WAF

A WAF inspects HTTP/HTTPS to block OWASP-class attacks like SQL injection and XSS that network firewalls can’t see. It complements — never replaces — secure coding and input validation. WAFs can run per-rule in detect, block, or log-only mode, letting teams tune rules before enforcing them.