The Cloudflare WAF will work on all HTTP requests, including GET, POST, PUT, DELETE, HEAD, etc.
Does the WAF work on subdomains?
Yes. Once you enable the Cloudflare Web Application Firewall (WAF), any subdomain where you have Cloudflare enabled will get the benefits of the WAF. To see which subdomains have Cloudflare enabled, visit your Cloudflare DNS Settings page. Subdomains with an orange cloud next to them have Cloudflare enabled.
If you signed up for Cloudflare using CNAME setup, rather than the full authoritative DNS signup method, then the WAF will be enabled for any CNAME in which you have enabled Cloudflare.
What is POST content verification?
POST and GET content verification is part of our Web Application Firewall (WAF). Malicious POST-like events (comment spam, login credentials, etc.) are stopped in real time, including events such as credential hacking, XSS, and SQL injection.
When Cloudflare stops these malicious POSTs, the site owner can configure the WAF to present a challenge page, block the request, or simply record the event. The challenge gives human visitors the opportunity to verify their humanity and proceed past the challenge.
Can I add a custom rule set if the WAF isn't blocking behavior?
If the attacker is using a specific pattern or user agent and the Cloudflare WAF doesn’t have a rule in place already, then you can create a custom rule for your web property. The custom WAF rule functionality is available to Cloudflare Business and Enterprise customers. To create a custom WAF rule, please contact us by submitting a support ticket with the relevant information.
You can also request a custom WAF rule through the Cloudflare dashboard via the Firewall app in the Web Application Firewall section by clicking Request a rule.
Will the WAF protect against XSS and SQL Injection attacks?
Yes. The Cloudflare WAF protects against XSS and SQL injection attacks, as well as comment spam. The WAF includes the ModSecurity rules and covers the OWASP Top 10 vulnerabilities by default. If you are on the Business or Enterprise plan, you can also write your own rule sets or buy additional ones from our third-party partners.
To create a custom WAF rule, please contact us by submitting a support ticket with the relevant information.