Date: 2025-07-14
Security settings
This page describes the settings available in Security > Settings for a given domain.
In the Web application exploits security module you can manage the following settings:
- Detections:
- Under Attack mode in Security Level
- Managed security.txt
Refer to each linked page for details.
The DDoS protection security module shows the DDoS mitigation services that Cloudflare provides.
You can create rules to override DDoS attack protection tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.
To learn more about DDoS protection overrides, refer to the following resources:
Additionally, you can manage the following settings:
- Block AI Bots
- Bot Management (depending on your Enterprise subscriptions)
- Browser Integrity Check
- Challenge Passage
- Cloudflare managed ruleset
- Firewall for AI
- Schema learning
- Schema validation (requires you to upload a schema or apply a learned schema)
- Under Attack mode (under Security Level)
- SSL/TLS DDoS attack protection
In the Bot traffic security module you can manage the following settings:
- AI Labyrinth
- Block AI Bots
- Bot fight mode (depending on your Cloudflare plan)
- Super Bot fight mode (depending on your Cloudflare plan)
- Bot Management (depending on your Enterprise subscriptions)
- AI bot traffic management with robots.txt
- API sequence detection (requires you to configure a session identifier)
In the API abuse security module you can manage the following settings:
- Developer portal creation
- Endpoint discovery (always enabled if included in your Enterprise subscriptions; requires you to configure a session identifier)
- Endpoint labels
- JWT validation (requires you to add a JWT configuration)
In the Client-side abuse security module you can manage the following settings:
- Continuous script monitoring (previously Page Shield):
  - Reporting endpoint to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on)
  - Data logged in client-side abuse reports (only the hostname or the full URI)
The following table links to additional information about each available setting:
| Setting | Location in previous dashboard navigation |
| --- | --- |
| AI Labyrinth | Security > Bots > Configure Bot Fight Mode; Security > Bots > Configure Super Bot Fight Mode; Security > Bots > Configure Bot Management |
| Block AI Bots | Security > Bots > Configure Bot Fight Mode; Security > Bots > Configure Super Bot Fight Mode; Security > Bots > Configure Bot Management |
| Bot Management: | Security > Bots |
| — JS detections | Security > Bots > Configure Super Bot Fight Mode; Security > Bots > Configure Bot Management |
| — Auto-update machine learning | Security > Bots > Configure Bot Management |
| Browser integrity check | Security > Settings |
| Challenge Passage: Timeout | Security > Settings |
| Client certificates | SSL > Client Certificates |
| Cloudflare managed ruleset | Security > WAF > Managed rules tab |
| Continuous script monitoring: | Security > Page Shield |
| — Reporting endpoint | Security > Page Shield > Settings |
| — Data processing | Security > Page Shield > Settings |
| — Alerts | Security > Page Shield > Settings; Account Home > Notifications |
| Create a developer portal | Security > API Shield > Settings |
| Custom fallthrough rules | Security > API Shield > Settings |
| Endpoint discovery: | API Shield > Discovery |
| — Session identifiers | Security > API Shield > Settings |
| Endpoint labels | Security > Settings > Labels |
| Firewall for AI | N/A |
| HTTP DDoS attack protection: | Security > DDoS |
| — Configure overrides | Security > DDoS |
| IP access rules | Security > WAF > Tools tab; Security > WAF > Custom rules tab |
| IP lists | Account Home > Manage Account > Configurations |
| JWT validation: | Security > API Shield > Settings |
| — JWT validation rules | Security > API Shield > API Rules |
| — Token configurations | Security > API Shield > Settings |
| Leaked credentials detection: | Security > Settings |
| — Custom username and password location | Security > Settings |
| Malicious uploads detection: | Security > Settings |
| — Custom content location | Security > Settings |
| Manage AI bot traffic with robots.txt | Security > Bots > Configure Bot Fight Mode; Security > Bots > Configure Super Bot Fight Mode; Security > Bots > Configure Bot Management |
| mTLS rules | SSL/TLS > Client Certificates |
| Network-layer DDoS attack protection | Account Home > L3/4 DDoS > Network-layer DDoS Protection |
| OWASP Core ruleset | Security > WAF > Managed rules tab |
| Rate limit authentication requests | Security > WAF > Rate limiting rules tab |
| Replace insecure JavaScript libraries | Security > Settings |
| Schema learning: | Security > API Shield > Schema Validation |
| — Session identifiers | Security > API Shield > Settings |
| Schema validation | Security > API Shield > Schema Validation |
| — Endpoints | Security > API Shield |
| — Active schemas | Security > API Shield > Schema Validation |
| — Default action | Security > API Shield > Schema Validation |
| Security Level: Under Attack mode | Security > Settings |
| Security.txt | Security > Settings |
| Sensitive data detection ruleset | Security > Sensitive Data |
| Sequence detection: | Security > API Shield > API Rules |
| — Endpoints | Security > API Shield |
| — Session identifiers | Security > API Shield > Settings |
| Session identifiers | Security > API Shield > Settings |
| SSL/TLS DDoS attack protection | Security > DDoS |
| Token configurations | Security > API Shield > Settings |
| User agent blocking | Security > WAF > Tools tab; Security > WAF > Custom rules tab |
| Zone lockdown | Security > WAF > Tools tab; Security > WAF > Custom rules tab |
