Detection Is Not Protection: What WAF Detection Mode Does (and Doesn't)

Azure’s “on” setting just watches attacks, doesn’t stop them — and the comments are savage

TLDR: Azure’s firewall can default to logging attacks instead of blocking them, leaving teams thinking they’re safe when they aren’t. Commenters split between blaming Azure’s setup, dismissing WAFs in favor of fixing apps, and cracking AI-writing jokes—while warning this silent gap can cost you big.

Welcome to the internet’s favorite kind of plot twist: your “protection” is just… watching. The article says Azure’s website firewall (WAF) defaults to “Detection,” which logs attacks but doesn’t block them. Translation: the dashboard is green, the gates are open, and attackers stroll in while the logs take notes.

Cue the comments. The loudest camp? The “WAFs are snake oil” crowd. One poster argued that unless you’re running common apps like WordPress, a WAF is a time sink and you should fix your app instead of praying to pattern-matching rules. Another side piled on Azure’s defaults, noting that AWS makes you pick Allow or Block, while Azure’s “Detection” feels like a trap for anyone assuming “enabled” means “protected.”

Not everyone was impressed with the revelation. A few veterans rolled their eyes, saying this is day-one stuff for cloud security and wondering why we’re still explaining it. Meanwhile, comic relief came from the meta corner: a commenter confessed they can’t stop rating the “LLM-ness” of posts now, linking to a thread that roasted AI writing tics.

The drama? It’s equal parts “Azure did you dirty,” “WAFs are theater,” and “security 101.” The takeaway: a quiet log isn’t proof of safety — it might just be proof that nothing is being blocked. Ouch.

Key Points

  • Azure WAF in Detection mode logs anomalies but forwards requests, providing no protection.
  • Azure WAF uses OWASP anomaly scoring; a Critical match contributes 5 points, triggering a block in Prevention mode.
  • Mandatory rules (e.g., body parsing failures and size limits) can block even in Detection mode but are not security controls.
  • Azure portal defaults new WAF policies to Detection mode; Microsoft advises starting in Detection to tune before switching to Prevention.
  • There is no timer, alert, or Azure Policy enforcement to exit Detection mode, leading to drift, misleading logs, and alert fatigue.
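
The decision logic summarized in the key points, as an added example that is not code from the article or from Azure. It is a simplified model: the severity weights other than Critical = 5 and the block threshold of 5 are OWASP CRS defaults assumed here, and the request names are constructed.

```python
# Simplified model of the WAF decision described in the key points.
# Assumptions: weights other than Critical=5 and the threshold of 5 are
# OWASP CRS defaults; the sample requests below are constructed.
from dataclasses import dataclass, field

SEVERITY_POINTS = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5


@dataclass
class Request:
    name: str
    matches: list = field(default_factory=list)  # severities of matched rules
    mandatory_violation: bool = False            # body parse failure, size limit


def evaluate(req, mode):
    """Return (anomaly_score, action) for one request under the given mode."""
    score = sum(SEVERITY_POINTS[s] for s in req.matches)
    if req.mandatory_violation:
        return score, "blocked"  # mandatory rules act in either mode
    if score >= ANOMALY_THRESHOLD:
        return score, "blocked" if mode == "Prevention" else "logged+forwarded"
    return score, "forwarded"


def exposure(requests, mode):
    """Names of requests that crossed the threshold yet reached the backend."""
    return [r.name for r in requests
            if evaluate(r, mode)[1] == "logged+forwarded"]


# Constructed sample traffic.
SAMPLE = [
    Request("clean-get"),
    Request("single-critical", ["Critical"]),
    Request("two-warnings", ["Warning", "Warning"]),
    Request("one-notice", ["Notice"]),
    Request("oversized-body", mandatory_violation=True),
]

if __name__ == "__main__":
    for mode in ("Detection", "Prevention"):
        print(mode)
        for r in SAMPLE:
            print("  %-16s score=%d action=%s" % (r.name, *evaluate(r, mode)))
        print("  over threshold but forwarded:", exposure(SAMPLE, mode))
```

The oversized-body request is blocked in both modes, which is why an occasional block in the logs says nothing about whether the policy is in Prevention mode.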

Hottest takes

"WAF is waste of time... better spent actually auditing the application" — PunchyHamster
"AWS forces an explicit default choice—Allow or Block" — tl2do
"rating the “LLM-ness” of everything I read" — jakehansen