What role does a WAF play in an AppSec strategy, and what are its limitations?
A WAF (Web Application Firewall) inspects HTTP traffic and blocks known malicious patterns (injection, common exploit signatures) at the edge. Its real value is as a compensating / virtual-patching control: it buys time to fix a vulnerability properly, blunts automated/opportunistic attacks, and adds a defense-in-depth layer. Limitations: it's a pattern-matcher, so it's bypassable (encoding tricks, novel payloads); it produces false positives that pressure teams into disabling rules; it can't understand application logic or context (so it misses BOLA/BFLA, business-logic flaws, and most authz bugs, where the request looks perfectly well-formed); and it gives a false sense of security. Treat a WAF as a speed bump and stopgap, never as a substitute for fixing the code — the framing in an interview is 'defense-in-depth and virtual patching, not a primary control.'