WAF Screenshot Guide

Last updated on Dec 18, 2025

1. Purpose of This Guide

This guide helps you show that your internet-facing web applications are protected by a Web Application Firewall (WAF).

A WAF acts like a shield in front of your website or application. It:

  • Filters malicious traffic

  • Blocks common attacks (e.g. SQL injection, cross-site scripting)

  • Reduces the risk of your app being the easiest target on the internet

This evidence shows that you are not leaving your web apps exposed to well-known attack patterns.


2. What You Will Submit

You will submit a screenshot showing that a Web Application Firewall is enabled and active, such as:

  • A WAF dashboard from your cloud provider or security platform

  • Configuration pages showing:

    • WAF enabled

    • Associated website, domain, or application

  • Rule or policy overview screens

The screenshot should clearly show that the WAF is on, not just available.


3. How to Collect / Obtain / Generate This Evidence

Option A: Cloud Provider WAF (Most Common)

AWS

  1. Go to AWS Console

  2. Navigate to WAF & Shield

  3. Select your Web ACL

  4. Open the overview page showing:

    • Web ACL name

    • Associated resource (ALB, CloudFront, API Gateway)

    • Status as Enabled

  5. Take a screenshot

Azure

  1. Go to Azure Portal

  2. Navigate to Application Gateway or Front Door

  3. Open Web Application Firewall

  4. Screenshot the page showing:

    • WAF enabled

    • Mode (Detection / Prevention)

    • Associated frontend

Cloudflare

  1. Log in to Cloudflare Dashboard

  2. Select your domain

  3. Go to Security → WAF

  4. Screenshot:

    • WAF enabled status

    • Active rules or protections


Option B: Third-Party or Managed WAF

If you use a managed security provider:

  1. Open the provider’s WAF dashboard

  2. Ensure the page shows:

    • Protected domain or application

    • WAF status (active / enabled)

  3. Capture a clear screenshot


4. Evidence Format

Accepted file types

  • PNG

  • JPG

  • PDF

Suggested naming format
YourCompanyName_WAF_Screenshot_Date

Example
AcmePteLtd_WAF_Screenshot_2025-07-01.png


5. What “Good” Looks Like

Your evidence is strong if it shows:

  • Visible element: WAF enabled status
    Why it matters: Confirms protection is active, not just configured

  • Visible element: Protected domain, app, or endpoint
    Why it matters: Links the WAF to real internet-facing assets

  • Visible element: Rules, policies, or protection mode
    Why it matters: Demonstrates meaningful filtering, not a blank setup

  • Visible element: Platform or provider name
    Why it matters: Shows this is a recognised, managed security control


6. Tips from Sir Stonk 🛡️

  • Prevention mode beats detection mode, if your setup allows it — but detection is still better than nothing.

  • Redact internal IPs or account IDs if they appear in the screenshot.

A WAF won’t make you invincible — but it does stop a whole class of lazy attacks before they even knock.