A Web Application Firewall (WAF) is used to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. This method of defense isn’t designed to stop every form of attack. As with most defenses, it takes more than one defense system to create a strong defense against a range of attack vectors.
When you have a web application firewall in place, it is inserted in front of the web application, where it creates a shield between the web application and the Internet. The purpose of a WAF is to filter out the malicious traffic and let in the safe traffic.
Additional Reading: Web Application Security Without Organizational Resistance