Hacker News
by AnonHP 105 days ago
I disagree that it’s a waste of time or that only gullible people use it. A WAF (enabled to block malicious requests) is a cheaper and quicker solution to throw and still get some benefits.

I’ve seen that even in some large (non-FAANG or whatever) companies, budgets for security are always very tight or not available. Practically, it’s easier to kick the can down the road with a WAF.

For enterprise applications deployed for specific clients, if at all there are issues because of the WAF, they’d quickly bubble up through standard support mechanisms.