Understanding the Cloudflare Web Application Firewall (WAF)

The Cloudflare WAF monitors web requests to your domain and filters out undesired traffic based on rule sets that you specify.

A Web Application Firewall (WAF) examines web traffic to identify suspicious activity and then filters out illegitimate requests based on rule sets that you specify. It inspects both GET and POST HTTP requests and applies a rule set, such as the OWASP ModSecurity Core Rule Set covering the OWASP Top 10 vulnerabilities, to decide which traffic to block, challenge, or let through. It can stop comment spam, cross-site scripting (XSS) attacks, and SQL injection.

The Cloudflare WAF parses JSON request bodies when evaluating the managed rules that we provide, which helps it identify attacks targeted at APIs. JSON parsing is limited to payloads of 128 KB; the WAF does not parse JSON bodies larger than that.

As a cloud-based service, Cloudflare’s WAF requires no hardware or software to install and maintain. Once you are using Cloudflare, you can enable the WAF for your web property quickly. The Cloudflare WAF is available as part of the Pro, Business and Enterprise plans.

Understand the Cloudflare WAF

The Cloudflare WAF examines HTTP requests to your website. It inspects both GET and POST requests and applies rules to separate illegitimate traffic from legitimate website visitors. For example, it looks for keywords commonly used in comment spam (e.g. XX, Rolex, Viagra) and stops the request before the comment is posted to the web property.

The Cloudflare WAF also inspects request URLs to detect anything out of the ordinary. If the WAF determines that a request is suspicious, it 'challenges' the visitor with a page that asks them to solve a CAPTCHA before continuing. If the challenge is not passed, the request is dropped. Either way, traffic the WAF identifies as illegitimate is blocked before it reaches your origin web server.

You can determine how strictly the security settings are enforced by choosing the Low or High sensitivity setting.

Which setting is appropriate for your site depends on several factors, including the type of business and your business operations. If your site legitimately receives traffic that often triggers WAF rules (for example, because of the industry you operate in), the Low setting might be appropriate.

Also if your business operations include uploading large files to your origin server, then the low setting is more appropriate. With a high setting, uploading large files will trigger the firewall since this is a common attack vector.

For a business website, we recommend you initially set the Web Application Firewall to Low. You will be able to see which attacks are getting blocked and if you need to move to the high setting, that change will take effect within minutes.
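The following Python script is an added illustration of the inspection flow described above; it is not Cloudflare's code, and its rule ids, regular expressions, the 1 MB "large upload" threshold and the sample requests are all constructed for this example. It runs a small rule set over the path, query string, form fields and JSON body of a request, applies the Low/High distinction (one rule and the large-upload check fire only at High), and shows the 128 KB JSON limit at work: the same JSON-escaped <script> payload is caught when the body is small enough to be parsed and missed once it is padded past the limit, because a raw-text scan does not decode JSON escapes.

```python
"""Toy WAF request inspector (added example, not Cloudflare's engine)."""
import json
import re
from urllib.parse import parse_qsl

JSON_PARSE_LIMIT = 128 * 1024     # the article: JSON parsing is capped at 128 KB
LARGE_BODY_LIMIT = 1024 * 1024    # constructed stand-in for a "large file upload"
ACTION_RANK = {"allow": 0, "challenge": 1, "block": 2}

# Constructed rule set: (rule id, pattern, action, fires at the Low setting?).
# Ids and patterns are illustrative, not Cloudflare managed-rule ids.
RULES = [
    ("sqli-union-select", re.compile(r"(?i)\bunion\b[\s\S]{0,40}?\bselect\b"), "block", True),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'[^']*'\s*=\s*'"), "block", True),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b"), "block", True),
    ("spam-keyword", re.compile(r"(?i)\b(rolex|viagra)\b"), "challenge", True),
    ("path-traversal", re.compile(r"\.\./"), "block", False),  # High setting only
]

def make_request(path, query="", body=b"", content_type=""):
    """Build the minimal request dict the inspector consumes (a GET if body is empty)."""
    return {"path": path, "query": query, "body": body, "content_type": content_type}

def flatten_json(node, prefix="json"):
    """Yield (location, scalar-as-string) for every leaf of a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten_json(value, f"{prefix}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from flatten_json(value, f"{prefix}[{i}]")
    else:
        yield prefix, str(node)

def extract_values(request):
    """Collect every string the rules run against: path, query parameters and body fields."""
    values = [("path", request["path"])]
    values += [(f"query.{k}", v) for k, v in parse_qsl(request["query"], keep_blank_values=True)]
    body, ctype = request["body"], request["content_type"]
    if ctype.startswith("application/json") and len(body) <= JSON_PARSE_LIMIT:
        try:
            values += list(flatten_json(json.loads(body)))
            return values
        except ValueError:
            pass  # malformed JSON: fall through and scan it as raw text
    if ctype.startswith("application/x-www-form-urlencoded"):
        text = body.decode("utf-8", "replace")
        values += [(f"form.{k}", v) for k, v in parse_qsl(text, keep_blank_values=True)]
    elif body:
        # Oversized JSON and non-JSON bodies are scanned as raw text only, so JSON
        # escapes such as \u003c (a '<' character) are never decoded before matching.
        values.append(("body.raw", body.decode("utf-8", "replace")))
    return values

def inspect_request(request, sensitivity="low"):
    """Return {'action': allow|challenge|block, 'matched': [(rule id, location), ...]}."""
    if sensitivity not in ("low", "high"):
        raise ValueError("sensitivity must be 'low' or 'high'")
    action, matched = "allow", []
    for location, value in extract_values(request):
        for rule_id, pattern, rule_action, fires_at_low in RULES:
            if sensitivity == "low" and not fires_at_low:
                continue
            if pattern.search(value):
                matched.append((rule_id, location))
                if ACTION_RANK[rule_action] > ACTION_RANK[action]:
                    action = rule_action
    # The article: at the High setting large uploads trigger the firewall; at Low they pass.
    if sensitivity == "high" and len(request["body"]) > LARGE_BODY_LIMIT:
        matched.append(("large-upload", "body"))
        if ACTION_RANK["challenge"] > ACTION_RANK[action]:
            action = "challenge"
    return {"action": action, "matched": matched}

# Constructed sample requests.
SPAM = make_request("/comment", query="text=buy+a+rolex+today")
SQLI_FORM = make_request("/login", body=b"user=admin%27+or+%271%27%3D%271&pw=x",
                         content_type="application/x-www-form-urlencoded")
XSS_JSON = make_request("/api/comments", body=b'{"text":"\\u003cscript\\u003ealert(1)"}',
                        content_type="application/json")
XSS_JSON_BIG = make_request("/api/comments", content_type="application/json",
                            body=b'{"pad":"' + b"A" * (JSON_PARSE_LIMIT + 1)
                                 + b'","text":"\\u003cscript\\u003ealert(1)"}')
TRAVERSAL = make_request("/files/../../etc/passwd")
UPLOAD = make_request("/upload", body=b"\x00" * (LARGE_BODY_LIMIT + 1),
                      content_type="application/octet-stream")

if __name__ == "__main__":
    for name, req in [("spam", SPAM), ("sqli_form", SQLI_FORM), ("xss_json", XSS_JSON),
                      ("xss_json_big", XSS_JSON_BIG), ("traversal", TRAVERSAL), ("upload", UPLOAD)]:
        low, high = inspect_request(req, "low")["action"], inspect_request(req, "high")["action"]
        print(f"{name:13s} low={low:9s} high={high}")
```

Run it directly to print the action each sample request receives at both settings. The oversized-JSON case is the caveat worth remembering for API owners: a rule that depends on parsed JSON values does not see them in bodies above the parse limit, so enforce a request-body size limit at the origin (or in a rule of your own) rather than relying on the managed rules alone.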

Note: If the Web Application Firewall is being triggered in the admin section of your site (yoursite.com/admin), we strongly recommend setting a Page Rule that turns the WAF off for the admin section only. You can also whitelist your IP address to override the challenge behavior of the WAF for requests coming from that address.
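As an added example of the two exclusions this note describes (not Cloudflare's own code), the Python below builds the legacy Page Rule payload that turns the WAF off for an admin path and the IP Access Rule payload that whitelists one address, and submits them with urllib only when the assumed CF_ZONE_ID and CF_API_TOKEN environment variables are set. example.com and 203.0.113.5 are placeholder values, and the endpoints assumed are the v4 zones/{zone_id}/pagerules and zones/{zone_id}/firewall/access_rules/rules APIs; the validation in the two builder functions is this example's own choice.

```python
"""Build and optionally submit the admin-path WAF exclusions (added example)."""
import ipaddress
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"   # assumed v4 base URL

def waf_off_page_rule(hostname, path_prefix="/admin"):
    """Legacy Page Rule payload setting 'Web Application Firewall: Off' for one path prefix.

    The URL pattern is hostname + prefix + '*', e.g. example.com/admin*. Note that this also
    matches /administrator and /admin-tools; pass '/admin/' if only the subtree is wanted.
    """
    if "://" in hostname or "/" in hostname:
        raise ValueError("hostname must be a bare host name, without scheme or path")
    if not path_prefix.startswith("/") or path_prefix == "/":
        raise ValueError("path_prefix must name a specific path, never the whole site")
    return {
        "targets": [{"target": "url",
                     "constraint": {"operator": "matches",
                                    "value": f"{hostname}{path_prefix}*"}}],
        "actions": [{"id": "waf", "value": "off"}],
        "status": "active",
    }

def whitelist_ip_rule(address, note="admin workstation; bypasses WAF challenges"):
    """IP Access Rule payload that whitelists one host address for the zone.

    Only a single host address is accepted so that a typo cannot whitelist a whole range,
    and addresses the edge can never see as a client IP are rejected outright.
    """
    ip = ipaddress.ip_address(address)   # raises ValueError for CIDR ranges or garbage
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{address} cannot be a client address seen at the edge")
    return {"mode": "whitelist",
            "configuration": {"target": "ip", "value": str(ip)},
            "notes": note}

def post(zone_id, endpoint, payload, token):
    """POST a payload to a zone-scoped v4 endpoint and return the 'result' object."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/{endpoint}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if not reply.get("success"):
        raise RuntimeError(f"API call failed: {reply.get('errors')}")
    return reply["result"]

if __name__ == "__main__":
    rule = waf_off_page_rule("example.com", "/admin")      # placeholder host
    allow = whitelist_ip_rule("203.0.113.5")              # placeholder address
    print(json.dumps(rule, indent=2))
    print(json.dumps(allow, indent=2))
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone_id and token:   # assumed variable names; only then is the API contacted
        print("page rule id:", post(zone_id, "pagerules", rule, token)["id"])
        print("access rule id:", post(zone_id, "firewall/access_rules/rules", allow, token)["id"])
```

Two practical cautions when applying these: the pattern example.com/admin* also matches /administrator and /admin-tools, so pick the narrowest prefix that covers the admin pages; and whitelisting an IP address overrides challenges for that address across the whole zone, not just the admin path, so prefer the Page Rule when the false positives are confined to one area.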

The WAF will not trigger on requests after a WebSocket has been established.

Frequently asked questions (FAQ)

Where can I manage the WAF settings? Do I need to install anything to use the Cloudflare WAF?

Cloudflare Pro, Business, and Enterprise customers can manage the WAF in the Manage WAF section of the Firewall app in the Cloudflare dashboard. No additional software or hardware is needed to configure the WAF.

Will using the WAF impact site performance?

The Cloudflare WAF introduces a limited amount of latency (approximately 100 microseconds).

How long does it take for a WAF rule change to push out?

Rule set changes or additions will take about 30 seconds to update globally.

What are the key benefits of the Cloudflare WAF?

Managing and customizing security rules to protect your web applications from common web threats is fast and easy with the Cloudflare WAF.

Key features include:

Easy set-up - The Cloudflare WAF is part of our overall service, which takes just a few minutes to set up. Once you re-direct your DNS to Cloudflare, you can configure the WAF and set up the rules you need.

Greater default rule set, plus configurability - In addition to the ModSecurity rules covering the OWASP Top 10, the Cloudflare WAF allows you to import third-party rules from our trusted partners or write your own. You can manage rule sets by going to Manage WAF in the Firewall app of the Cloudflare dashboard.

Detailed reporting - The reporting is detailed; for example, you can see threats blocked by rule or rule group. Enterprise customers have additional firewall analytics reporting and filtering available in the Firewall app under the Overview tab.

