Skip to content
Visit WAF on GitHub
Set theme to dark (⇧+D)

Cloudflare Web Application Firewall

The Cloudflare Web Application Firewall (WAF) provides both automatic protection from vulnerabilities and the flexibility to create custom rules.

Learn moreWAF Managed RulesetsManaged Rulesets change log

Main features

  • Custom Rules: Create your own Custom Firewall Rules to protect your website and your APIs from malicious incoming traffic.
  • Rate Limiting rules: Define rate limits for incoming requests matching an expression, and the action to take when those rate limits are reached.
  • WAF Managed Rulesets: Enable the pre-configured Managed Rulesets to get immediate protection. These rulesets are regularly updated, offering advanced zero-day vulnerability protections. Adjust the behavior of managed rules, choosing from several possible actions.
  • Exposed Credential Checks: Monitor and block use of stolen/exposed credentials for account takeover.
  • Firewall Analytics: Identify and investigate security threats using an intuitive interface. Tailor your security configurations based on the activity log.


The new Cloudflare WAF announced in March 2021 is available for selected customers on paid plans. The exact features and limits depend on your current plan. Rate limiting is a paid add-on on all plans.

For more information on the previous WAF implementation, also known as Managed Rules, refer to Understanding the Cloudflare Web Application Firewall (WAF) in the Support KB.

For more information on Firewall Rules, refer to Cloudflare Firewall Rules.