Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Category Direction - Web Application Firewall

Stage Defend
Maturity Minimal
Content Last Reviewed 2020-06-10

Introduction and how you can help

Thanks for visiting this category direction page on the Web Application Firewall (WAF) in GitLab. This page belongs to the Container Security group of the Defend stage and is maintained by Sam White (

This direction page is a work in progress, and everyone can contribute:


A web application firewall (WAF) filters, monitors, and blocks web traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications, while regular firewalls serve as a safety gate between servers. By inspecting the contents of web traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

GitLab's WAF comes with a default out-of-the-box OWASP ruleset in detection only mode.

Target Audience

Where we are Headed

GitLab's WAF is focused on providing a base level of traffic filtering for data coming in and out of containerized environments. The goal is not to become a general purpose WAF or to compete head-to-head with long-standing WAF vendors. Rather the intent is to focus on containerized environments and optimize for the protection capabilities that can be applied at that layer.

Current WAF functionality is capable of filtering data at the L7 layer to protect against L7 DDoS attacks and many of the attacks listed on the OWASP Top 10. Our WAF has some basic L4 DoS protection; however, another WAF that sits outside the containerized environment is required for organizations wanting to do L4 DDoS protection or more advanced L4 DoS protection. For environments that are already running a WAF outside the cluster, the GitLab WAF is complementary and can provide for defense in depth with an additional layer of protection for any traffic that might circumvent or slip through a firewall further upstream.

What's Next & Why

This category has currently achieved the Minimal maturity level. For the near-term, we plan to invest minimally into this category to allow for time to gather additional user feedback. While we gather that feedback, our development efforts are currently focused on our Container Network Security and Container Behavior Analytics categories.


Q: What are the current plans to support high availability (HA) when using Ingress or the GitLab Web Application Firewall?

A: Plans to add support for a high availability Web Application Firewall have been delayed to allow development efforts to focus on the Container Network Security and Container Host Security categories. For now, we advise customers with a strict requirement for high availability to not use the GitLab Web Application Firewall. We welcome any contributions that the wider community would like to make in this area to help advance the feature and accelerate the timeline for when high availability can be supported for this feature.

Competitive Landscape

Some other vendors in the WAF market include the following:

Analyst Landscape

Gartner provides a Magic Quadrant for the Web Application Firewall market.

GIT is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license