NSS Labs defines web application firewalls (WAFs) as stand-alone or virtual appliances, or as self-contained software designed specifically to secure web-based traffic. WAFs employ a wide range of functions to work in conjunction with perimeter firewalls and intrusion prevention system (IPS) technologies and provide protection specifically for web applications. WAFs should include HTTP/HTTPS protocol enforcement and native signature detection along with other protection mechanisms, such as URL normalization and scanning; positive or negative security enforcement model functionality (or both) that enforces proper application operation and page logic flow; and adaptive learning modules for automated policy updates. WAFs block attacks masked by HTTPS encryption by inspecting SSL sessions using a web server’s private key; they also detect policy violations and reset offending connections. These sessions are either passively decrypted and inspected or actively terminated and re-encrypted. WAFs should be able to identify and police the use of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic.