Cloudflare Docs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Cloudflare Web Application Firewall

Get automatic protection from vulnerabilities and the flexibility to create custom rules.
Available on all plans
The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and API requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language.

​​ Features

​​ Custom rules

Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like WAF attack score and uploaded content scanning in your custom rules.

​​ Rate limiting rules

Define rate limits for incoming requests matching an expression, and the action to take when those rate limits are reached.

​​ Managed rules

Enable the pre-configured managed rulesets to get immediate protection. These rulesets are regularly updated, offering advanced zero-day vulnerability protections, and you can adjust their behavior.

​​ Security Events

Review mitigated requests (rule matches) using an intuitive interface. Tailor your security configurations based on the activity log.

​​ Security Analytics

Business and above
Displays information about all incoming HTTP requests, including those not affected by security measures.