I’ve been reading about WAFs as I’m trying to nail down a security option that I feel good about. I read about Cloud WAFs such as cloudflare, sucuri, stackpath etc… and it seems they are pretty easily bypassed, thus making them pretty pointless to begin with. It seems the best security is to have it right on the doorstep (the endpoint/origin server).
Any input/suggestions on this? I think it’s a important topic that definitely gets overlooked.