Cloudflare Docs
Waf
Visit WAF on GitHub
Set theme to dark (⇧+D)

Managed Rulesets

The WAF Managed Rulesets are pre-configured rulesets that provide immediate protection against:

  • Zero-day vulnerabilities
  • Top-10 attack techniques
  • Use of stolen/exposed credentials
  • Extraction of sensitive data

These rulesets are regularly updated. You can adjust the behavior of managed rules, choosing from several possible actions.

Cloudflare provides the following WAF Managed Rulesets:

RulesetDescription
Cloudflare Managed RulesetCreated by the Cloudflare security team, this ruleset provides fast and effective protection for all of your applications. The ruleset is updated frequently to cover new vulnerabilities and reduce false positives.
Cloudflare OWASP Core RulesetCloudflare's implementation of the Open Web Application Security Project, or OWASP ModSecurity Core Rule Set. Cloudflare routinely monitors for updates from OWASP based on the latest version available from the official code repository.
Cloudflare Exposed Credentials CheckDeploy an automated credentials check on your end-user authentication endpoints. For any credential pair, the Cloudflare WAF performs a lookup against a public database of stolen credentials.
Cloudflare Free Managed RulesetAvailable on all Cloudflare plans. Designed to provide mitigation against high and wide impacting vulnerabilities. The rules are safe to deploy on most applications. If you deployed the Cloudflare Managed Ruleset for your site, you do not need to deploy this Managed Ruleset.

The following rulesets run in a response phase:

RulesetDescription
Cloudflare Sensitive Data Detection (Beta)Created by Cloudflare to address common data loss threats. These rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Available in Security > Data.

Phases of deployed Managed Rulesets

When you enable a Managed Ruleset in Security > WAF > Managed rules, you are deploying that Managed Ruleset to the zone-level http_request_firewall_managed phase.

Other Managed Rulesets, like DDoS Managed Rulesets, are deployed to a different phase. Refer to the specific Managed Ruleset documentation for details.

For more information on phases, refer to Phases.