Skip to content

Cloudflare Docs

Sign up / Log in

GitHub X YouTube

Select theme

Overview
Get started
Concepts
Traffic detections
- Overview
- Attack score
- Leaked credentials
- Malicious uploads
- Bot score ↗
Custom rules
Rate limiting rules
Managed rules
- Overview
- Deploy in the dashboard
- Deploy via API
- Deploy using Terraform ↗
- Handle false positives
- Create exceptions
- Log the payload of matched rules
  - Overview
  - Configure in the dashboard
  - View the payload content in the dashboard
  - Configure via API
  - Store decrypted matched payloads in logs
  - Command-line operations
    
    Overview
    Generate a key pair
    Decrypt the payload content
- Check for exposed credentials
- Rulesets reference
  - Cloudflare Managed Ruleset
  - Cloudflare OWASP Core Ruleset
    
    Overview
    Concepts
    Evaluation example
    Configure in the dashboard
    Configure via API
    Configure in Terraform ↗
  - Cloudflare Exposed Credentials Check Managed Ruleset
  - Cloudflare Sensitive Data Detection
Additional tools
- Lists
- IP Access rules
- Scrape Shield
- User Agent Blocking
- Zone Lockdown
- Browser Integrity Check
- Challenge Passage
- Enable security.txt ↗
- Privacy Pass
- Replace insecure JS libraries
- Security Level
- Validation checks
Account-level configuration
- Overview
- Custom rulesets
- Rate limiting rulesets
- Managed rulesets
Analytics
- Security Analytics
- Security Events
Reference
- Alerts
- Phases
- Challenges
- Migration guides
- Legacy features
  - WAF managed rules (previous version)
    
    Overview
    Troubleshooting
  - Rate Limiting (previous version)
    
    Overview
    Troubleshooting
Troubleshooting
Glossary
Changelog

GitHub X YouTube

Select theme

On this page

Overview

On this page

Overview

Was this helpful?

Products
WAF
Custom rules
Common use cases

Common use cases

The following common use cases illustrate how to secure web traffic to your sites and applications with custom rules:

Allow traffic from IP addresses in allowlist only
Allow traffic from search engine bots
Allow traffic from specific countries only
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Block traffic from specific countries
Challenge bad bots
Configure token authentication
Exempt partners from Hotlink Protection
Issue challenge for admin user in JWT claim based on attack score
Require a specific cookie
Require known IP addresses in site admin area
Require specific HTTP headers
Require specific HTTP ports
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update custom rules for customers or partners

Was this helpful?

Last updated: Feb 4, 2025

Resources
API
New to Cloudflare?
Products
Sponsorships
Open Source

Support
Help Center
System Status
Compliance
GDPR

Company
cloudflare.com
Our team
Careers

Tools
Cloudflare Radar
Speed Test
Is BGP Safe Yet?
RPKI Toolkit
Certificate Transparency

2025 Cloudflare, Inc.
Privacy Policy
Terms of Use
Report Security Issues
Trademark