WAF changelog overview

The WAF changelog provides information about changes to managed rulesets and general updates to WAF protection.

View changelog

View scheduled changes

Subscribe to RSS

Changelog for managed rulesets

Cloudflare regularly releases updates and adds new rules to WAF managed rulesets. Updates improve rule accuracy, reduce false positives, or increase protection in response to changes in the threat landscape.

Release cycle

New and updated rules follow a seven-day release cycle, typically on Monday or Tuesday (adjusted for public holidays).

Week 1 — Logging only: Cloudflare deploys new or updated rules in logging-only mode with the Log action. Rules in this mode record matching requests but do not block traffic. Most newly created rules carry both the beta and new tags. Use this period to review your security events for unexpected matches that could be false positives.

Week 2 — Default action: On the following release day, the rules change from the Log action to their intended default action (shown in the New Action column of the changelog table). The beta and new tags are removed.

For updates to existing rules, Cloudflare first deploys the updated version as a separate BETA rule (noted in the rule description) with a beta tag, before updating the original rule on the next release cycle.

Disabled rules

Cloudflare may also add rules in disabled mode on the same release cycle. These rules make remediation logic available without affecting traffic, and allow Cloudflare to perform impact testing and performance checks. You can activate a disabled rule at any time if you need its protection. Disabled rules do not carry the beta or new tags.

Emergency releases

For new vulnerabilities, Cloudflare may release rules outside the regular seven-day cycle. These are emergency releases.

Warning

Ruleset overrides and tag overrides apply to existing and future rules in a managed ruleset. This means overrides you configure today will automatically apply to rules added in regular and emergency releases.

If you notice a new or updated rule generating an increased volume of security events, you can disable it or change its action from the default. Once you change a rule to use an action other than the default one, Cloudflare will not be able to override the rule action.

General updates

The changelog also includes general updates to WAF protection that are not specific to managed rulesets.