CIS Control 13.10: Application Layer Filtering
Application layer filtering protects your applications from sophisticated attacks that slip past network-level defenses. This CIS Control requires implementing filtering proxies or application firewalls to inspect and block malicious traffic at the point where applications communicate. For SMBs, this is a critical defense against web-based threats without requiring enterprise-scale infrastructure.
What this means
Application layer filtering operates at Layer 7 (the application layer) of the network stack, allowing you to inspect and filter traffic based on application-specific rules rather than just IP addresses or ports. This includes deploying filtering proxies that intercept traffic between users and applications, or application layer firewalls (also called WAFs) that understand HTTP/HTTPS protocols and can block requests containing malicious payloads, SQL injection attempts, cross-site scripting (XSS), or other application-specific attacks. Unlike traditional firewalls that only see IP and port information, application layer filtering can understand the content and intent of user requests.
How to comply
- 1.Deploy a filtering proxy or Web Application Firewall (WAF) in front of internet-facing applications
- 2.Configure filtering rules to detect and block common attack patterns (SQL injection, XSS, command injection)
- 3.Enable logging of all filtered traffic for audit and investigation purposes
- 4.Regularly review and update filtering rules based on emerging threats and false positives
- 5.Test filtering effectiveness by simulating attacks and verifying they are blocked
- 6.Document your application layer filtering architecture and policies
- 7.Train staff on how the filtering system works and when to review blocked requests
Evidence auditors look for
- WAF configuration files showing active filtering rules and threat signatures
- Logs of blocked requests with timestamps, source IPs, attack types, and blocked payloads
- Policy documentation describing filtering rules, maintenance procedures, and escalation paths
- Test results demonstrating successful blocking of SQL injection, XSS, and other OWASP Top 10 attacks
- Change management records for updates to filtering rules and signatures
- Network diagrams showing WAF or filtering proxy placement in your architecture
- Vendor documentation for your filtering solution (AWS WAF, Cloudflare, ModSecurity, etc.)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the documentation and monitoring of your application layer filtering logs, configurations, and test results—eliminating manual evidence gathering for CIS 13.10 audits.
See how GRCWatch handles this control automatically
Start free trial