Understanding the Cloudflare Web Application Firewall (WAF)

The Cloudflare WAF monitors web requests to your domain and filters out undesired traffic based on rule sets that you specify.


The Cloudflare Web Application Firewall (WAF) identifies and removes suspicious activity for HTTP GET and POST requests.  Examples of malicious content the WAF identifies include: 

  • Common keywords used in comment spam (XX, Rolex, Viagra, etc.), 
  • cross-site scripting attacks (XSS), and 
  • SQL injections (SQLi).

The WAF is available to Pro, Business, and Enterprise plans for any subdomains proxied to Cloudflare.  Control WAF settings via the Cloudflare Firewall app under the Managed Rules tab.  The Cloudflare WAF contains 3 packages: 

  • Cloudflare Managed Ruleset 
  • Package: OWASP ModSecurity Core Rule Set
  • Customer Requested Rules 

Review threats blocked via the Firewall Analytics Activity log available in the Cloudflare Firewall app under the Overview tab.

Important considerations

  • The Cloudflare WAF introduces a limited amount of latency (approximately 100 microseconds). 
  • WAF changes take about 30 seconds to update globally.
  • Cloudflare uses proprietary rules to filter traffic. 
  • Established Websockets do not trigger the WAF for subsequent requests.
  • The Cloudflare WAF parses JSON responses to identify vulnerabilities targeted at APIs. The WAF limits JSON payload parsing to 128KB.
  • There are a handful of WAF rules that Cloudflare does not disable even if the entire Web Application Firewall is turned Off, such as rule IDs WP0025B, 100043A, and 100030

A note about WAF false positives

False positives are legitimate requests that the WAF deems malicious.  By default, the Cloudflare WAF is fully managed via the Cloudflare dashboard and is compatible with most websites and web applications.  However, false positives are possible considering the immense size of the Internet. To spot false positives, review your Cloudflare Firewall analytics, especially the Activity log to identify which WAF rules are blocking legitimate requests.   

Troubleshoot WAF false positives

The definition of suspicious content is subjective for each website.  For example, PHP code posted to your website is suspicious unless your website teaches how to code and requires PHP code submissions from visitors.  Therefore, such a website must disable related WAF rules that interfere with normal operation. Additional guidelines are as follows:

  • Use the Firewall Analytics Activity log to determine which WAF rules cause false positives.
  • If one specific rule causes false positives, set rule’s Mode to Disable rather than turning Off the entire rule Group.
  • If the Low Sensitivity for OWASP causes too many false positives, completely disable Package: OWASP ModSecurity Core Rule Set

For false positives with the administrator content on your website, create a Page Rule to Disable Security for the admin section of your site resources, i.e. yoursite.com/admin. Alternatively, whitelist your IP address via Cloudflare IP Access Rules to override the WAF behavior.

Cloudflare Managed Ruleset

The Cloudflare Managed Ruleset contains security rules written and curated by Cloudflare. Click on a ruleset name under Group to reveal the rule descriptions. 

Cloudflare Specials is a Group that provides core WAF security against common attacks.   

Cloudflare recommends that you always leave Cloudflare Specials enabled. Additionally, only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the Cloudflare WordPress group.

When viewing a ruleset, Cloudflare shows default actions for each rule listed under Default mode. The Mode available for individual rules within a specific Cloudflare Managed Ruleset are:

  • Default - takes the default action listed under Default mode when viewing a specific rule.
  • Disable - turns off the specific rule within the group.
  • Block - the request is discarded. 
  • Challenge - the visitor receives a CAPTCHA challenge page.
  • Simulate - the request is allowed through but is logged in the Activity log.

Cloudflare’s WAF changelog allows customers to monitor ongoing changes to the Cloudflare Managed Ruleset

Package: OWASP ModSecurity Core Rule Set

Understand Cloudflare’s OWASP package

Package: OWASP ModSecurity Core Rule Set assigns a score to each request based on how many OWASP rules trigger. Some OWASP rules have a higher sensitivity score than others. After OWASP evaluates a request, Cloudflare compares the final score to the Sensitivity configured for the domain.  If the score exceeds the Sensitivity, the request is actioned based on the Action configured within Package: OWASP ModSecurity Core Rule Set:

  • Block - the request is discarded.
  • Challenge - the visitor receives a CAPTCHA challenge page.
  • Simulate - the request is allowed through but is logged in the Activity log.

The sensitivity score required to trigger the WAF for a specific Sensitivity is as follows:

  • Low - 60 and higher
  • Medium - 40 and higher
  • High - 25 and higher

For Ajax requests, the following scores are applied instead:

  • Low - 120 and higher
  • Medium - 80 and higher
  • High - 65 and higher

Review the Activity log to see the final score as well as the individual rules that triggered along with their scores.

Control Cloudflare’s OWASP package

Package: OWASP ModSecurity Core Rule Set contains several rules from the OWASP project. Cloudflare does not write or curate OWASP rules.  Click on a ruleset name under Group to reveal the rule descriptions.  Unlike the Cloudflare Managed Ruleset, specific OWASP rules are either turned On or Off.

To manage OWASP thresholds, set the Sensitivity to Low, Medium, or High under Package: OWASP ModSecurity Core Rule Set. Determining the appropriate Sensitivity depends on your business industry and operations.  For instance, a Low setting is appropriate for:

  • Certain business industries more likely to trigger the WAF, and
  • large file uploads. 

With a High Sensitivity, large file uploads trigger the WAF.

Cloudflare recommends initially setting the WAF Sensitivity to Low and reviewing for false positives before further increasing the Sensitivity.

The Activity log displays Rule ID 981176 when a request is blocked by OWASP. Also, some OWASP rules listed in the Activity log do not appear in the list of rules under Package: OWASP ModSecurity Core Rule Set because disabling those rules is not recommended.

Custom WAF Rules

For Business and Enterprise plans, upon request, Cloudflare writes Custom WAF Rules to block any combination of request characteristics such as those containing certain headers, URLs, etc.  Business customers are allowed up to 25 Custom WAF Rules and Enterprise customers have no limit on the number of requested Custom WAF Rules.

Custom WAF Rules are created per your specifications, so review your traffic patterns and determine the appropriate rules.  

Custom WAF Rules take up to 3 business days to implement due to the time required to build, test, and deploy the rule(s).

There are two ways to create a custom WAF rule:

  1. Request a custom WAF rule via the Cloudflare dashboard: In the Firewall app under the Managed Rules tab, click on Request a rule in the Web Application Firewall section.
  2. Contact Cloudflare Support by submitting a ticket with the relevant WAF rule information.

Functionality is continuously added to Firewall Rules which increasingly deprecates Custom WAF Rules.

Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk