Get started
The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and API requests and filters undesired traffic based on sets of rules called rulesets.
This page will guide you through some basic concepts and the recommended initial steps for configuring the WAF to get immediate protection against the most common attacks.
This guide focuses on configuring WAF for individual domains, known as zones. The WAF configuration is also available at the account level for Enterprise customers with a paid add-on.
Basic WAF concepts
A rule includes a filter (which defines the scope) and an action to perform on the incoming requests that match the filter.
The Cloudflare WAF includes:
- Signature-based rules (for example, the Cloudflare Managed Ruleset) created by Cloudflare that provide immediate protection against known attacks.
- Traffic detections (for example, bot score and attack score) that enrich requests with metadata.
- User-defined rules for your specific needs, including custom rules and rate limiting rules.
Detections do not take any action on incoming traffic – they only add relevant information about each request that you can use in the rules you create. For more information on the detection and mitigation roles of the WAF, refer to Detection versus mitigation.
Before you begin
Make sure that you have set up a Cloudflare account and added your domain to Cloudflare.
Users on the Free plan have access to the Cloudflare Free Managed Ruleset, a subset of the Cloudflare Managed Ruleset. The Free Managed Ruleset is deployed by default on Free plans and is not specifically covered in this guide.
If you are on a Free plan, you may skip to 5. Review traffic in security dashboards.
1. Deploy the Cloudflare Managed Ruleset
The Cloudflare Managed Ruleset protects against Common Vulnerabilities and Exposures (CVEs) and known attack vectors. This ruleset is designed to identify common attacks using signatures, while generating low false positives. Rule changes are published on a weekly basis in the WAF changelog. Cloudflare may also add rules at any time during emergency releases for high profile zero-day protection.
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > WAF and select the Managed rules tab.
- Under Managed Rulesets, select Deploy next to the Cloudflare Managed Ruleset.
Default settings and ruleset customization
By default, the Cloudflare Managed Ruleset enables only a subset of rules and it is designed to strike a balance between protection and false positives. You can review and enable additional rules based on your application technology stack.
In particular situations, enabling the managed ruleset can cause some false positives. False positives are legitimate requests inadvertently mitigated by the WAF. For information on addressing false positives, refer to Handle false positives.
If you are testing the WAF against pentesting tools, it is recommended that you enable all rules by using the following ruleset configuration:
- Ruleset action: Block
- Ruleset status: Enabled (enables all rules in the ruleset)
For more information on configuring the Cloudflare Managed Ruleset in the dashboard, refer to Configure field values for all the rules.
2. Create custom rule based on WAF attack score
WAF attack score is a machine-learning layer that complements Cloudflare’s managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks.
If you are an Enterprise customer, do the following:
Reach out to your account team to get access to WAF attack score.
Create a custom rule using the Attack Score field:
Go to your domain > Security > WAF and select the Custom rules tab.
Create a rule with the following configuration:
- Expression:
Attack Score less than 20 - Action: Block
- Expression:
If you are on a Business plan, create a custom rule as mentioned above but use the WAF Attack Score Class field instead. For example, you could use the following rule expression: WAF Attack Score Class equals Attack.
3. Create custom rule based on bot score
Customers with access to Bot Management can block automated traffic (for example, from bots scraping online content) using a custom rule with bot score, preventing this traffic from hitting your application.
- Go to your domain > Security > WAF and select the Custom rules tab.
- Create a rule using the Bot Score and Verified Bot fields:
- Expression:
Bot Score less than 20 AND Verified Bot equals Off - Action: Managed Challenge
- Expression:
For a more comprehensive example of a baseline protection against malicious bots, refer to Challenge bad bots.
For more information about the bot-related fields you can use in expressions, refer to Bot Management variables.
Once you have deployed the Cloudflare Managed Ruleset and rules based on attack score and bot score you will have achieved substantial protection, limiting the chance of false positives.
4. (Optional) Deploy the Cloudflare OWASP Core Ruleset
After configuring the Cloudflare Managed Ruleset and attack score, you can also deploy the Cloudflare OWASP Core Ruleset. This managed ruleset is Cloudflare’s implementation of the OWASP ModSecurity Core Rule Set. Its attack coverage significantly overlaps with Cloudflare Managed Ruleset by detecting common attack vectors such as SQLi and XSS.
- Go to your domain > Security > WAF and select the Managed rules tab.
- Under Managed Rulesets, select Deploy next to the Cloudflare OWASP Core Ruleset.
This will deploy the ruleset with the default configuration: paranoia level = PL1 and score threshold = Medium - 40 and higher.
Ruleset configuration
Unlike the signature-based Cloudflare Managed Ruleset, the Cloudflare OWASP Core Ruleset is score-based. You select a certain paranoia level (levels vary from PL1 to PL4, where PL1 is the lowest level), which enables an increasing larger group of rules. You also select a score threshold, which decides when to perform the configured action. Low paranoia with a high score threshold usually leads to fewer false positives. For an example of how the OWASP Core Ruleset is evaluated, refer to OWASP evaluation example.
Follow one of these strategies to configure the ruleset according to your needs:
- Start from a strict configuration (paranoia level = PL4, score threshold = Low - 60 and higher). Reduce the score threshold and paranoia level until you achieve a good false positives/true positives rate for your incoming traffic.
- Alternatively, start from a more permissive configuration (paranoia level = PL1, score threshold = High - 25 and higher) and increase both parameters to adjust your protection, trying to keep a low number of false positives.
For more information on configuring the Cloudflare OWASP Core Ruleset in the dashboard, refer to Configure field values for all the rules.
5. Review traffic in security dashboards
After setting up your WAF configuration, review how incoming traffic is being affected by your current settings using the following dashboards:
- Use Security Analytics to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by traffic detections is available in this dashboard.
- Use Security Events to get more information about requests that are being mitigated by Cloudflare security products.
Enterprise customers can also obtain data about HTTP requests and security events using Cloudflare Logs.
Next steps
After configuring the WAF based on the information in the previous sections, you should have a strong base protection against possible threats to your applications.
You can explore the following recommendations to get additional protection for specific use cases.
Allowlist certain IP addresses
Create a custom rule to allow traffic from IP addresses in allowlist only.
Block specific countries
Create a custom rule to block traffic from specific countries.
Define rate limits
Create a rate limiting rule to apply rate limiting on a login endpoint.
Prevent credential stuffing attacks
Use leaked credential checks to prevent credential stuffing attacks on your applications.
Prevent users from uploading malware into your applications
Use WAF content scanning to scan content being uploaded to your application, searching for malicious content.
Get additional security for your APIs
The Cloudflare WAF protects your APIs from new and known application attacks and exploits such as SQL injection attacks. API-specific security products extend those protections to the unique risks in APIs such as API discovery and authentication management.
For more information on Cloudflare’s API security features, refer to Cloudflare API Shield.