If you are interested in WAF for SaaS but unsure of where to start, Cloudflare recommends using Managed Rulesets. The Cloudflare security team creates and manages a variety of rules designed to detect common attack vectors and protect applications from vulnerabilities. These rules are offered in managed rulesets, like Cloudflare Managed and OWASP, which can be deployed with different settings and sensitivity levels.
Customers can automate the custom metadata tagging by adding it to the custom hostnames at creation. For more information on tagging a custom hostname with custom metadata, refer to the API documentation.
Outline security_tag buckets. These are fully customizable with no strict limit on quantity. For example, you can set security_tag to low,medium, and high as a default, with one tag per custom hostname.