Cloudflare Docs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)


The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language.

​​ Detection versus mitigation

The two main roles of the Cloudflare WAF are the following:

  • Detection: Run incoming requests through one or more traffic detections to find malicious or potentially malicious activity. The scores from enabled detections are available in the Security Analytics dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules.

  • Mitigation: Blocks, challenges, or throttles requests through different mitigation features such as custom rules, WAF Managed Rules, and rate limiting rules. Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests.

​​ Available traffic detections

The WAF currently provides the following detections for finding security threats in incoming requests:

  • Bots: Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human).
  • Attacks: Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious).
  • Malicious uploads: Scans content objects, such as uploaded files, for malicious signatures like malware.

To enable traffic detections in the Cloudflare dashboard, go to your domain > Security > Settings.

​​ WAF mitigation features

The WAF provides the following mitigation features for traffic posing as a security threat:

  • Custom rules: Allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define.
  • Rate limiting rules: Allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.
  • Managed rules: Allow you to deploy pre-configured managed rulesets that provide immediate protection against common attacks.

To configure these mitigation features in the Cloudflare dashboard, go to your domain > Security > WAF.

​​ Rules and rulesets

Refer to the Ruleset Engine documentation for more information on the following concepts:

  • Rule: Defines a filter and an action to perform on the incoming requests that match the filter.
  • Ruleset: An ordered set of rules that you can apply to traffic on the Cloudflare global network.

​​ WAF Managed Rules

WAF Managed Rules allows you to deploy managed rulesets preconfigured by Cloudflare, and adjust their rules’ behavior if necessary.

When you enable these managed rulesets, you get immediate protection from a broad set of security rules that are regularly updated. Each of these rules has a default action that varies according to the severity of the rule.

Rules of managed rulesets have associated tags that allow you to search for a specific group of rules and configure them in bulk.

To customize the behavior of managed rulesets, do one of the following:

  • Create exceptions to skip the execution of WAF managed rulesets or some of their rules under certain conditions.
  • Configure overrides to override the default rule action or disable one or more rules of managed rulesets. Overrides can affect an entire managed ruleset, specific tags, or specific rules in the managed ruleset.

Exceptions have priority over overrides.

​​ Rule execution order

Cloudflare evaluates different types of rules when processing incoming requests. The rule execution order is the following:

  1. Firewall rules (deprecated)
  2. Custom rulesets
  3. Custom rules
  4. Rate limiting rules
  5. WAF Managed Rules
  6. Cloudflare Rate Limiting (previous version, deprecated)

For more information on the Ruleset Engine phases where each WAF feature will execute, refer to WAF phases.