A Web Application Firewall (WAF) examines web traffic looking for suspicious activity; it can then automatically filter out illegitimate traffic based on the rule sets you ask it to apply. It looks at both GET- and POST-based HTTP requests and applies a rule set, such as the ModSecurity core rule set covering the OWASP Top 10 vulnerabilities, to determine which traffic to block, challenge or let pass. It can block comment spam, cross-site scripting attacks and SQL injections.
As a cloud-based service, Cloudflare’s WAF requires no hardware or software to install and maintain. Once you are using Cloudflare, you can enable the WAF for your web property within 2 minutes. The Cloudflare WAF is available as part of the Pro, Business and Enterprise plans.
What does the Cloudflare Web Application Firewall (WAF) do?
The Web Application Firewall (WAF) works by examining HTTP requests to your website. It inspects both GET and POST requests and applies rules to help separate illegitimate traffic from legitimate website visitors. For example, it looks for common keywords used in comment spam (e.g. XX, Rolex, Viagra) and stops the action before it is posted to the web property.
The Cloudflare WAF also inspects website addresses (URLs) to detect anything out of the ordinary. If the Cloudflare WAF detects suspicious user behavior, it will ‘challenge’ the web visitor with a page that asks them to complete a CAPTCHA successfully before continuing their action. If the challenge is failed, the action is stopped. In practice this means that Cloudflare’s WAF blocks any traffic identified as illegitimate before it reaches your origin web server.
You can determine how aggressively you want the security settings enforced by choosing Low or High. A ‘Low’ setting means that the WAF will enforce the filtering rules less aggressively than ‘High.’
Determining which setting is appropriate for your site depends on several factors, including the type of business and your business operations. If your business operates in an industry whose normal traffic may trigger the WAF, then the Low setting is more appropriate.
If your business operations include uploading large files to your origin server, then the ‘Low’ setting is more appropriate. On a ‘High’ setting, uploading large files will trigger the firewall since this is a common attack vector.
For a business website, we recommend you set the Web Application Firewall to “Low” initially. You will be able to see which attacks are getting blocked and if you need to move to the higher setting, that change will take effect within two minutes.
Note: If the Web Application Firewall is being triggered in the admin section of your site (yoursite.com/admin), we strongly recommend setting a Page Rule to exclude the admin section of your site from being affected by the WAF. You can also whitelist your IP to override the challenge behavior of the WAF.
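The screening flow described above (inspect GET query strings and POST bodies, apply a keyword rule set at Low or High sensitivity, challenge or block, with an admin-path exclusion and an IP allowlist taking precedence) as a simplified, runnable model. This is an added illustration, not Cloudflare's code or rule set; the keyword list, the Low/High thresholds, the `/admin` prefix and the sample requests are constructed assumptions.

```python
"""Simplified model of WAF request screening (illustration, not Cloudflare's code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed comment-spam keywords standing in for a managed rule set.
SPAM_KEYWORDS = {"rolex", "viagra"}
# Assumed sensitivity thresholds: High blocks on one hit, Low needs two.
# A request with at least one hit but below the block threshold is challenged.
BLOCK_THRESHOLD = {"High": 1, "Low": 2}


@dataclass
class Request:
    method: str
    url: str
    client_ip: str
    body: str = ""          # form-encoded POST body, if any


@dataclass
class Policy:
    sensitivity: str = "Low"
    excluded_prefixes: tuple = ("/admin",)      # stands in for a Page Rule
    allowlisted_ips: frozenset = frozenset()    # stands in for the IP whitelist


def score(req: Request) -> int:
    """Count spam-keyword hits in the query string (GET) and body (POST)."""
    values = []
    for vs in parse_qs(urlsplit(req.url).query).values():
        values.extend(vs)
    if req.method.upper() == "POST":            # POST bodies are inspected too
        for vs in parse_qs(req.body).values():
            values.extend(vs)
    words = " ".join(values).lower().split()    # parse_qs already decoded '+' and %xx
    return sum(w.strip(".,!?") in SPAM_KEYWORDS for w in words)


def decide(req: Request, policy: Policy) -> str:
    """Return 'pass', 'challenge' or 'block'; exemptions are checked first."""
    if req.client_ip in policy.allowlisted_ips:
        return "pass"                           # whitelisted IP overrides challenges
    if urlsplit(req.url).path.startswith(policy.excluded_prefixes):
        return "pass"                           # admin section exempted by Page Rule
    hits = score(req)
    if hits == 0:
        return "pass"
    if hits >= BLOCK_THRESHOLD[policy.sensitivity]:
        return "block"
    return "challenge"                          # suspicious: CAPTCHA the visitor
```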
Where can I manage the WAF settings? Do I need to install anything to use Cloudflare's WAF?
Any Cloudflare customer with a Pro, Business or Enterprise domain has access to the WAF in the ‘Manage WAF’ section of the domain's security settings. No software, hardware or anything else needs to be installed to use the WAF. Options for getting to the WAF settings:
Go to the Firewall app in your Cloudflare dashboard.
Will using the WAF impact site performance?
Cloudflare's WAF introduces a very limited amount of latency (approximately 100 microseconds).
How long does it take for a WAF rule change to push out?
Rule set changes or additions will take about 30 seconds to update globally.
What are the key benefits of Cloudflare's Web Application Firewall?
Cloudflare's new WAF (Web Application Firewall) is a fast and easy way to set up, manage and customize security rules to protect your web applications from common web threats. Key features include:
Easy set-up - The Cloudflare WAF is part of our overall service, which takes just a few minutes to set up. Once you redirect your DNS to us, you can switch on the WAF and set up the rules you need.
Greater default rule set plus configurability - In addition to mod_security rules and the OWASP Top 10, the new WAF allows you to import third-party rules from our trusted partners or write your own. You can manage new rule sets by going to “Manage WAF” from the Cloudflare settings page.
Faster & more effective rules - We now support all request types, including POSTs and GETs, and rules take effect within 30 seconds globally. For example, if you see an attack vector using a new keyword, you can immediately implement a new rule to block that traffic and see it working within 30 seconds.
Detailed reporting - You’ll see much greater detail in the reporting, for example, threats blocked by rule/rule group.