Ask HN: Do you use a Web Application Firewall (WAF)?
I am wondering if it is worth the extra protection of using a WAF, or is it OK to rely on our application code to protect against XSS, SQL injection, etc. types of attacks? This is for a new cloud application that we are launching. I am leaning towards using a WAF since this is an enterprise/business application. Also, are there any specific products you would recommend? I have been reviewing how to configure the rules in HAProxy/mod_security but am wondering if it is just safer to rely on a commercial product. Any suggestions or experiences?