With Cloudflare Web Application Firewall (WAF), you can control the level of sensitivity to apply and the action to take when a threat is detected, as determined by the OWASP rule set.
Note: Cloudflare Web Application Firewall (WAF) is available to customers in the Pro plan and above. To learn more about our plans, visit Cloudflare Pricing.
Understand OWASP rule set sensitivity and action
When responding to a potential web application threat, Cloudflare triggers actions based on a threat score that is assigned to each incoming request. When a request triggers an OWASP rule, that rule increases the request's overall threat score. Some rules increase the score more than others.
Cloudflare provides three sensitivity settings for the OWASP rule set: high, medium, and low. The table below lists the score associated with each sensitivity setting:
| Sensitivity | Score to trigger |
|---|---|
| Low | 60 and higher |
| Medium | 40 and higher |
| High | 25 and higher |
In terms of actions to take, Cloudflare allows you to select from three possible actions in response to a threat detected in your OWASP rule set. These actions are:
| Action | Behavior |
|---|---|
| Simulate | Logs the event without blocking or challenging the visitor. After reviewing your logs, you may decide to block or challenge similar requests in the future. |
| Block | Completely blocks the request. |
| Challenge | Displays a CAPTCHA challenge before the visitor can proceed. |
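The scoring model above (per-rule score contributions summed into one threat score, compared against the threshold for the chosen sensitivity, then acted on according to the selected action) can be made concrete with a small simulation. The block below is an added example, not Cloudflare's code: the rule ids, their score weights and the toy matching logic are constructed placeholders standing in for the OWASP rule set, and only the three thresholds and three actions come from the article.

```python
"""Toy model of OWASP threat scoring with Cloudflare-style sensitivity and action.

Added illustration, not Cloudflare's implementation. SENSITIVITY_THRESHOLD and
ACTIONS reflect the article; everything else (rule ids, weights, matchers) is a
constructed stand-in for the real rule set.
"""

# From the article: a request triggers once its cumulative score reaches the threshold.
SENSITIVITY_THRESHOLD = {"low": 60, "medium": 40, "high": 25}

# From the article: the three possible actions. "simulate" only logs.
ACTIONS = ("simulate", "block", "challenge")

# Constructed rule catalogue: ids and weights are placeholders, chosen so that
# some rules contribute more to the score than others.
RULE_SCORES = {
    "sqli_union_select": 35,
    "sqli_comment_sequence": 20,
    "xss_script_tag": 30,
    "path_traversal_dotdot": 25,
    "missing_user_agent": 10,
}


def matched_rules(request):
    """Toy matcher: return the ids of the constructed rules that fire on a request."""
    text = (request.get("path", "") + " " + request.get("query", "")).lower()
    hits = []
    if "union" in text and "select" in text:
        hits.append("sqli_union_select")
    if "--" in text or "/*" in text:
        hits.append("sqli_comment_sequence")
    if "<script" in text:
        hits.append("xss_script_tag")
    if "../" in text:
        hits.append("path_traversal_dotdot")
    if not request.get("user_agent"):
        hits.append("missing_user_agent")
    return hits


def threat_score(rule_ids):
    """Each triggered rule adds its weight to the request's overall threat score."""
    return sum(RULE_SCORES[r] for r in rule_ids)


def evaluate(request, sensitivity, action):
    """Score a request and decide the outcome for one sensitivity/action pairing.

    Outcomes: "allow" (below threshold), "log-only" (threshold reached but the
    action is simulate), or the configured "block"/"challenge".
    """
    if sensitivity not in SENSITIVITY_THRESHOLD:
        raise ValueError(f"unknown sensitivity: {sensitivity}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    rules = matched_rules(request)
    score = threat_score(rules)
    triggered = score >= SENSITIVITY_THRESHOLD[sensitivity]
    if not triggered:
        outcome = "allow"
    elif action == "simulate":
        outcome = "log-only"
    else:
        outcome = action
    return {"score": score, "rules": rules, "triggered": triggered, "outcome": outcome}


def outcomes_by_sensitivity(request, action):
    """Show how the same request fares under each of the three sensitivity settings."""
    return {s: evaluate(request, s, action)["outcome"] for s in SENSITIVITY_THRESHOLD}


# Constructed sample requests (not real traffic).
BENIGN = {"path": "/products", "query": "id=42", "user_agent": "Mozilla/5.0"}
SQLI = {"path": "/products", "query": "id=1 union select 1,2--", "user_agent": "Mozilla/5.0"}
XSS = {"path": "/search", "query": "q=<script>", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("sqli", SQLI), ("xss", XSS)):
        result = evaluate(req, "medium", "block")
        print(f"{name}: score={result['score']} rules={result['rules']}")
        print("  by sensitivity (action=block):", outcomes_by_sensitivity(req, "block"))
```

Running it shows the point of the sensitivity table: the constructed SQL injection sample accumulates 55 points from two rules, enough to trigger at Medium (40) and High (25) but not at Low (60), while the single-rule XSS sample at 30 points only triggers at High. Switching the action to `simulate` turns those triggers into log entries rather than blocks, which is what you want while tuning.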
Set OWASP sensitivity and action in your WAF
To set the Cloudflare WAF OWASP rule set sensitivity and action:
1. Log in to the Cloudflare dashboard.
2. Ensure the website you want to update is selected.
3. Click the Firewall app.
4. Scroll down to find and then click the Web Application Firewall tab.
5. In the Web Application Firewall panel, ensure that the toggle is set to On.
6. Locate the Package: OWASP ModSecurity Core Rule Set panel.
7. Select the appropriate Sensitivity setting.
8. Finally, select the Action.
It is usually good to start out in Simulate mode so you can identify any false positives before blocking or challenging traffic.
Cloudflare recommends testing your web application and monitoring your logs in order to fine-tune your WAF configuration. That way, you can ensure that legitimate traffic is not blocked or constantly challenged.
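Reviewing Simulate-mode logs is easier with a little tooling. The block below is an added example, not Cloudflare's code or log format: it parses a constructed set of JSON-lines WAF events (field names, rule ids, paths and addresses are all illustrative) and applies two heuristics, which are assumptions rather than anything the article prescribes, to separate rules that look like false positives (one rule firing on one path from many distinct clients) from activity that looks like a real probe (one client hitting the same rule and path repeatedly).

```python
"""Triage of Simulate-mode WAF events before switching to Block or Challenge.

Added example; not Cloudflare's code. SAMPLE_EVENTS is constructed and its
schema is illustrative. The two heuristics are assumptions for triage only.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON object per line. Includes one non-simulate event
# and one malformed line to show that the parser copes with both.
SAMPLE_EVENTS = """\
{"ts": "2021-03-01T10:00:01Z", "action": "simulate", "rule_id": "sqli_01", "path": "/admin/login", "client_ip": "203.0.113.5", "score": 55}
{"ts": "2021-03-01T10:00:03Z", "action": "simulate", "rule_id": "sqli_01", "path": "/admin/login", "client_ip": "203.0.113.5", "score": 55}
{"ts": "2021-03-01T10:00:05Z", "action": "simulate", "rule_id": "sqli_01", "path": "/admin/login", "client_ip": "203.0.113.5", "score": 55}
{"ts": "2021-03-01T10:00:07Z", "action": "simulate", "rule_id": "sqli_01", "path": "/admin/login", "client_ip": "203.0.113.5", "score": 55}
{"ts": "2021-03-01T10:01:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.10", "score": 30}
{"ts": "2021-03-01T10:02:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.11", "score": 30}
{"ts": "2021-03-01T10:03:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.12", "score": 30}
{"ts": "2021-03-01T10:04:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.13", "score": 30}
{"ts": "2021-03-01T10:05:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.14", "score": 30}
{"ts": "2021-03-01T10:06:00Z", "action": "simulate", "rule_id": "xss_02", "path": "/search", "client_ip": "198.51.100.15", "score": 30}
{"ts": "2021-03-01T10:07:00Z", "action": "simulate", "rule_id": "rfi_03", "path": "/api/upload", "client_ip": "203.0.113.9", "score": 40}
{"ts": "2021-03-01T10:08:00Z", "action": "block", "rule_id": "other_99", "path": "/", "client_ip": "203.0.113.77", "score": 100}
this line is not JSON and is skipped by the parser
"""


def parse_events(raw):
    """Return only the Simulate-mode events; skip blank, malformed or non-simulate lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole review
        if event.get("action") != "simulate":
            continue
        events.append(event)
    return events


def triggers_per_rule(events):
    """How often each rule would have fired; the first thing to look at."""
    return Counter(event["rule_id"] for event in events)


def clients_per_rule_path(events):
    """Number of distinct client addresses behind each (rule, path) pair."""
    seen = defaultdict(set)
    for event in events:
        seen[(event["rule_id"], event["path"])].add(event["client_ip"])
    return {key: len(ips) for key, ips in seen.items()}


def likely_false_positives(events, min_clients=3):
    """Heuristic (assumption): many unrelated clients tripping one rule on one path
    usually means ordinary traffic matches the rule; review before leaving Simulate."""
    return sorted(key for key, n in clients_per_rule_path(events).items() if n >= min_clients)


def likely_real_attacks(events, min_hits=3):
    """Heuristic (assumption): one client repeatedly hitting one rule on one path
    looks like probing, which Block or Challenge would have stopped."""
    per_client = Counter((e["rule_id"], e["path"], e["client_ip"]) for e in events)
    return sorted(key for key, n in per_client.items() if n >= min_hits)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("simulated triggers per rule:", dict(triggers_per_rule(events)))
    print("review as possible false positives:", likely_false_positives(events))
    print("looks like real probing:", likely_real_attacks(events))
```

On the constructed data the `xss_02` rule fires on `/search` from six different clients and is flagged for review, while `sqli_01` on `/admin/login` comes from one address four times and is flagged as probing; `rfi_03` with a single hit shows up in the counts but in neither list. The thresholds `min_clients` and `min_hits` are starting points to adjust against your own traffic volume.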