Skip to content
Cloudflare Docs
Search
Products
Learning
Status
Support
Log in
GitHub
X
YouTube
Select theme
Dark
Light
Auto
WAF
Overview
Get started
Concepts
Traffic detections
Overview
WAF attack score
Leaked credentials
Overview
Get started
Common API calls
Mitigation examples
Malicious uploads
Overview
Get started
Example rules
Common API calls
Bot score ↗
Custom rules
Overview
Create in the dashboard
Create via API
Configure a rule with the Skip action
Overview
API examples
Skip options
Common use cases
Allow traffic from IP addresses in allowlist only
Allow traffic from search engine bots
Allow traffic from specific countries only
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Block traffic from specific countries
Challenge bad bots
Configure token authentication
Exempt partners from Hotlink Protection
Issue challenge for admin user in JWT claim based on attack score
Require a specific cookie
Require known IP addresses in site admin area
Require specific HTTP headers
Require specific HTTP ports
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update custom rules for customers or partners
Custom rulesets ↗
Rate limiting rules
Overview
Request rate calculation
Create in the dashboard
Create via API
Find appropriate rate limit
Rate limiting parameters
Rule examples
Best practices
Managed rules
Overview
Deploy in the dashboard
Deploy via API
Handle false positives
Create exceptions
Overview
Add an exception in the dashboard
Add an exception via API
Log the payload of matched rules
Overview
Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Store decrypted matched payloads in logs
Command-line operations
Overview
Generate a key pair
Decrypt the payload content
Check for exposed credentials
Overview
How it works
Configure via API
Test your configuration
Monitor exposed credentials events
Upgrade to leaked credentials detection
Rulesets reference
Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset
Overview
Concepts
Evaluation example
Configure in the dashboard
Configure via API
Configure in Terraform ↗
Cloudflare Exposed Credentials Check Managed Ruleset
Cloudflare Sensitive Data Detection
Additional tools
Lists
Overview
Custom lists
Bulk Redirect Lists ↗
Managed Lists
Create in the dashboard
Use lists in expressions
Lists API
Overview
JSON object
Endpoints
IP Access rules
Overview
Create a rule
Parameters
Actions
Scrape Shield
Overview
Email Address Obfuscation
Hotlink Protection
User Agent Blocking
Zone Lockdown
Browser Integrity Check
Challenge Passage
Enable security.txt ↗
Privacy Pass
Replace insecure JS libraries
Security Level
Account-level configuration
Overview
Custom rulesets
Overview
Use the dashboard
Use the API
Rate limiting rulesets
Overview
Create in the dashboard
Create via API
Managed rulesets
Overview
Deploy in the dashboard
Deploy via API
Create exceptions ↗
Analytics
Security Analytics
Security Events
Overview
Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Challenges
Migration guides
WAF Managed Rules migration
Firewall Rules to WAF custom rules migration
Rate limiting (previous version) deprecation
Legacy features
WAF managed rules (previous version)
Overview
Troubleshooting
Rate Limiting (previous version)
Overview
Troubleshooting
Troubleshooting
Bing's Site Scan blocked by a managed rule
Issues sharing to Facebook
SameSite cookie interaction with Cloudflare
FAQ
Glossary
Changelog
Overview
General updates
Scheduled changes
2024-10-21
2024-10-14
2024-10-07
2024-10-01
2024-09-16
2024-09-03
2024-08-20 - Emergency
2024-08-19
2024-08-05
2024-07-29
2024-07-24
2024-07-17
2024-07-10
2024-06-18 - Emergency
2024-06-06 - Emergency
2024-05-30 - Emergency
2024-05-29 - Emergency
2024-05-21
2024-05-14
2024-05-08
2024-05-06
2024-04-24
2024-04-22
2024-04-16 - Emergency
2024-04-15
2024-04-08
2024-03-18
2024-03-11
2024-03-04
2024-02-26
2024-02-20
2024-02-12
2024-02-05
2024-01-22 - Emergency
2024-01-17 - Emergency
2024-01-16
2024-01-04
Historical (2023)
Historical (2022)
Historical (2021)
Historical (2020)
Historical (2019)
Historical (2018)
Products
Learning
Status
Support
Log in
GitHub
X
YouTube
Select theme
Dark
Light
Auto
Products
…
WAF
Additional tools
Additional tools
The Cloudflare WAF offers the following additional tools:
Browser Integrity Check
Challenge Passage
IP Access rules
Enable security.txt
Lists
Privacy Pass
Replace insecure JS libraries
Scrape Shield
Security Level
User Agent Blocking
Zone Lockdown
Cloudflare Dashboard
Discord
Community
Learning Center
Support Portal
Cookie Settings