To implement default-deny Web Application Firewalls (WAF) must know everything about a website at all times, even when they change. That’s programmatically documenting every expected request method, URL, parameter name/value pair, cookie, process flow, etc making default-permit deployments the rule rather than the exception.
That’s probably why my Citrix Netscaler comes with an application firewall, but has no real default rules. They have to be created for the application it is protecting.