WAF attack score
WAF attack score is a feature that complements WAF Managed Rules.
WAF’s managed rulesets contain rules that are continuously updated to better detect malicious payloads. They target specific patterns of established attack vectors and have a very low rate of false positives. However, managed rulesets are not optimized for attacks based on variations of the original signature introduced, for example, by fuzzing techniques.
WAF attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like Bot Management, you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules.
To maximize protection, Cloudflare recommends that you use both Managed Rules and WAF attack score.
The Cloudflare WAF provides the following attack scores:
| Score | Minimum plan required | Attack vector | Field |
|---|---|---|---|
| WAF Attack Score | Enterprise | N/A (global score) | `cf.waf.score` |
| WAF SQLi Attack Score | Enterprise | SQL injection (SQLi) | |
| WAF XSS Attack Score | Enterprise | Cross-site scripting (XSS) | |
| WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | |
| WAF Attack Score Class | Business | N/A (global classification) | `cf.waf.score.class` |
You can use the above fields in expressions of custom rules, firewall rules, and rate limiting rules.
The score fields vary between 1 and 99 with the following meaning:
- A score of `1` indicates that the request is almost certainly malicious.
- A score of `99` indicates that the request is likely clean.
- A score of `100` indicates that the Cloudflare WAF did not score the request.
The available scores are independent of each other. Namely, the WAF Attack Score is not a sum of the other scores.
The WAF Attack Score Class field can have one of the following values, depending on the calculated request attack score:
| Dashboard label | Field value | Description |
|---|---|---|
| Attack | | Attack score between |
| Likely attack | | Attack score between |
| Likely clean | | Attack score between |
| Clean | | Attack score between |
Requests with an attack score of `100` will have a class of Unscored in the Cloudflare dashboard, but you cannot use this class value in rule expressions.
Start using the WAF attack score
1. Create a custom rule or firewall rule
If you are an Enterprise customer:
- Create a WAF custom rule or a firewall rule that logs all requests with a WAF Attack Score below 40 (recommended initial threshold). For example, set the rule expression to `cf.waf.score lt 40` and the rule action to Log.
If you are a Business customer:
- Create a WAF custom rule or a firewall rule that logs all requests with a WAF Attack Score Class of Attack. For example, set the rule expression to `cf.waf.score.class eq "Attack"` and the rule action to Log.
2. Monitor domain traffic
Monitor the rule you created, especially in the first few days, to make sure you entered an appropriate threshold (or class) for your traffic. Update the rule if required.
3. Update the rule action
After making sure that your rule is logging the correct requests, change the rule action to a more severe one, like Managed Challenge or Block.
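To support step 2, the following added example (not Cloudflare's code) takes constructed request log records and reports what a `cf.waf.score lt 40` rule would have matched at several candidate thresholds, treating the score 100 as unscored. The log field names (WAFAttackScore, WAFSQLiAttackScore, WAFXSSAttackScore, WAFRCEAttackScore) are an assumption about the dataset you export.

```python
"""Helper for step 2 above: see what a `cf.waf.score lt N` rule would match
before its action is changed from Log to Block. Added example, not Cloudflare
code; the log field names (WAFAttackScore etc.) are an assumption."""

UNSCORED = 100  # the WAF reports 100 when it did not score the request

SCORE_FIELDS = ("WAFAttackScore", "WAFSQLiAttackScore",
                "WAFXSSAttackScore", "WAFRCEAttackScore")

# Constructed sample records, not real traffic.
SAMPLE_LOGS = [
    {"ClientRequestPath": "/login", "WAFAttackScore": 8,
     "WAFSQLiAttackScore": 6, "WAFXSSAttackScore": 92, "WAFRCEAttackScore": 97},
    {"ClientRequestPath": "/search", "WAFAttackScore": 35,  # XSS low, SQLi high
     "WAFSQLiAttackScore": 88, "WAFXSSAttackScore": 30, "WAFRCEAttackScore": 95},
    {"ClientRequestPath": "/", "WAFAttackScore": 97,
     "WAFSQLiAttackScore": 98, "WAFXSSAttackScore": 99, "WAFRCEAttackScore": 99},
    {"ClientRequestPath": "/static/app.js", "WAFAttackScore": UNSCORED,
     "WAFSQLiAttackScore": UNSCORED, "WAFXSSAttackScore": UNSCORED,
     "WAFRCEAttackScore": UNSCORED},
    {"ClientRequestPath": "/api/items", "WAFAttackScore": 55,
     "WAFSQLiAttackScore": 60, "WAFXSSAttackScore": 95, "WAFRCEAttackScore": 96},
]

def rule_matches(record, threshold, field="WAFAttackScore"):
    """Same decision as the expression `cf.waf.score lt <threshold>` for one
    record. 100 means unscored, so it is excluded explicitly rather than
    treated as a very clean request."""
    score = record[field]
    return score != UNSCORED and score < threshold

def threshold_report(records, threshold):
    """Matches per score field at one threshold, plus the unscored count, so the
    global score can be compared against the independent per-vector scores."""
    report = {f: sum(rule_matches(r, threshold, f) for r in records)
              for f in SCORE_FIELDS}
    report["unscored"] = sum(r["WAFAttackScore"] == UNSCORED for r in records)
    report["matched_paths"] = sorted(r["ClientRequestPath"] for r in records
                                     if rule_matches(r, threshold))
    return report

def matches_per_threshold(records, thresholds=(20, 40, 60)):
    """Requests the global-score rule would act on at each candidate threshold."""
    return {t: sum(rule_matches(r, t) for r in records) for t in thresholds}

if __name__ == "__main__":
    print(threshold_report(SAMPLE_LOGS, 40))   # 2 global matches: /login, /search
    print(matches_per_threshold(SAMPLE_LOGS))  # {20: 1, 40: 2, 60: 3}
```

Note that `/search` matches on the global score and the XSS score but not on the SQLi score, which illustrates that the scores are independent rather than summed.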
The WAF Attack Score is different from Threat Score and Bot Score. WAF Attack Score identifies variations of attacks that WAF Managed Rules do not catch. Bot Score identifies bots, while Threat Score measures IP reputation across Cloudflare services.