Cloudflare Docs

Cloudflare Docs

Overview
Concepts
WAF attack score
Uploaded content scanning
Custom rules
Create custom rules in the dashboard
Create custom rules via API
Configure a rule with the Skip action
API examples
Skip options
Common use cases
Allow traffic from search engine bots
Allow traffic from specific countries only
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Challenge bad bots
Exempt partners from Hotlink Protection
Require a specific cookie
Require a valid HMAC token
Require known IP addresses in site admin area
Require specific HTTP headers
Require specific HTTP ports
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update custom rules for customers or partners
Custom rulesets
Use the dashboard
Use the API
Rate limiting rules
Request rate calculation
Create in the dashboard for a zone
Create in the dashboard for an account
Create via API
Find appropriate rate limit
Rate limiting parameters
Rule examples
Best practices
Managed rules
Deploy in the dashboard for a zone
Deploy in the dashboard for an account
Deploy via API
Handle false positives
Create WAF exceptions
Add an exception in the dashboard
Add an exception via API
Log the payload of matched rules
Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Command-line operations
Generate a key pair
Decrypt the payload content
Check for exposed credentials
How it works
Configure via API
Test your configuration
Monitor exposed credentials events
Rulesets reference
Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset
Cloudflare Exposed Credentials Check Managed Ruleset
Additional tools
Lists
Custom lists
Bulk Redirect Lists
Managed Lists
Create in the dashboard
Use lists in expressions
Lists API
JSON object
Endpoints
IP Access rules
Create a rule
Parameters
Actions
User Agent Blocking
Zone Lockdown
Browser Integrity Check
Challenge Passage
Privacy Pass
Security Level
Analytics
Security Analytics
Security Events
Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Challenges
Migration guides
Migrating to the new WAF Managed Rules
Firewall rules are becoming custom rules
Deprecation of old rate limiting
Legacy features
WAF managed rules (previous version)
Troubleshooting
Rate Limiting (previous version)
Troubleshooting
Troubleshooting
Bing's Site Scan blocked by a managed rule
FAQ
Glossary
Changelog
Scheduled changes
2023-11-21
2023-11-06 - Emergency
2023-10-30
2023-10-23
2023-10-11 - Emergency
2023-10-04 - Emergency
2023-10-02
2023-09-18
2023-09-22 - Emergency
2023-09-04
2023-08-21
2023-08-17 - Emergency
2023-08-07
2023-08-01 - Emergency
2023-07-31
2023-07-10
2023-07-05
2023-06-19
2023-06-14 - Emergency
2023-06-12
2023-06-09 - Emergency
2023-05-22
2023-05-02
2023-04-11
2023-03-20
2023-03-13
2023-03-06
2023-02-27
2023-02-13
2023-02-06
2023-01-30
2023-01-24
2023-01-16
2023-01-09
Historical (2022)
Historical (2021)
Historical (2020)
Historical (2019)
Historical (2018)

Cloudflare Web Application Firewall

Get automatic protection from vulnerabilities and the flexibility to create custom rules.

Available on all plans

Features

Custom rules

Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like WAF attack score and uploaded content scanning in your custom rules.

Use Custom rules

Rate limiting rules

Define rate limits for incoming requests matching an expression, and the action to take when those rate limits are reached.

Use Rate limiting rules

Managed rules

Enable the pre-configured managed rulesets to get immediate protection. These rulesets are regularly updated, offering advanced zero-day vulnerability protections, and you can adjust their behavior.

Use Managed rules

Security Events

Review mitigated requests (rule matches) using an intuitive interface. Tailor your security configurations based on the activity log.

Explore Security Events

Security Analytics

Business and above

Displays information about all incoming HTTP requests, including those not affected by security measures.

Explore Security Analytics