Web App & API Protection

How well you protect web applications and APIs can determine whether you’re a proven, reputable online presence or an unreliable, untrusted one. F5 provides app protection in any architecture that stands up to a range of ever-evolving attack types.

If you’re in the healthcare, nonprofit, or educational sectors and are impacted by COVID-19, contact us for a free offer.

Our world has changed

With so much commerce becoming e-commerce, protecting your business means protecting your applications. See how easy it can be with Essential App Protect—SaaS security for web apps in any cloud.

Web app and API solutions

F5 WAF can protect against application exploits, deter unwanted bots and other automation, and reduce costs in the cloud.

DEFEND AGAINST OWASP TOP 10 AND BEYOND

Defend against software and code-level vulnerabilities

Protecting your apps against existing and emerging OWASP Top 10 threats requires a defense-in-depth app protection strategy. F5 provides comprehensive protection against code-level vulnerabilities like injection or cross-site scripting attacks, but also against software vulnerabilities that are found in components of virtually all software stacks.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

NGINX APP PROTECT

F5 WAF technology on NGINX Plus to protect applications against common exploits and sophisticated threats with a WAF that natively integrates security into automated application delivery.

F5 ESSENTIAL APP PROTECT

Instant, out-of-the-box protection from common web exploits, malicious IPs, and coordinated attack types. Includes a live interactive map display, integration with F5 Labs, and multiple web application firewall (WAF) security capabilities.

F5 SILVERLINE WAF 

An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need, and the ease of manageability you desire.

MANAGING YOUR SOLUTIONS

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

FULLY-MANAGED

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.

SOFTWARE-AS-A-SERVICE (SaaS)

Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.

SELF-MANAGED

Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.

HOW TO BUY

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

UTILITY

Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.

MITIGATE BOT ATTACKS

Manage your relationship with bots

Dealing with bots is part of conducting business online. Some are benign or can even be helpful, as is the case with digital assistants. But like any useful tool, bots can be co-opted by attackers to enable criminal activity. The threats are constantly evolving, driven by a growing list of motivations, including direct consumer fraud, IP theft, long-tail profiteering, political ends, or petty personal grudges—and bots are doing the dirty work.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 WEB APPLICATION FIREWALLS

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

Advanced WAF ›

Silverline WAF – Managed Service ›

F5 SILVERLINE SHAPE DEFENSE

A managed and multi-service application protection platform that leverages Shape Security’s AI-powered engine to protect against bots and other automated attacks that lead to fraud and abuse.

Silverline Shape Defense ›

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

FULLY-MANAGED

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.

SOFTWARE-AS-A-SERVICE (SaaS)

Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.

SELF-MANAGED

Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.

PREVENT APPLICATION FRAUD

Digital innovation has changed everything: money is everywhere, so every business is a potential target for fraud. To effectively combat the perils of fraud, you need the ability to identify and thwart a wide range of creative, complex, and stealthy tools and tactics that criminals use to evaluate and exploit vulnerable apps and processes. The F5 Application Fraud Protection solutions provide a combination of app protection, network security, access controls, threat intelligence, and endpoint inspection to give you the tools you need to shut down fraudulent activity—before it can take a toll on your business. 

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection, and easily fits into the environment that makes sense for your organization.

Advanced WAF ›

SHAPE ENTERPRISE DEFENSE

A managed service that provides a comprehensive, bespoke implementation protecting against the most advanced application fraud attacks, leveraging an AI-powered engine fueled by protecting over 4 billion transactions per week.

Shape Enterprise Defense ›

F5 Silverline Shape Defense ›

MANAGING YOUR SOLUTION

Need help managing your WAF security solutions? F5 offers numerous training opportunities and professional services.

SELF-MANAGED

Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.

FULLY-MANAGED

Shape Enterprise Defense delivers the always-on, or on-demand, fully-managed defenses you need and the ease of manageability you desire.

PROTECT USER CREDENTIALS

Many attackers use browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data. F5’s solution encrypts data at the app layer to protect against data-extracting malware and man-in-the-browser attacks.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

F5 SILVERLINE WAF

This self-service WAF in the cloud removes the complexity of WAF management, increases the speed to deploy with expertly maintained policies, and decreases operational expenses.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

FULLY-MANAGED

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.

SOFTWARE-AS-A-SERVICE (SaaS)

Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.

SELF-MANAGED

Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.

SECURE YOUR APIS

API use has been transformative, enabling new business models and revenue streams. Implemented without adequate guardrails, however, APIs also have the potential to disrupt and put businesses at risk. F5’s API Security Solution creates customized security policies to protect multiple APIs within a single domain, not just a global per-domain rule set.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ADVANCED WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

F5 SILVERLINE WAF

An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need and the ease of manageability you desire.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

FULLY-MANAGED

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.

SELF-MANAGED

Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.

PREVENT UNAUTHORIZED APP ACCESS

More than half of data breaches involve weak, default, or stolen passwords. The F5 application access solution addresses this challenge by providing secure anytime, anywhere access through integrated, standards-based identity federation, single sign-on (SSO), and adaptive multi-factor authentication (MFA). 

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 ACCESS POLICY MANAGER

F5’s suite of application identity and access features unifies application access while enhancing security, usability, and scalability.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

SELF-MANAGED

Access Policy Manager is available as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.

Want to save time and money with a smarter WAF solution? Estimate the ROI of Advanced WAF for your organization

KNOW WHAT YOU’RE UP AGAINST

Understanding how web apps can be compromised is the first step in protecting them. 

APP SERVICES

Injection

Injection occurs when input provided by external sources contains hidden application commands from an attacker. When a web application isn’t properly filtering the input, it allows injected commands to be passed through to either the local system or a dependent one. A common example is SQL injection, as many applications rely on user input to build SQL statements that fetch information or log users in.
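The login case described above, as an added example that is not F5 code: the same lookup written once by pasting input into the SQL text and once with bound parameters. The `users` table, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """In-memory user table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    # pw_hash values are stand-ins for real password hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "h-alice"), ("bob", "h-bob")])
    return db


def login_vulnerable(db, name, pw_hash):
    """Builds the statement from user input: quotes in the input
    become SQL syntax instead of staying part of the value."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (name, pw_hash))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, pw_hash):
    """Sends the statement and the values separately, so the driver
    always treats input as data, whatever characters it contains."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
    return row[0] if row else None


def compare(name, pw_hash):
    """Run both variants on the same input and return both results."""
    db = make_db()
    try:
        return (login_vulnerable(db, name, pw_hash),
                login_parameterized(db, name, pw_hash))
    finally:
        db.close()


if __name__ == "__main__":
    # Constructed input: a quote plus an always-true condition.
    crafted = "' OR '1'='1"
    print("valid credentials :", compare("alice", "h-alice"))
    print("crafted pw_hash   :", compare("alice", crafted))
```

With the crafted value the concatenated query returns a user without a matching hash, while the parameterized query returns nothing.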

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to run their own malicious scripts in a victim’s browser, within the trusted context of a site they’re visiting. XSS can be used to steal session tokens, initiate hidden transactions, or display falsified or misleading content. More sophisticated XSS scripts can even load key loggers that relay victims’ passwords to command-and-control servers operated by the attackers.

Man-in-the-Middle (MitM)

An attacker gains full access to both sides of a conversation or connection between two parties, allowing them to eavesdrop on sensitive data, tamper with data in transit, or even inject false data or commands that will be interpreted as genuine, authenticated, or otherwise trustworthy.

Sensitive Data Disclosure

Inadvertent exposure of sensitive information is low-hanging fruit for automated scanners and ripe for exploitation. Common examples include error messages detailing how unexpected input is handled, physical locations of files on servers, specific versions of components and libraries, and stack traces from failed functions.

Insecure Deserialization

Object serialization converts an object into a data format; deserialization reads this structured data and builds an object from it. Many programming languages offer native serialization or allow customization of the serialization process, which bad actors can use maliciously. Insecure deserialization has led to remote code execution, denial-of-service, replay, injection, and privilege escalation attacks.

Session Hijacking

In the context of HTTP applications, session hijacking usually involves the theft of session cookies used to authenticate and subsequently authorize HTTP requests initiated by a known user. With the stolen session cookie, an attacker is then able to effectively impersonate their victim to initiate fraudulent transactions.

Resource Hoarding (Scalping)

Scalpers use bots and other automation to purchase high-demand items, like concert tickets or limited-edition products, at a faster rate than humans are capable of. These products are resold to actual consumers at a significant markup. Over time, consumers no longer trust you to be a reliable source for in-demand products and services.

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.

ACCESS

Credential Theft

Most users with compromised devices are unaware they’re infected with malware. Their credentials are stolen by malware-controlled web browsers, then used to take over a user account or move laterally within the corporate network.

Brute Force

An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords or passphrases in an attempt to gain unauthorized access to an application or website.

Credential Stuffing

Attackers use automated injection of previously breached username/password pairs in order to fraudulently gain access and take over user accounts. Breached credentials are available for sale on the dark web, and it’s no secret that users frequently re-use passwords across multiple apps or websites.
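A detection sketch for the two patterns just described, added here as an example and not taken from any F5 product: it separates repeated guessing against few accounts (brute force) from many accounts tried about once each (credential stuffing). The event format, thresholds and labels are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # one account, many guesses from one source
    [("198.51.100.7", "alice", False)] * 12
    # many accounts, one attempt each, then one reused password works
    + [("203.0.113.9", f"user{i}", False) for i in range(14)]
    + [("203.0.113.9", "user14", True)]
    # an ordinary user mistyping once
    + [("192.0.2.4", "bob", False), ("192.0.2.4", "bob", True)]
)


def classify_sources(events, min_failures=10, stuffing_ratio=0.8):
    """Label each source IP from the shape of its failed logins.

    min_failures and stuffing_ratio are illustrative assumptions and
    need tuning against real traffic (shared NAT, proxies, and so on).
    """
    failed = defaultdict(list)   # ip -> usernames of failed attempts
    hits = defaultdict(set)      # ip -> usernames that logged in
    for ip, user, ok in events:
        if ok:
            hits[ip].add(user)
        else:
            failed[ip].append(user)

    report = {}
    for ip in set(failed) | set(hits):
        users = failed[ip]
        if len(users) < max(min_failures, 1):
            label = "normal"
        elif len(set(users)) / len(users) >= stuffing_ratio:
            # Nearly every failure names a different account.
            label = "credential_stuffing"
        else:
            # Failures concentrate on a small set of accounts.
            label = "brute_force"
        report[ip] = {
            "label": label,
            "failures": len(users),
            # Successful logins from a flagged source need a
            # password reset and session review.
            "review_accounts": sorted(hits[ip]) if label != "normal" else [],
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(ip, info)
```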

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.

LEARN HOW TO DEFEND AGAINST BAD BOTS WITHOUT DISRUPTING THE GOOD ONES.

Global availability

Keep your applications healthy and performing for all users—everywhere.

Better time-to-market

Get your apps out the door and in the hands of your customers faster.

Dynamic defense

Defend against emergent threats with adaptive solutions that grow with your business. 

Refined Application Intelligence

Refine business intelligence for your applications by filtering unwanted interactions.

WHY ADVANCED THREATS REQUIRE AN ADVANCED WAF

This on-demand webinar provides an in-depth look at the challenges we’re facing and how to meet them head-on.

Customer story

Premier Management Company Secures Healthcare Data with F5 Cloud-Based WAF

Get Started

Security products

Visit our Security Products page to learn about our robust portfolio for your application security needs.

Try before you buy

Get a free 30-day trial—see which products offer trials today.

Get the latest threat intel

Actionable application threat intelligence that analyzes the Who, What, When, Why, How, and What’s Next of cyber attacks to benefit the security community.