Cloudflare Docs
Cloudflare for Platforms
Cloudflare for Platforms
Edit this page
Give us feedback
Set theme to dark (⇧+D)

WAF for SaaS

Web Application Firewall (WAF) allows you to create additional security measures through Cloudflare. As a SaaS provider, you can link custom rules, rate limiting rules, and managed rules to your custom hostnames. This provides more control to keep your domains safe from malicious traffic.

As a SaaS provider, you may want to apply different security measures to different custom hostnames. With WAF for SaaS, you can create multiple WAF configuration that you can apply to different sets of custom hostnames. This added flexibility and security leads to optimal protection across the domains of your end customers.

​​ Prerequisites

Before you can use WAF for SaaS, you need to create a custom hostname. Review Get started with Cloudflare for SaaS if you have not already done so.

You can also create a custom hostname through the API:

curl -X POST "{zone:id}/custom_hostnames" \
-H "X-Auth-Email: {email}" \
-H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" \
--data '{"Hostname":""}, "Ssl":{wildcard:false}}'

​​ Step 1 - Associate custom metadata to a custom hostname

To apply WAF to your custom hostname, you need to create an association between your customer’s domain and the WAF configuration that you would like to attach to it. Cloudflare’s product, custom metadata allows you to do this via the API.

  1. Locate your zone ID, available in the Cloudflare dashboard.

  2. Locate your Authentication Key by selecting My Profile > API tokens > Global API Key.

  3. Locate your custom hostname ID by making a GET call in the API:

curl -X GET "{zone_id}/custom_hostnames" \
-H "X-Auth-Email: {email}" \
-H "X-Auth-Key: {key}" \
-H "Content-Type: application/JSON"
  1. Plan your custom metadata. It is fully customizable. In the example below, we have chosen the tag "security_level" to which we expect to assign three values (low, medium, and high).
  1. Make an API call in the format below using your Cloudflare email and the IDs gathered above:
curl -sXPATCH "{zone:id}/custom_hostnames/{custom_hostname:id}" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" \
-d '{
"custom_metadata": {
"customer_id": "12345",
"security_level": "low"

This assigns custom metadata to your custom hostname so that it has a security tag associated with its ID.

​​ Step 2 - Trigger security products based on tags

  1. Locate the custom metadata field in the Ruleset Engine where the WAF runs. This can be used to trigger different configurations of products such as WAF custom rules, rate limiting rules, and Transform Rules.

  2. Build your rules either through the dashboard or via the API. An example rate limiting rule, corresponding to "security_level" low, is shown below as an API call.

curl -X PUT "{zone:id}/rulesets/phases/http_ratelimit/entrypoint" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\
-H "Content-Type: application/json"\
-d '{
"rules": [
"action": "block",
"ratelimit": {
"characteristics": [
"period": 10,
"requests_per_period": 2,
"mitigation_timeout": 60
"expression": "lookup_json_string(cf.hostname.metadata, \"security_level\") eq \"low\" and http.request.uri contains \"login\""

To build rules through the dashboard:

  1. Log in to the Cloudflare dashboard and navigate to your account and website.

  2. Select Security > WAF.

  3. Follow the instructions on the dashboard specific to custom rules, rate limiting rules, or managed rules, depending on your security goal.

  4. Once the rule is active, you should see it under the applicable tab (custom rules, rate limiting, or managed rules).

Rule Active