by kazinator
888 days ago
Summary: 1. WAFs require entire requests to be buffered in order to be scanned before the server sees them. This can require lots of RAM. 2. WAFs scan requests with all sorts of hacky rules, which takes gobs of CPU time. 3. The hacky rules look for programming language syntax, for which the attackers can easily find alternative expressions to get around the rules. 4. ... yet, WAFs have high false positive rates. 5. All that kludgy processing is a security weakness. WAFs tend to be closed source behemoths written in low-level languages.