
Design and Implementation of the Web Firewall System based on ISAPI Filter

CHI Yang, GAO Jian, ZHOU Fu-cai

  • About author: School of Software, Northeastern University, Shenyang, Liaoning 110819

Abstract: With the development of the Internet, malicious users attack Web sites by exploiting vulnerabilities that exist in Web applications in order to access information, implant trojans and viruses, disguise phishing sites, insert malicious advertising, and carry out other illegal operations. These malicious behaviours harm the interests of legitimate users and reduce the credibility of the site. With the increase in Web attacks, the security risks facing websites have reached unprecedented levels. To address the security problems of Web sites, this paper designs and implements a WAF system based on an ISAPI filter, building on the HTTP protocol model and combining URL parsing techniques with the core extension mechanism of the Web server. The system can resist a variety of network attacks and can protect IIS Web sites served over the HTTP protocol. The system contains three modules: a configuration module, a filtration module and a log module. This paper introduces the design and implementation of the filtration module in detail. The system mainly implements the following functions: filtering by HTTP request type, restricting the length of the HTTP header, blocking SQL injection, blocking Cookie injection, blocking XSS attacks, prohibiting scans of sensitive directories, filtering by file type, and an IP blacklist. The system can detect Web attacks effectively and respond correctly. Finally, a system test environment is set up for functional testing. The test results show that the system can filter Web attacks and react as expected. The system meets the requirements and has high practical value.
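
An added example, not code from the paper: the structural checks the abstract lists for the filtration module (IP blacklist, HTTP request type, header length, sensitive directories, file type) combined into one verdict function. All function names, verdict names and policy values are assumptions constructed for illustration; in an ISAPI filter the verdict would be acted on inside `HttpFilterProc`.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum verdict { ALLOW, IP_BLOCKED, BAD_METHOD, HEADER_TOO_LONG, SENSITIVE_DIR, BAD_FILE_TYPE };

/* Constructed sample policy; the configuration module would supply the real one. */
static const char *const ALLOWED_METHODS[] = { "GET", "POST", "HEAD", NULL };
static const char *const BLOCKED_IPS[]     = { "203.0.113.7", NULL };
static const char *const SENSITIVE_DIRS[]  = { "/admin/", "/backup/", NULL };
static const char *const BLOCKED_EXTS[]    = { ".mdb", ".bak", ".config", NULL };
#define MAX_HEADER_BYTES 4096u

/* Exact, case-sensitive match (HTTP methods are case-sensitive). */
static int in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

/* Case-insensitive substring test (IIS treats paths case-insensitively). */
static int ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

static int ci_ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ci_contains(s + ls - lx, suffix);
}

/* Assumes path is already URL-decoded and canonicalised, with the query string
   removed; the string checks are only meaningful on the canonical form. */
enum verdict check_request(const char *ip, const char *method,
                           const char *path, size_t header_bytes) {
    size_t i;
    if (in_list(BLOCKED_IPS, ip))          return IP_BLOCKED;
    if (!in_list(ALLOWED_METHODS, method)) return BAD_METHOD;
    if (header_bytes > MAX_HEADER_BYTES)   return HEADER_TOO_LONG;
    for (i = 0; SENSITIVE_DIRS[i]; i++)
        if (ci_contains(path, SENSITIVE_DIRS[i])) return SENSITIVE_DIR;
    for (i = 0; BLOCKED_EXTS[i]; i++)
        if (ci_ends_with(path, BLOCKED_EXTS[i])) return BAD_FILE_TYPE;
    return ALLOW;
}
```

Returning a distinct verdict per rule gives the log module a reason code for each blocked request.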