
WAF Detection: a beginner's guide

Detect Web Application Firewall

EdgeDNS Team · 8 min read

WAFs: the security layer that sits in front of your website

A WAF (Web Application Firewall) is a security layer that sits in front of your website and inspects every incoming HTTP request before forwarding it to your actual application server. The WAF's job is to detect and block requests that look like attacks — SQL injection attempts, cross-site scripting payloads, known vulnerability exploits, malicious bot traffic, denial-of-service patterns — based on a continuously updated set of rules. Some WAFs are software you run on your own server (like ModSecurity); most modern ones are cloud-hosted services that you point your DNS at, like Cloudflare, AWS WAF, Akamai Kona, Imperva, or Fastly's Signal Sciences.

You should care because **a WAF is one of the few security layers that can protect a vulnerable application from being exploited before the application itself is patched**. The classic story is the company that discovers a critical vulnerability in a third-party library at 9 PM Friday — and uses a WAF rule to block exploitation traffic at the network edge by 9:15 PM, buying the engineering team the entire weekend to patch the actual code. Without a WAF, the only option is the emergency patch. With a WAF, you have a buffer.

The five things every WAF detection check looks at:

  • Is the domain proxied through a known WAF provider? Cloudflare, Akamai, Imperva, Fastly, AWS, F5, Barracuda, Sucuri — each leaves recognizable headers, response patterns, or IP ranges.

  • What is the WAF policy mode? Block, challenge, log-only? A WAF in log-only mode is just an alarm system, not a defense.

  • Is rate limiting configured? A WAF without rate limits is easier to bypass with brute-force attacks.

  • Are bot-management features enabled? Most modern WAFs include tools to distinguish legitimate bots (search engines, monitoring) from malicious ones.

  • Is the WAF actually being bypassed? A common misconfiguration is exposing the origin server's IP directly, which lets attackers route around the WAF entirely.

Three questions a WAF check answers:

  • Is this domain protected by a WAF, or is the origin server fully exposed?

  • Which WAF provider is in use, and at what level of protection?

  • Could an attacker bypass the WAF by finding the origin IP?

The cost of running without a WAF is the loss of the buffer between "vulnerability discovered" and "vulnerability patched." For high-traffic or high-value sites, that buffer is the difference between an embarrassing email and a public security incident. WAFs are not a substitute for secure coding — but they are an excellent defense in depth on top of it.

The WAF Detection endpoint, in plain language

In one sentence: Detect Web Application Firewall

The endpoint identifies whether a Web Application Firewall (WAF) is protecting a domain by analyzing HTTP (HyperText Transfer Protocol) response signatures. It detects 17 major WAF providers, including Cloudflare, AWS WAF, Akamai, Imperva/Incapsula, Sucuri, F5 BIG-IP, Barracuda, Fortinet FortiWeb, Google Cloud Armor, and ModSecurity with OWASP CRS, and returns confidence levels and specific evidence for each detection.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

The endpoint makes an HTTP (HyperText Transfer Protocol) request to the domain and analyzes multiple detection signals: WAF-specific response headers (`cf-ray`, `x-sucuri-id`, `x-akamai-transformed`), server header patterns, Set-Cookie signatures (e.g., `__cf_bm`, `incap_ses_`), response body patterns (block pages, challenge pages), and HTTP status code behaviors. Each detected provider includes the vendor name, WAF type, confidence level (high/medium/low), and the specific evidence that triggered detection.
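The header and cookie signals described above can be checked passively against a response you have already captured from your own site. The following is an added example, not EdgeDNS's code or rule set: the vendor mapping, the confidence rule, and the `vendor`/`confidence`/`evidence` key names are assumptions, and the sample responses are constructed.

```python
# Added example. Signal names come from this page; the vendor mapping,
# confidence rule and provider keys below are this example's assumptions.
HEADER_SIGNALS = {"cf-ray": "Cloudflare", "x-sucuri-id": "Sucuri",
                  "x-akamai-transformed": "Akamai"}
COOKIE_PREFIXES = {"__cf_bm": "Cloudflare", "incap_ses_": "Imperva/Incapsula"}
SERVER_PATTERNS = {"cloudflare": "Cloudflare", "sucuri": "Sucuri"}
RANK = {"high": 0, "medium": 1, "low": 2}


def detect_waf(headers):
    """Classify one HTTP response given as a list of (name, value) pairs."""
    evidence = {}  # vendor -> list of (signal kind, detail)
    for name, value in headers:
        lname = name.lower()  # header names are case-insensitive
        if lname in HEADER_SIGNALS:
            evidence.setdefault(HEADER_SIGNALS[lname], []).append(("header", lname))
        elif lname == "server":
            for pattern, vendor in SERVER_PATTERNS.items():
                if pattern in value.lower():
                    evidence.setdefault(vendor, []).append(("server", value))
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            for prefix, vendor in COOKIE_PREFIXES.items():
                if cookie.startswith(prefix):
                    evidence.setdefault(vendor, []).append(("cookie", cookie))
    providers = []
    for vendor, items in evidence.items():
        kinds = {kind for kind, _ in items}
        if len(kinds) >= 2:
            confidence = "high"    # two independent signal types agree
        elif kinds & {"header", "cookie"}:
            confidence = "medium"  # one vendor-specific header or cookie
        else:
            confidence = "low"     # a Server banner alone is easy to change
        providers.append({"vendor": vendor, "confidence": confidence,
                          "evidence": items})
    providers.sort(key=lambda p: RANK[p["confidence"]])
    return {"detected": bool(providers),
            "primaryProvider": providers[0]["vendor"] if providers else None,
            "providers": providers, "providerCount": len(providers)}


# Constructed responses (not captured from real sites).
SAMPLE_CLOUDFLARE = [("Server", "cloudflare"), ("CF-RAY", "constructed-ray-id"),
                     ("Set-Cookie", "__cf_bm=constructed; path=/; HttpOnly")]
SAMPLE_IMPERVA = [("Set-Cookie", "incap_ses_000_0000=constructed; path=/")]
SAMPLE_BARE = [("Server", "nginx"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    for sample in (SAMPLE_CLOUDFLARE, SAMPLE_IMPERVA, SAMPLE_BARE):
        print(detect_waf(sample))
```

A result of `detected: False` for a site you believe is proxied is the case worth investigating, since it can mean the response came straight from the origin.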

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the WAF Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

WAF detection is essential for security assessments (knowing what defenses are in place), troubleshooting (identifying if a WAF is blocking legitimate traffic), and competitive intelligence (understanding infrastructure choices). For penetration testers, WAF awareness is critical for adjusting testing methodology. For operations teams, knowing the WAF provider helps diagnose false positive blocks on API (Application Programming Interface) traffic.

Picture this in real life. Imagine a penetration tester who needs to identify WAF presence before testing so the methodology can be adjusted accordingly. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the WAF Detection tool, the same person gets a clear answer in seconds: no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the WAF Detection tool is built for you:

  • Is my website encrypted properly, or are visitors going to see a scary browser warning?

  • Am I missing any of the security headers that modern browsers expect?

  • Could a known weakness on my site quietly be costing me trust, traffic, or compliance?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the developer plan. The technical details: `GET /v1/domain/waf`.

When would I actually use this?

If you're still on the fence about whether the WAF Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a penetration tester, a solutions architect, and a devops engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Security Assessment

Imagine you're a penetration tester. You need to identify WAF presence before testing so you can adjust your methodology accordingly.

Why it matters: Plan penetration tests with WAF evasion considerations.

Story 2: Competitive Analysis

Imagine you're a solutions architect. You want to understand which WAF solutions competitors use for security.

Why it matters: Inform WAF selection based on industry adoption.

Story 3: Troubleshooting

Imagine you're a devops engineer. You need to identify whether a WAF is blocking legitimate requests to APIs or services.

Why it matters: Diagnose connectivity issues caused by WAF blocks.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the WAF Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • After every site redesign or platform migration.

  • Before a penetration test, security review, or vendor questionnaire.

  • When your SSL certificate is about to expire and you want to confirm the renewal worked.

  • On a recurring monthly schedule, so you catch new issues before attackers do.

If you can see yourself in even one of those bullets, the WAF Detection tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the WAF Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the WAF Detection tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/waf?domain=example.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
| --- | --- | --- | --- | --- |
| domain | string | Yes | The domain to detect WAF for | example.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
| --- | --- | --- |
| domain | string | The queried domain |
| detected | boolean | Whether a WAF was detected |
| primaryProvider | string \| null | Primary WAF provider name, or null if no WAF detected |
| providers | array | All detected WAF providers with confidence and evidence |
| providerCount | number | Number of WAF providers detected |
| recommendations | array | Security improvement suggestions |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.

API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.

HTTP (HyperText Transfer Protocol) — The language web browsers and websites use to talk to each other.
