Configure in the dashboard
The Cloudflare OWASP Core Ruleset is Cloudflare's implementation of the OWASP ModSecurity Core Rule Set ↗ (CRS). It is designed to work as a single entity to calculate a threat score and execute an action based on that score.
-
In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings -
(Optional) Filter by Web application exploits.
-
Turn on OWASP core ruleset.
-
Review the deployment settings. Edit the scope, if necessary, to apply the ruleset to a subset of the incoming requests, or configure any custom settings (also known as overrides).
-
Select Save.
-
Log in to the Cloudflare dashboard ↗, and select your account and domain.
-
Go to Security > WAF > Managed rules tab.
-
Under Managed Rulesets, select Deploy next to Cloudflare OWASP Core Ruleset.
This operation deploys the managed ruleset for the current zone, creating a new rule with the Execute action.
You can configure (or override) the Cloudflare OWASP Core Ruleset, overriding its default configuration, at several levels:
More specific configurations (rule and tag level) have greater priority than less specific configurations (ruleset level).
You can configure (or override) the following Cloudflare OWASP Core Ruleset settings in the Cloudflare dashboard:
- Scope: When you specify a custom filter expression, the Cloudflare OWASP Core Ruleset applies only to a subset of the incoming requests. By default, a managed ruleset deployed in the dashboard applies to all incoming traffic.
- Paranoia level: The paranoia level (PL) classifies OWASP rules according to their aggressiveness, varying from PL1 to PL4, where PL4 is the most strict level. The available levels are:
- PL1 (default)
- PL2
- PL3
- PL4
- Score threshold: The score threshold (or anomaly threshold) defines the minimum cumulative score — obtained from matching OWASP rules — for the WAF to apply the configured OWASP ruleset action. The available thresholds are:
- Low - 60 and higher
- Medium - 40 and higher (default)
- High - 25 and higher
- OWASP action: The action to perform when the calculated request threat score is greater than the score threshold. The available actions are: Managed Challenge, Block, JS Challenge, Interactive Challenge, and Log.
- Payload logging: When enabled, logs the request information (payload) that triggered a specific rule of the managed ruleset. You must configure a public key to encrypt the payload.
Once you have deployed the Cloudflare OWASP Core Ruleset, do the following to configure it in the dashboard:
-
In the Cloudflare dashboard, go to the Security rules page.
Go to Security rules -
(Optional) Filter by Managed rules.
-
Search for Cloudflare OWASP Core Ruleset. Look for a rule with an Execute action.
-
Select the rule name (containing the name of the managed ruleset) to open the deployment configuration page.
-
(Optional) To execute the Cloudflare OWASP Core Ruleset for a subset of incoming requests, select Edit scope and configure the expression that will determine the scope of the current rule deploying the managed ruleset.
-
In the ruleset configuration section, define settings for all the rules in the Cloudflare OWASP Core Ruleset by setting one or more fields using the drop-down lists.
For example, select the action to perform for all the rules in the ruleset.
-
Select Save.
-
Log in to the Cloudflare dashboard ↗, and select your account and domain.
-
Go to Security > WAF > Managed rules tab.
-
Next to the Execute rule deploying the Cloudflare OWASP Core Ruleset, select the managed ruleset name.
If you have not deployed the managed ruleset yet, select Cloudflare OWASP Core Ruleset under Managed Rulesets. -
(Optional) To execute the Cloudflare OWASP Core Ruleset for a subset of incoming requests, select Edit scope and configure the expression that will determine the scope of the current rule deploying the managed ruleset.
-
Under Ruleset configuration, define settings for all the rules in the Cloudflare OWASP Core Ruleset using the drop-down lists.
For example, select the action to perform for all the rules in the ruleset.
-
If you have not deployed the Cloudflare OWASP Core Ruleset yet:
- Select Deploy to deploy the ruleset immediately.
- Select Save as Draft to save your deployment settings for later.
If you are editing a managed ruleset you already deployed, select Save.
You can configure (or override) the following setting in the dashboard for OWASP Core Ruleset rules tagged with at least one of the selected tags:
- Rule status: Sets the rule status (enabled or disabled) for all the rules with the selected tags. To remove the action override at the tag level, set the action to Default.
Once you have deployed the Cloudflare OWASP Core Ruleset, do the following to configure rules with specific tags in the dashboard:
-
In the Cloudflare dashboard, go to the Security rules page.
Go to Security rules -
(Optional) Filter by Managed rules.
-
Search for Cloudflare OWASP Core Ruleset. Look for a rule with an Execute action.
-
Select the rule name (containing the name of the managed ruleset), and then select Browse rules.
-
Select one or more tags under the search input to filter the rules with those tags, and then select the checkbox in the top left corner of the table to select all the rules shown in the current page.
If not all the rules are displayed in the current page, extend your selection to all rules with the selected tags across all pages by selecting Select all <NUMBER> rules.
-
Update one or more settings for the selected rules using the buttons displayed in the top right corner of the table (for example, Set status).
-
Select Next.
-
A dialog appears asking you if any new rules with the selected tags should be configured with the field values you selected.
- Select Include new rules if you want to apply your configurations to any new rules with the select tags.
- Select Only selected rules to apply your configurations to the selected rules only.
-
Select Save.
-
Log in to the Cloudflare dashboard ↗, and select your account and domain.
-
Go to Security > WAF > Managed rules tab.
-
If you have already deployed the Cloudflare OWASP Core Ruleset, select the ruleset name in the list of deployed managed rulesets. Alternatively, select the three dots > Edit next to the Execute rule deploying the Cloudflare OWASP Core Ruleset.
If you have not deployed the managed ruleset, select Cloudflare OWASP Core Ruleset under Managed Rulesets.
-
Select Browse rules.
-
Select one or more tags under the search input to filter the rules with those tags, and then select the checkbox in the top left corner of the table to select all the rules shown in the current page.
If not all the rules are displayed in the current page, extend your selection to all rules with the selected tags across all pages by selecting Select all <NUMBER> rules.
-
Update one or more settings for the selected rules using the buttons displayed in the top right corner of the table (for example, Set status).
-
Select Next.
-
A dialog appears asking you if any new rules with the selected tags should be configured with the field values you selected.
- Select Include new rules if you want to apply your configurations to any new rules with the select tags.
- Select Only selected rules to apply your configurations to the selected rules only.
-
Select Save.
You can configure (or override) the following setting in the dashboard for the selected OWASP Core Ruleset rules:
- Rule status: Sets the status (enabled or disabled) of a single rule or, if you select multiple rules, for the selected rules.
Once you have deployed the Cloudflare OWASP Core Ruleset, do the following to configure individual ruleset rules in the dashboard:
-
In the Cloudflare dashboard, go to the Security rules page.
Go to Security rules -
(Optional) Filter by Managed rules.
-
Search for Cloudflare OWASP Core Ruleset. Look for a rule with an Execute action.
-
Select the rule name (containing the name of the managed ruleset), and then select Browse rules.
-
Search for rules using the available filters.
-
In the results list, change the values for each rule as desired, using the displayed drop-down lists and toggles. For example, change the status of a rule using the Status toggle next to the rule.
To configure multiple rules with the same value, select the checkboxes for all the rules you want to configure. If not all the rules are displayed in the current page, you can extend your selection to all rules across all pages by selecting Select all <NUMBER> rules. Then, use the buttons displayed in the top right corner of the table — for example, Set status — to update one or more fields for the selected rules.
-
Select Next, and then select Save.
-
Log in to the Cloudflare dashboard ↗, and select your account and domain.
-
Go to Security > WAF > Managed rules tab.
-
If you have already deployed the Cloudflare OWASP Core Ruleset, select the ruleset name in the list of deployed managed rulesets. Alternatively, select the three dots > Edit next to the Execute rule deploying the Cloudflare OWASP Core Ruleset.
If you have not deployed the managed ruleset, select Cloudflare OWASP Core Ruleset under Managed Rulesets.
-
Select Browse rules.
-
Search for rules using the available filters.
-
In the results list, change the values for each rule as desired, using the displayed drop-down lists and toggles. For example, change the status of a rule using the Status toggle next to the rule.
To configure multiple rules with the same value, select the checkboxes for all the rules you want to configure. If not all the rules are displayed in the current page, you can extend your selection to all rules across all pages by selecting Select all <NUMBER> rules. Then, use the buttons displayed in the top right corner of the table — for example, Set status — to update one or more fields for the selected rules.
-
Select Next, and then select Save.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
