Cloudflare Web Application Firewall
Get automatic protection from vulnerabilities and the flexibility to create custom rules.
The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and API requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language.
Learn how to get started.
Custom rules
Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like WAF attack score and malicious uploads detection in your custom rules.
Rate limiting rules
Define rate limits for incoming requests matching an expression, and the action to take when those rate limits are reached.
Managed rules
Enable the pre-configured managed rulesets to get immediate protection. These rulesets are regularly updated, offering advanced zero-day vulnerability protections, and you can adjust their behavior.
Account-level configuration
Create and deploy rulesets to multiple Enterprise zones.
Security Events
Review mitigated requests (rule matches) using an intuitive interface. Tailor your security configurations based on sampled logs.
Security Analytics
Displays information about all incoming HTTP requests, including those not affected by security measures.
Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.
Page Shield is a comprehensive client-side security solution to ensure the safety of your website visitors' browser environment.
Cloudflare bot solutions identify and mitigate automated traffic to protect your domain from bad bots.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
