Skip to content
Visit WAF on GitHub
Set theme to dark (⇧+D)

DDoS L7 Attack Mitigation (Beta)

Cloudflare provides protection against DDoS L7 attacks through several mitigation systems and rules. The HTTP DDoS Managed Ruleset contains a subset of these rules. This Managed Ruleset is enabled by default for all customers, regardless of their Cloudflare plan, and provides protection against a broad range of DDoS attack vectors.

The Cloudflare HTTP DDoS Managed Ruleset

The Cloudflare HTTP DDoS Managed Ruleset is a set of pre-configured rules used to match known DDoS attack vectors at the application layer on the edge, like the following:

  • Requests causing large amounts of origin errors
  • Excessive traffic hitting origin
  • Excessive traffic hitting cache
  • Abuse of search features and authentication endpoints
  • Other attack vectors

Cloudflare updates the list of rules in the Managed Ruleset on a regular basis.

The Cloudflare HTTP DDoS Managed Ruleset provides users with increased observability into layer 7 DDoS attacks mitigated by Cloudflare, informing users of ongoing or past attacks. The Firewall dashboard, available at Firewall > Overview, will display additional information on the types of layer 7 DDoS attacks detected for a specific zone.

You can adjust the behavior of the rules in the Managed Ruleset using overrides. Use overrides to modify:

  • The performed action when an attack is detected
  • The sensitivity of attack detection mechanisms

Note: Certain actions or sensitivity levels may not be available to all Cloudflare plans.

For more information on the available override parameters, see Managed Ruleset override parameters.

To define overrides using the Rulesets API, see Configure HTTP DDoS Managed Ruleset overrides via API.


The Cloudflare HTTP DDoS feature is available in Beta to all Enterprise customers. If you would like Beta access, contact your Customer Success Manager or Account Team.