F5 WAF for NGINX
By F5
A lightweight, software-only WAF module that runs as a sidecar alongside NGINX, built for containerized and Kubernetes-native environments rather than a dedicated appliance. Renamed from NGINX App Protect, though the older name still appears throughout F5's own documentation and community references.
Verified Source: 1
- Product type
- Software
- Deployment
- On-premAgent
- Organization size
- Mid-marketEnterprise
- Pricing tier
- $$
Capability checklist
WAFHow F5 WAF for NGINX measures up against the full WAF & API Security taxonomy.
- Attack signature blocking — supported
- Blocks OWASP Top 10 style attacks like SQL injection and XSS at the edge.
- API discovery — not supported
- Automatically inventories known and shadow API endpoints from observed traffic.
- Schema validation — supported
- Enforces that requests match the declared API schema, blocking anything that doesn't.
- Bot management — not supported
- Distinguishes automated and malicious bot traffic from legitimate users.
- Rate limiting — supported
- Throttles abusive request volumes per client or endpoint.
- Runtime API protection — not supported
- Detects and blocks data leakage and abuse in live API traffic.
Alternatives
Other WAF & API Security tools with overlapping capabilities, sized for similar teams.