diff --git a/helm/revproxy/templates/ingress_aws.yaml b/helm/revproxy/templates/ingress_aws.yaml
index cd0f1da7..612dad43 100644
--- a/helm/revproxy/templates/ingress_aws.yaml
+++ b/helm/revproxy/templates/ingress_aws.yaml
@@ -11,6 +11,9 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
 alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
 alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
+ {{- if .Values.global.aws.wafv2.enabled }}
+ alb.ingress.kubernetes.io/wafv2-acl-arn: {{ .Values.global.aws.wafv2.wafAclArn }}
+ {{- end }}
 spec:
 ingressClassName: alb
 rules:
diff --git a/helm/revproxy/values.yaml b/helm/revproxy/values.yaml
index 80039806..44d0f3ed 100644
--- a/helm/revproxy/values.yaml
+++ b/helm/revproxy/values.yaml
@@ -16,6 +16,12 @@ global:
 awsAccessKeyId:
 # -- (string) Credentials for AWS stuff.
 awsSecretAccessKey:
+ # -- (map) WAF configuration
+ wafv2:
+ # -- (bool) Set to true if using AWS WAFv2
+ enabled: false
+ # -- (string) ARN for the WAFv2 ACL.
+ wafAclArn:
 # -- (bool) Whether the deployment is for development purposes.
 dev: true
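Review bot: The new `wafv2-acl-arn` annotation in ingress_aws.yaml renders the ARN unquoted and unchecked, so setting `wafv2.enabled: true` while `wafAclArn` is still at its values.yaml default (a bare `wafAclArn:`, which parses as null) yields an empty annotation value instead of a failed render. Depending on how the API server and the ALB controller treat that value, the Ingress is either rejected or comes up with no web ACL attached, and the second outcome is easy to miss. I would fail the render instead: `alb.ingress.kubernetes.io/wafv2-acl-arn: {{ required "global.aws.wafv2.wafAclArn is required when wafv2.enabled is true" .Values.global.aws.wafv2.wafAclArn | quote }}`, and default the value to `wafAclArn: ""` in values.yaml. The annotations block starts above the hunk, so any earlier guard is not visible here.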