Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

Deploy rulesets via API

Use the Rulesets API to deploy and configure rulesets at the account level or at the zone level.

​​ Deploying Managed Rulesets

You can deploy WAF Managed Rulesets to the http_request_firewall_managed phase, both at the account level and at the zone level.

Other Managed Rulesets, like DDoS Managed Rulesets, must be deployed to a different phase. Check the specific Managed Ruleset documentation for details.

You can define overrides to customize the behavior of the rules included in a Managed Ruleset.

Note: There are a few requirements when deploying WAF Managed Rulesets to the http_request_firewall_managed phase at the zone level:

  • The zone-level phase can only have two execute rules deploying Managed Rulesets: one rule for deploying the OWASP Managed Ruleset and another rule for deploying the Cloudflare Managed Ruleset.

  • You must set the expression field to true in these two rules, which means that they apply to all zone requests.

To learn more about deploying Managed Rulesets and configuring overrides using the Rulesets API, refer to Work with Managed Rulesets.

​​ Deploying custom rulesets

You can create custom rulesets in the http_request_firewall_custom phase at the account level. After creating a custom ruleset, you can deploy it to a phase at the account level by adding a rule to the phase entry point that executes the custom ruleset.

To learn more about creating and deploying custom rulesets using the Rulesets API, refer to Work with custom rulesets.