WAF is great solution on application level. Actually some problems is much easier to protect on WAF (add CSRF tokens or enable Cookies http-only,secure flags) than ask developers to implement it on application itself. However, usually it is not very difficult to cause DoS on WAF, force it to shut down, enable HA-bypass-mode and access application directly.

Concerning mod_security : it is a cool tool, but like you say it is very heavy.

No, it isn't itself. Mod_security uses regex as attack signatures and regex operations consume lot of computing resources. All you need - to find balance between signatures quantity and used hardware resources. By the way, most of "simple WAF" in routers, UCMs, etc. have mod_security core with custom signatures. Actually default set of signatures prevents wide range of attack vectors and there are not many ways to bypass it.

In fact you don't find it on many company because that cost to many time to configure it well !

Mod_security is not widely used on enterprise because:
 - it has no nifty dashboard
 - it is not scalable
 - it requires very skilled specialist in regex (it's pretty much hard to figure out why particular signature leads to false-positives and correctly rewrite it)
 - and yes, it takes huge amount of time to tune it for custom application

For whitelist WAF : yes in fact it is the better configuration but I never see it in a production environment, or with a large whitelist rules that is the worst thing that you can do.

It is good in theory. In real life most applications are constantly in developing phase. Even if you've created white-list model it might be useless on next big fix that changes some application structure. Some WAFs provide self-learning mechanism, that is supposed to build white-list model of application (e.g. imperva adds regexs that describe what characters are allowed in particular fields). And it works fine in production with large set of white-list rules.

Saw video demo on youtube. (seclist link)
What do you think? Is it just PoC or may have real life implementation?

In CloudFlare API is described, that browser check searches for uncommon HTTP headers and valid User-Agent.
So, you should set User-Agent in your script. E.g.:
urllib.URLopener.version = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)'

Bitc is always the way to go

Not many hosting accept it and just using bitcoin is not a silver bullet (relevant links)

User have to follow the link and run by himself downloaded file, in order to execute malicious script.
Just a new way to install dropper on user's host, or RAT if it's better option for you.

Most of WAFs are based on signatures, so there are plenty of ways to modify request and bypass them.
e.g.:
/?id=1+union+select+1,2,3/* => /?id=1+un/**/ion+sel/**/ect+1,2,3--
/?id=1;select+1,2,3+from+users+where+id=1-- => /?id=1;select+1&id=2,3+from+users+where+id=1--

Security by obscurity is always a bad choice. Using this cookie is quite the same, as hardcoded passwords, keys etc. But without HTTPS you will transfer it in celartext with each request of authenticated user.
Also there is bunch of attack vectors even with HTTPS, e.g. you are also vulnerable to XSS and didn't set Secure and Httponly flags to this Cookie.
Btw, parameterized querie issue (under certain conditions) may allow attacker to access your source code and simply read this cookie.