Free firewall checker for WAF detection.
Detect whether a public website sits behind a web application firewall (WAF) and identify the vendor when fingerprinting succeeds.
About firewall detection
A WAF (web application firewall) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
This checker sends a passive fingerprinting request to the target URL and reports whether a WAF was detected, along with the vendor name when the response includes it (for example `{"hasWaf":true,"waf":"Cloudflare"}`).
Use cases
- Understand whether a site is using a WAF and which firewall software or service protects it.
- Estimate application-layer protection before penetration testing or vendor due diligence.
- Compare edge security posture across competitors, acquisitions, or third-party SaaS vendors.
- Keep lightweight evidence of WAF fingerprinting through the downloadable raw JSON response.
Knowing the WAF in use provides insight into protection against several attack vectors, but may also reveal configuration weaknesses or bypass research paths specific to that product.
How to interpret the response
| Signal | Meaning |
|---|---|
| hasWaf: true | A WAF or similar edge filter was detected in front of the application. |
| waf | Vendor or product name returned by the fingerprinting engine when available. |
| hasWaf: false | No WAF was detected. The origin may be directly exposed or use non-standard protection. |
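As an added example (not code from this checker), the table above can be applied to a batch of saved raw JSON responses, for instance when reviewing several third-party vendors. It assumes only the `hasWaf` and `waf` fields shown on this page; the function names, status labels, and sample hostnames are hypothetical.

```python
import json

def interpret(raw):
    """Map one raw checker response to (status, vendor, note)."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return ("invalid", None, "response is not valid JSON")
    # Require a real boolean: the string "true" must not count as a detection.
    if not isinstance(data, dict) or not isinstance(data.get("hasWaf"), bool):
        return ("invalid", None, "hasWaf missing or not a boolean")
    if not data["hasWaf"]:
        return ("no-waf", None,
                "origin may be directly exposed or use non-standard protection")
    # The vendor name is only present when fingerprinting succeeded.
    vendor = data.get("waf")
    if isinstance(vendor, str) and vendor.strip():
        return ("waf", vendor.strip(), "WAF detected and vendor identified")
    return ("waf-unknown", None, "WAF detected, vendor not fingerprinted")

def summarize(responses):
    """responses maps hostname -> raw JSON text.
    Rows are sorted so hosts needing follow-up come first."""
    order = {"invalid": 0, "no-waf": 1, "waf-unknown": 2, "waf": 3}
    rows = [(host, *interpret(raw)) for host, raw in responses.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample responses; hostnames are placeholders.
SAMPLE = {
    "shop.example.com": '{"hasWaf":true,"waf":"Cloudflare"}',
    "api.example.net": '{"hasWaf":false}',
    "legacy.example.org": '{"hasWaf":true}',
    "partner.example.io": "<html>502 Bad Gateway</html>",
    "old.example.edu": '{"hasWaf":"true","waf":"Sucuri"}',
}

if __name__ == "__main__":
    for host, status, vendor, note in summarize(SAMPLE):
        print(f"{host:20} {status:12} {vendor or '-':12} {note}")
```

A `no-waf` row is a prompt to review that host's exposure, not proof that it is unprotected, since not every deployment is detectable from the outside.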
Common WAF and firewall products
Fingerprinting engines may return vendor names similar to the examples below. Results depend on live response headers, TLS behavior, and challenge pages—not every deployment is detectable from the outside.
| Product | Vendor | Description |
|---|---|---|
| Cloudflare WAF | Cloudflare | Edge WAF bundled with CDN and DDoS protection, commonly detected on high-traffic public sites. |
| AWS WAF | Amazon Web Services | Managed rules attached to Application Load Balancer, CloudFront, or API Gateway in AWS environments. |
| Akamai Kona Site Defender | Akamai | Enterprise edge WAF used by large publishers, retailers, and financial services at the CDN layer. |
| Imperva WAF | Imperva | Cloud and on-premise WAF focused on bot management, API protection, and compliance-driven workloads. |
| Azure Application Gateway WAF | Microsoft Azure | Regional WAF policy for OWASP CRS rules on applications hosted in Azure. |
| Google Cloud Armor | Google Cloud | Edge security policy for Google Cloud load balancers with rate limiting and geo restrictions. |
| Sucuri Website Firewall | Sucuri | Reverse-proxy WAF popular on WordPress and small business sites for malware and exploit blocking. |
| F5 BIG-IP ASM | F5 | Application security module often deployed in front of APIs and legacy enterprise applications. |
| FortiWeb | Fortinet | Hardware or virtual appliance WAF used in hybrid networks and regulated industries. |
| Barracuda WAF | Barracuda Networks | Appliance and cloud WAF for SMB and mid-market teams needing straightforward rule management. |