Web App & API Protection
How well you protect web applications and APIs can determine whether you’re a proven, reputable online presence or an unreliable, untrusted one. F5 provides app protection in any architecture that stands up to a range of ever-evolving attack types.
If you’re in the healthcare, nonprofit, or educational sectors and are impacted by COVID-19, contact us for a free offer.
Our world has changed
With so much commerce becoming e-commerce, protecting your business means protecting your applications. See how easy it can be with Essential App Protect—SaaS security for web apps in any cloud.
Web app and API solutions
F5 WAF can protect against application exploits, deter unwanted bots and other automation, and reduce costs in the cloud.
DEFEND AGAINST OWASP TOP 10 AND BEYOND
MITIGATE BOT ATTACKS
PREVENT APPLICATION FRAUD
PROTECT USER CREDENTIALS
SECURE YOUR APIS
PREVENT UNAUTHORIZED APP ACCESS
DEFEND AGAINST OWASP TOP 10 AND BEYOND
Defend against software and code-level vulnerabilities
Protecting your apps against existing and emerging OWASP Top 10 threats requires a defense-in-depth app protection strategy. F5 provides comprehensive protection against code-level vulnerabilities like injection or cross-site scripting attacks, but also against software vulnerabilities that are found in components of virtually all software stacks.
Web Application and API Protection Products
F5 ADVANCED WAF
F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.
NGINX APP PROTECT
F5 WAF technology on NGINX Plus to protect applications against common exploits and sophisticated threats with a WAF that natively integrates security into automated application delivery.
F5 ESSENTIAL APP PROTECT
Instant, out-of-the-box protection from common web exploits, malicious IPs, and coordinated attack types. Includes a live interactive map display, integration with F5 Labs, and multiple web application firewall (WAF) security capabilities.
F5 SILVERLINE WAF
An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need, and the ease of manageability you desire.
Managing Your Solutions
Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.
FULLY-MANAGED
F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.
SOFTWARE-AS-A-SERVICE (SaaS)
Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.
SELF-MANAGED
Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
MITIGATE BOT ATTACKS
Manage your relationship with bots
Dealing with bots is part of conducting business online. Some are benign or can even be helpful, as is the case with digital assistants. But like any useful tool, bots can be co-opted by attackers to enable criminal activity. The threats are constantly evolving, driven by a growing list of motivations, including direct consumer fraud, IP theft, long-tail profiteering, political ends, or petty personal grudges—and bots are doing the dirty work.
Web Application and API Protection Products
F5 WEB APPLICATION FIREWALLS
F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.
Silverline WAF – Managed Service ›
F5 SILVERLINE SHAPE DEFENSE
A managed and multi-service application protection platform that leverages Shape Security’s AI-powered engine to protect against bots and other automated attacks that lead to fraud and abuse.
Managing Your Solution
Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.
FULLY-MANAGED
F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.
SOFTWARE-AS-A-SERVICE (SaaS)
Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.
SELF-MANAGED
Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
PREVENT APPLICATION FRAUD
Digital innovation has changed everything: money is everywhere, so every business is a potential target for fraud. To effectively combat the perils of fraud, you need the ability to identify and thwart a wide range of creative, complex, and stealthy tools and tactics that criminals use to evaluate and exploit vulnerable apps and processes. The F5 Application Fraud Protection solutions provide a combination of app protection, network security, access controls, threat intelligence, and endpoint inspection to give you the tools you need to shut down fraudulent activity—before it can take a toll on your business.
Web Application and API Protection Products
F5 ADVANCED WAF
F5’s suite of advanced application defense features offers comprehensive protection, and easily fits into the environment that makes sense for your organization.
SHAPE ENTERPRISE DEFENSE
A managed service that provides a comprehensive, bespoke implementation protecting against the most advanced application fraud attacks, leveraging an AI-powered engine fueled by protecting over 4 billion transactions per week.
Managing Your Solution
Need help managing your WAF security solutions? F5 offers numerous training opportunities and professional services.
SELF-MANAGED
Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.
FULLY-MANAGED
Shape Enterprise Defense delivers the always-on, or on-demand, fully-managed defenses you need and the ease of manageability you desire.
How to Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
PROTECT USER CREDENTIALS
Many attackers use browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data. F5’s solution encrypts data at the app layer to protect against data-extracting malware and man-in-the-browser attacks.
Web Application and API Protection Products
F5 ADVANCED WAF
F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.
F5 SILVERLINE WAF
This self-service WAF in the cloud removes the complexity of WAF management, increases the speed to deploy with expertly maintained policies, and decreases operational expenses.
Managing Your Solutions
Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.
FULLY-MANAGED
F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.
SOFTWARE-AS-A-SERVICE (SaaS)
Essential App Protect and Behavioral App Protect are part of F5 Cloud Services: a portfolio of cloud-native SaaS solutions for enhanced app delivery, security, and insight across any cloud, anywhere.
SELF-MANAGED
Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your web application security.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
SECURE YOUR APIS
API use has been transformative, enabling new business models and revenue streams. Implemented without adequate guardrails, however, APIs also have the potential to disrupt and put businesses at risk. F5’s API Security Solution creates customized security policies to protect multiple APIs within a single domain, not just a global per-domain rule set.
Web Application and API Protection Products
F5 ADVANCED WAF
F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.
F5 SILVERLINE WAF
An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need and the ease of manageability you desire.
Managing Your Solution
Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.
FULLY-MANAGED
F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.
SELF-MANAGED
Advanced WAF is offered as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
PREVENT UNAUTHORIZED APP ACCESS
More than half of data breaches involve weak, default, or stolen passwords. The F5 application access solution addresses this challenge by providing secure anytime, anywhere access through integrated, standards-based identity federation, single sign-on (SSO), and adaptive multi-factor authentication (MFA).
Web Application and API Protection Products
F5 ACCESS POLICY MANAGER
F5’s suite of application identity and access features unifies application access while enhancing security, usability, and scalability.
Managing Your Solutions
Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.
SELF-MANAGED
Access Policy Manage is available as an appliance or software virtual image for your on-premises or colocated data center, or public cloud environment, that provides you direct control over your secure access proxy.
How To Buy
SUBSCRIPTION
Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.
PERPETUAL
Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.
ENTERPRISE LICENSE AGREEMENT (ELA)
Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.
UTILITY
Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.
Want to save time and money with a smarter WAF solution? Estimate the ROI of Advanced WAF for your organization
KNOW WHAT YOU’RE UP AGAINST
Understanding how web apps can be compromised is the first step in protecting them.
Injection
Injection occurs when input provided by external sources contains hidden application commands from an attacker. When a web application isn’t properly filtering the input, it allows injected commands to be passed through to either the local system or a dependent one. A common example is SQL injection, as many applications rely on user input to build SQL statements to fetch information or to log them in.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) allows attackers to run their own malicious scripts in a victim’s browser, within the trusted context of a site they’re visiting. XSS can be used to steal session tokens, initiate hidden transactions, or display falsified or misleading content. More sophisticated XSS scripts can even load key loggers that relay victims’ passwords to command-and-control servers operated by the attackers.
Man-in-the-Middle (MitM)
An attacker gains full access to both sides of a conversation or connection between two parties, allowing them to eavesdrop on sensitive data, tamper with data in transit, or even inject false data or commands that will be interpreted as genuine, authenticated, or otherwise trustworthy.
Sensitive Data Disclosure
Inadvertent exposure of sensitive information is low-hanging fruit for automated scanners and ripe for exploitation. Common examples include error messages detailing how unexpected input is handled, physical locations of files on servers, specific versions of components and libraries, and stack traces from failed functions.
Insecure Deserialization
Object serialization converts an object into a data format; deserialization reads this structured data and builds an object from it. Many programming languages offer native serialization or allow customization of the serialization process, which bad actors can use maliciously. Insecure deserialization has led to remote code execution, denial-of-service, replay, injection, and privilege escalation attacks.
Session Hijacking
In the context of HTTP applications, session hijacking usually involves the theft of session cookies used to authenticate and subsequently authorize HTTP requests initiated by a known user. With the stolen session cookie, an attacker is then able to effectively impersonate their victim to initiate fraudulent transactions.
Resource Hoarding (Scalping)
Scalpers use bots and other automation to purchase high-demand items, like concert tickets or limited-edition products, at a faster rate than humans are capable of. These products are resold to actual consumers at a significant markup. Over time, consumers no longer trust you to be a reliable source for in-demand products and services.
Man-in-the-Browser
Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.
Credential Theft
Most users with compromised devices are unaware they’re infected with malware. Their credentials stolen by malware-controlled web browsers, then used to take over a user account or move laterally within the corporate network.
Brute Force
An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords or passphrases in an attempt to gain unauthorized access to an application or website.
Credential Stuffing
Attackers use automated injection of previously breached username/password pairs in order to fraudulently gain access and take over user accounts. Breached credentials are available for sale on the dark web, and it’s no secret that users frequently re-use passwords across multiple apps or websites.
Man-in-the-Browser
Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.
LEARN HOW TO DEFEND AGAINST BAD BOTS WITHOUT DISRUPTING THE GOOD ONES.
Global availability
Keep your applications healthy and performing for all users—everywhere.
Better time-to-market
Get your apps out the door and in the hands of your customers faster.
Dynamic defense
Defend against emergent threats with adaptive solutions that grow with your business.
Refined Application Intelligence
Refine business intelligence for your applications by filtering unwanted interactions.
WHY ADVANCED THREATS REQUIRE AN ADVANCED WAF
This on-demand webinar provides an in-depth look at the challenges we’re facing and how to meet them head-on.
Customer story
Premier Management Company Secures Healthcare Data with F5 Cloud-Based WAF
Get Started
Security products
Visit our Security Products page to learn about our robust portfolio for your application security needs.
Get the latest threat intel
Actionable application threat intelligence that analyzes the Who, What, When, Why, How, and What’s Next of cyber attacks to benefit the security community.