Security settings

This page describes the settings available in Security > Settings for a given domain.

Security modules

Web application exploits module

In the Web application exploits security module you can manage the following settings:

Refer to each linked page for details.

DDoS attacks module

The DDoS protection security module shows the multiple mitigation services against DDoS attacks provided by Cloudflare.

You can create rules to override DDoS attack protection tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

Additionally, you can manage the following settings:

Bot traffic module

In the Bot traffic security module you can manage the following settings:

API abuse module

In the API abuse security module you can manage the following settings:

Client-side abuse module

In the Client-side abuse security module you can manage the following settings:

All settings

The following table links to additional information about each available setting:

SettingLocation in previous dashboard navigation
AI LabyrinthSecurity > Bots > Configure Bot Fight Mode
Security > Bots > Configure Super Bot Fight Mode
Security > Bots > Configure Bot Management
Block AI BotsSecurity > Bots > Configure Bot Fight Mode
Security > Bots > Configure Super Bot Fight Mode
Security > Bots > Configure Bot Management
Bot Management:Security > Bots
JS detectionsSecurity > Bots > Configure Super Bot Fight Mode
Security > Bots > Configure Bot Management
Auto-update machine learningSecurity > Bots > Configure Bot Management
Browser integrity checkSecurity > Settings
Challenge Passage: TimeoutSecurity > Settings
Client certificatesSSL > Client Certificates
Cloudflare managed rulesetSecurity > WAF > Managed rules tab
Continuous script monitoring:Security > Page Shield
Reporting endpointSecurity > Page Shield > Settings
Data processingSecurity > Page Shield > Settings
AlertsSecurity > Page Shield > Settings
Account Home > Notifications
Create a developer portalSecurity > API Shield > Settings
Custom fallthrough rulesSecurity > API Shield > Settings
Endpoint discovery:API Shield > Discovery
Session identifiersSecurity > API Shield > Settings
Endpoint labelsSecurity > Settings > Labels
Firewall for AIN/A
HTTP DDoS attack protection:Security > DDoS
Configure overridesSecurity > DDoS
IP access rulesSecurity > WAF > Tools tab
Security > WAF > Custom rules tab
IP listsAccount Home > Manage Account > Configurations
JWT validation:Security > API Shield > Settings
JWT validation rulesSecurity > API Shield > API Rules
Token configurationsSecurity > API Shield > Settings
Leaked credentials detection:Security > Settings
Custom username and password locationSecurity > Settings
Malicious uploads detection:Security > Settings
Custom content locationSecurity > Settings
Manage AI bot traffic with robots.txtSecurity > Bots > Configure Bot Fight Mode
Security > Bots > Configure Super Bot Fight Mode
Security > Bots > Configure Bot Management
mTLS rulesSSL/TLS > Client Certificates
Network-layer DDoS attack protectionAccount Home > L3/4 DDoS > Network-layer DDoS Protection
OWASP Core rulesetSecurity > WAF > Managed rules tab
Rate limit authentication requestsSecurity > WAF > Rate limiting rules tab
Replace insecure JavaScript librariesSecurity > Settings
Schema learning:Security > API Shield > Schema Validation
Session identifiersSecurity > API Shield > Settings
Schema validationSecurity > API Shield > Schema Validation
EndpointsSecurity > API Shield
Active schemasSecurity > API Shield > Schema Validation
Default actionSecurity > API Shield > Schema Validation
Security Level: Under Attack modeSecurity > Settings
Security.txtSecurity > Settings
Sensitive data detection rulesetSecurity > Sensitive Data
Sequence detection:Security > API Shield > API Rules
EndpointsSecurity > API Shield
Session identifiersSecurity > API Shield > Settings
Session identifiersSecurity > API Shield > Settings
SSL/TLS DDoS attack protectionSecurity > DDoS
Token configurationsSecurity > API Shield > Settings
User agent blockingSecurity > WAF > Tools tab
Security > WAF > Custom rules tab
Zone lockdownSecurity > WAF > Tools tab
Security > WAF > Custom rules tab