Safeline is designed to be:

  • quick to deploy
  • container-friendly
  • usable without deep WAF expertise

That makes it appealing for small teams that still want serious protection without maintaining massive rule sets.

You may find it already opensourced on Github.

How I Usually Choose a WAF

In practice, the decision usually comes down to operational complexity vs. control.

A rough guideline:

Scenario Typical Choice
Maximum rule control ModSecurity
Cloud-native infrastructure Coraza
Low-maintenance detection Open AppSec
Enterprise NGINX stack NGINX App Protect
Simple self-hosted deployment Safeline

One Important Reminder

A WAF should never replace secure application design.

What it can do well:

  • block obvious attack payloads
  • reduce automated scanning noise
  • protect vulnerable endpoints temporarily
  • buy time during incidents

But if your application has critical vulnerabilities, the real fix still belongs in the codebase.

Final Thoughts

The self-hosted WAF ecosystem is actually more diverse in 2026 than it was a few years ago.

Instead of relying on a single legacy tool, engineers now have several architectural choices:

  • rule-driven (ModSecurity)
  • cloud-native engines (Coraza)
  • ML-driven detection (Open AppSec)
  • enterprise modules (NGINX App Protect)
  • semantic-analysis-based systems like Safeline

Which one is best depends less on features and more on how your infrastructure is built — and what your team is capable of operating long-term.

Top comments (0)