The rapid advance of information technology and the spread of the Internet have driven the fast growth and expansion of Internet attacks. Many of today's attacks target websites as a way to break into an enterprise's servers and obtain business secrets. However, there are many brands and types of web application firewalls on the market, and finding one that fits a given enterprise environment requires careful selection, often including a trial of the product before deciding whether to adopt it to protect the company's website. To understand the basic operating model of a web application firewall, this thesis deploys the open-source ModSecurity in a simulated enterprise website environment in order to study in depth how a web application firewall is deployed and how it works, and examines whether, combined with the OWASP ModSecurity Core Rule Set, it can block the attack techniques in the OWASP Top 10. The attack payloads developed in this thesis are then used to penetration-test the target system and observe the effectiveness of the web application firewall.
The development of information technology and the popularity of the Internet have caused a rapid expansion of Internet attacks. Since many attackers obtain business secrets by attacking website servers, many companies have built firewalls to protect their websites. However, there are many brands and types of web application firewalls on the market. Finding a web application firewall that fits the corporate environment requires careful selection; it may even be necessary to try the product before knowing whether it is suitable for protecting the company's website. In order to understand the basic operating mode of a web application firewall, this paper uses the open-source ModSecurity together with a simulated corporate website environment to study how a web application firewall is deployed and how it operates. In addition, the OWASP ModSecurity Core Rule Set is used to test whether it can block all of the OWASP Top 10 attacks. Finally, the attack scripts developed in this paper are used to test the website and observe the protective effect of the web application firewall.