Understanding your site protection options

Learn about the tools Cloudflare offers to protect your domains, URLs, and directories.


Cloudflare offers a number of tools for protecting your site against specified volumes of traffic, certain groups of requesters, and specific requesting IPs.  There is a specific order in which security tools trigger:

  • IP Access Rules
  • Firewall Rules
  • Zone Lockdown
  • User Agent Blocking
  • WAF

Below is a list of security features with details on how to set them up.  Refer to the Cloudflare Developer docs for information on what order security features are applied.

Cloudflare Access

Cloudflare Access adds an authentication page in front of an application you don’t want to be publicly accessible. It is a perimeter-less access control solution for cloud and on-premise applications.

Read more about Getting Started with Cloudflare Access.

IP Access Rules

IP Access Rules allow you to control access for specific IP addresses, IP ranges, countries, ASNs, and certain CIDR blocks. This is best used when you want to control traffic for these specific elements. Available actions to affect incoming requests are Whitelist, Block, Challenge (Captcha), or JavaScript Challenge (IUAM challenge).

For example, if you are already restoring visitor IPs using the mod_cloudflare plugin and you notice that a particular IP is causing malicious requests; you can block that user via IP address.

Security Level

Security Level controls Captcha challenges for requests from low reputation IP addresses.

Zone (URL) Lockdown

Only available for Pro, Business, and Enterprise plans.

Zone (URL) Lockdown allows you to specify a list of one or more IP addresses or networks that are the only IPs allowed to access a domain, subdomain, or URL. This does not whitelist IPs, it defines what is allowed, and rejects everything else. Zone Lockdown supports:

  • Specific sub-domains, allowing you to, for example, allow IP to access domain foo.example.com and allow IP to access domain bar.example.com, but not necessarily allow the vice versa.
  • Specific URLs, enabling you to, for example, allow IP to access the directory example.com/foo/* and allow IP to access the directory example.com/bar/*, but not allow the opposite.

This is useful when you need more granularity in your access rules since with the IP Firewall, you can only either apply the block to all sub-domains of the current domain or all domains on your account, and you can not specify URIs.

Forwarding URL

Forwarding URL allows you to prevent access to (1) URLs, (2) a certain request scheme (HTTP or HTTPS), (3) file type, (4) sub-domain, or (5) directory, by redirecting users away from these this content to some "safe" location.

Example uses for each of these would be:

User-Agent Blocking Rules

User-Agent Blocking allows you to action any preferred User-Agent string. This works similarly to Zone (URL) Lockdown as described above except this block examines the incoming User-Agent string rather than the IP. You can also choose how to handle a matching request with the same list of actions as you have in the IP Firewall (Block, JS Challenge, Captcha Challenge, and Whitelist). Note that User-Agent blocking applies to your entire zone, so you cannot specify sub-domains as you can with Zone Lockdowns.

This tool is useful for blocking any User-Agent strings that you deem suspicious and works great in conjunction with the Browser Integrity Check feature.

Rate Limiting

Rate Limiting allows you to control volumes of traffic for your entire site, specific URL, and any directory, for a given interval of time.

When Protect My Login, a pre-configuration of Rate Limiting is enabled, it will mitigate brute force login attacks. This is useful because login pages tend to not be cacheable and vulnerable as DDOS attack vectors.

For example, if there are many uncacheable resources in your /foo/bar/ directory and want to also mitigate DDOS attacks to your origin server, enabling Rate Limiting could ensure that no one can exceed traffic rates of 1000 requests per minute to that directory and that any violating IP gets blocked.

Custom WAF Rule

You can request a Custom WAF rule to be created for any traffic logic that you are unable to implement at the edge using the tools in your Cloudflare account by default, such as all of the above.

This is recommended in order to base traffic logic on:

  • Virtually any HTTP header in the request.
  • IP ranges.
  • Hostname
  • Regex
  • Validation of byte ranges to prevent binary data from being transferred through the URI for, example.
  • Checking for empty strings anywhere in request.
  • Integer comparisons (greater than, less than, greater than/equal to, less than/equal to, and equal to).


Token Authentication

Token Authentication allows you to restrict access to documents, files, and media to selected users without requiring registration. This can be used to protect paid/restricted content from leeching and non-authorized sharing. Token Authentication can be easily implemented using the Cloudflare Web Application Firewall (WAF) and requires a Business level subscription or higher.

Read more about How to setup Token Authentication.

Related resources


Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk