Web App & API Protection

How well you protect web applications and APIs can determine whether you’re a proven, reputable online presence or an unreliable, untrusted one. F5 provides app protection in any architecture that stands up to a range of ever-evolving attack types.

TOP CUSTOMER USE CASES

Advanced threat defense

Deter bad bots

MITIGATE BOT ATTACKS

Protect user credentials

Cut costs in the cloud

Prevent Web Fraud

F5 Positioned as a Leader in The Forrester Wave™: Web Application Firewalls, Q2 2018

KNOW WHAT YOU’RE UP AGAINST

Understanding how web apps can be compromised is the first step in protecting them. 

APP SERVICES

Injection

Injection occurs when input provided by external sources contains hidden application commands from an attacker. When a web application doesn’t properly filter that input, the injected commands are passed through to either the local system or a dependent one. A common example is SQL injection, as many applications rely on user input to build SQL statements that fetch information or log users in.
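The SQL injection case described above, as an added example that is not from the original page or from F5: a login lookup that builds its statement from user input, beside the parameterized form. The table, function names and sample values are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory user table (constructed sample data).

    The plaintext password column only keeps the sketch short; it is not
    a storage recommendation.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    # User input is pasted into the statement text, so a quote character in
    # the input changes the structure of the query itself.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    # Placeholders keep the input as data: it is bound after the statement
    # has been parsed and is never interpreted as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def compare(password):
    """Return (vulnerable_result, parameterized_result) for user 'alice'."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, "alice", password),
                login_parameterized(conn, "alice", password))
    finally:
        conn.close()


if __name__ == "__main__":
    # Classic tautology input: turns the WHERE clause into "... OR '1'='1'".
    print("correct password :", compare("s3cret"))
    print("wrong password   :", compare("guess"))
    print("tautology input  :", compare("' OR '1'='1"))
```

Only the string-built query accepts the tautology input; the parameterized query compares it to the stored value as an ordinary string and rejects it.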

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to run their own malicious scripts in a victim’s browser, within the trusted context of a site they’re visiting. XSS can be used to steal session tokens, initiate hidden transactions, or display falsified or misleading content. More sophisticated XSS scripts can even load key loggers that relay victims’ passwords to command-and-control servers operated by the attackers.

Man-in-the-Middle (MitM)

An attacker gains full access to both sides of a conversation or connection between two parties, allowing them to eavesdrop on sensitive data, tamper with data in transit, or even inject false data or commands that will be interpreted as genuine, authenticated, or otherwise trustworthy.

Sensitive Data Disclosure

Inadvertent exposure of sensitive information is low-hanging fruit for automated scanners and ripe for exploitation. Common examples include error messages detailing how unexpected input is handled, physical locations of files on servers, specific versions of components and libraries, and stack traces from failed functions.

Insecure Deserialization

Object serialization converts an object into a data format; deserialization reads this structured data and builds an object from it. Many programming languages offer native serialization or allow customization of the serialization process, which bad actors can use maliciously. Insecure deserialization has led to remote code execution, denial-of-service, replay, injection, and privilege escalation attacks.

Session Hijacking

In the context of HTTP applications, session hijacking usually involves the theft of session cookies used to authenticate and subsequently authorize HTTP requests initiated by a known user. With the stolen session cookie, an attacker is then able to effectively impersonate their victim to initiate fraudulent transactions.

Resource Hoarding (Scalping)

Scalpers use bots and other automation to purchase high-demand items, like concert tickets or limited-edition products, at a faster rate than humans are capable of. These products are resold to actual consumers at a significant markup. Over time, consumers no longer trust you to be a reliable source for in-demand products and services.

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.

ACCESS

Credential Theft

Most users with compromised devices are unaware they’re infected with malware. Their credentials are stolen by malware-controlled web browsers, then used to take over a user account or move laterally within the corporate network.

Brute Force

An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords or passphrases in an attempt to gain unauthorized access to an application or website.

Credential Stuffing

Attackers use automated injection of previously breached username/password pairs in order to fraudulently gain access and take over user accounts. Breached credentials are available for sale on the dark web, and it’s no secret that users frequently re-use passwords across multiple apps or websites.
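The difference between the Brute Force and Credential Stuffing entries above shows up in the shape of failed logins, which this added example (not from the original page or from F5) uses to label noisy sources in an authentication log. The events are constructed, the thresholds are illustrative assumptions, and grouping by source IP is a simplification, since distributed campaigns spread attempts across many addresses.

```python
from collections import defaultdict

# Constructed login events: (source_ip, username, success).
# Addresses come from the documentation ranges.
SAMPLE_EVENTS = (
    [("198.51.100.7", "alice", False)] * 6
    + [("203.0.113.9", u, False)
       for u in ("bob", "carol", "dave", "erin", "frank")]
    + [("203.0.113.9", "grace", True)]
    + [("192.0.2.4", "heidi", False), ("192.0.2.4", "heidi", True)]
)


def classify_sources(events, min_failures=5, ratio=0.8):
    """Label each noisy source by the shape of its failed logins.

    min_failures and ratio are assumed values for illustration,
    not defaults of any product.
    """
    stats = defaultdict(lambda: {"fails": defaultdict(int), "hits": set()})
    for ip, user, ok in events:
        if ok:
            stats[ip]["hits"].add(user)
        else:
            stats[ip]["fails"][user] += 1

    report = {}
    for ip, s in stats.items():
        total = sum(s["fails"].values())
        if total < max(min_failures, 1):
            continue  # ordinary typos stay below the threshold
        distinct = len(s["fails"])
        if max(s["fails"].values()) / total >= ratio:
            label = "brute_force"          # many guesses at one account
        elif distinct / total >= ratio:
            label = "credential_stuffing"  # about one guess per account
        else:
            label = "mixed"
        report[ip] = {
            "label": label,
            "failures": total,
            # Successful logins from a flagged source deserve a forced
            # password reset and a session review.
            "accounts_to_review": sorted(s["hits"]),
        }
    return report


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(ip, verdict)
```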

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.

Global availability

Keep your applications healthy and performing for all users—everywhere.

Better time-to-market

Get your apps out the door and in the hands of your customers faster.

Dynamic defense

Defend against emergent threats with adaptive solutions that grow with your business. 

Refined Application Intelligence

Refine business intelligence for your applications by filtering unwanted interactions.

Web app and API solutions

F5 WAF can protect against application exploits, deter unwanted bots and other automation, and reduce costs in the cloud.

SECURE YOUR APIs

Enable App-to-App Authorization

As businesses build and release more apps, the number of APIs—which enable apps to communicate automatically with one another—has risen exponentially. In this fast-paced environment, DevOps teams need to rapidly create and manage application services without worrying about cross-app vulnerabilities. The challenge with more and more APIs is that they become additional targets for threats. To mitigate threats at the API level, it is essential to have secure authorization between apps based on standardized and open methods across web, mobile and desktop environments.  

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

F5 SILVERLINE WAF

An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need and the ease of manageability you desire.

F5 SILVERLINE WAF EXPRESS SERVICE

This self-service WAF in the cloud removes the complexity of WAF management, increases the speed to deploy with expertly maintained policies, and decreases operational expenses.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

FULLY-MANAGED

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.

SELF-SERVICE

An express service option, enabling rapid self-service deployment of expertly maintained policies across hybrid environments to protect apps, anywhere.

SELF-MANAGED

An appliance or software virtual image for your on-premises, collocated data-center, or public cloud environment that provides you direct control over your web application security.

DEPLOYING YOUR SOLUTION

F5 web application security solutions are available in both hardware and software to meet your deployment needs.

ON PREMISES OR CLOUD DELIVERED: INLINE/BLOCKING

Inline web app and API protection analyzes, adapts, and filters requests in real time to ensure ongoing protection of your hosted applications. This model ensures your apps are always defensible wherever they are deployed.

ON PREMISES OR CLOUD DELIVERED: INLINE/MONITORING

Passive web protection for your managed applications without filtering gives you insight and analytics without the always-on active mitigations that block attack traffic. Enable blocking and proactive filtering on demand when you are under attack.

ON PREMISES: OUT-OF-PATH/MONITORING

Out-of-path monitoring allows you to collect information and statistics on attack traffic and patterns out of the path of traffic should you not want to deploy inline mitigations or adjust your network topology.

HOW TO BUY

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

UTILITY

Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.

MITIGATE BOT ATTACKS

Manage your relationship with bots

Dealing with bots is part and parcel of conducting business online. Some are benign or can even be helpful, as is the case with digital assistants. But like any useful tool, bots can be co-opted by attackers to enable criminal activity. The threats are constantly evolving, driven by a growing list of motivations, including direct consumer fraud, IP theft, long-tail profiteering, political ends, or petty personal grudges—and bots are doing the dirty work.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

F5 SILVERLINE WAF

An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need and the ease of manageability you desire.

F5 SILVERLINE WAF EXPRESS SERVICE

This self-service WAF in the cloud removes the complexity of WAF management, increases the speed to deploy with expertly maintained policies, and decreases operational expenses.

F5 RULES FOR AWS WAF

This set of rules for AWS WAF helps you protect against common vulnerabilities and exposures, integrates seamlessly with AWS WAF, and is expertly managed by F5.

PROTECT USER CREDENTIALS

Defeat credential stuffing

Billions of user credentials have been stolen from various services over the past decade. These usernames, email addresses, and passwords are fed through automated systems to take over accounts all over the net. And even if you haven’t been breached, your customers are still at risk if they used the same account information elsewhere. Proactive systems like F5 Advanced WAF not only defend against these attempts, they actually help prevent such credentials from being captured and stolen in the first place.

PREVENT WEB FRAUD

Digital innovation has changed everything: money is everywhere, so every business is a potential target for fraud. To effectively combat the perils of fraud, you need the ability to identify and thwart a wide range of creative, complex, and stealthy tools and tactics that criminals use to evaluate and exploit vulnerable apps and processes. The F5 Web Fraud Protection solution provides a combination of app protection, network security, access controls, threat intelligence, and endpoint inspection to give you the tools you need to shut down fraudulent activity—before it can take a toll on your business. 

WEB APPLICATION AND API PROTECTION PRODUCTS

WEBSAFE AND MOBILESAFE

Reduce the risk of fraud when delivering web and mobile-based app services; built on a platform that analyzes several points of data, WebSafe and MobileSafe help you identify odd behaviors and score users accessing your applications.

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

SELF-MANAGED

An appliance or software virtual image for your on-premises, collocated data-center, or public cloud environment that provides you direct control over your web application security.

DEPLOYING YOUR SOLUTION

F5 web application security solutions are available in both hardware and software to meet your deployment needs.

On Premises: Inline/blocking

Inline web app and API protection analyzes, adapts, and filters requests in real time to ensure ongoing protection of your hosted applications. This model ensures your apps are always defensible wherever they are deployed.

On Premises: Inline/monitoring

Passive web protection for your managed applications without filtering gives you insight and analytics without the always-on active mitigations that block attack traffic. Enable blocking and proactive filtering on demand when you are under attack.

DEFEND AGAINST OWASP TOP 10 THREATS

Protecting your apps against existing and emerging OWASP Top 10 threats requires a defense-in-depth app protection strategy. F5 provides comprehensive protection solutions that are integrated and work together, incorporating machine learning and backed by threat intelligence, to stop even the most advanced threats in their tracks.

PREVENT UNAUTHORIZED APP ACCESS

More than half of data breaches involve weak, default, or stolen passwords. Why? To put it simply, password fatigue leads to weak and reused passwords. The F5 application access solution provides secure anytime, anywhere access through integrated, standards-based identity federation, single sign-on (SSO), and adaptive multi-factor authentication (MFA).

WHY ADVANCED THREATS REQUIRE AN ADVANCED WAF

This on-demand webinar provides an in-depth look at the challenges we’re facing and how to meet them head-on.

Customer story

Premier Management Company Secures Healthcare Data with F5 Cloud-Based WAF

GET STARTED

Security products

Visit our Security Products page to learn about our robust portfolio for your application security needs.

Try before you buy

Get a free 90-day trial—see which products offer trials today.

Get the latest threat intel

Actionable application threat intelligence that analyzes the Who, What, When, Why, How, and What’s Next of cyber attacks to benefit the security community.