To manage the threshold for OWASP on our WAF:
1. Log into your Cloudflare account.
2. Visit the Firewall app.
3. Click on the Web Application Firewall tab
4. Scroll down to: Package: OWASP ModSecurity Core Rule Set
5. Select the threshold from the Sensitivity dropdown.
Cloudflare provides two sensitivity settings for the OWASP rule set: High and Low. Actions are triggered based on a threat score mechanism. When a request triggers a rule, that rule increases the overall threat score of that request; some rules increase the score more than others. A sensitivity setting of Low will trigger events that score only above 60 and High will trigger events that score above 25.
We also provide 3 actions against a triggered WAF event: Simulate, Challenge and Block:
Simulate: Logs the event and does not block or challenge the visitor (you can still decide to set to a block or challenge after reviewing your logs).
Block: Block will simply block that request entirely, with no option to bypass that block for that request.
Challenge: Will display a challenge (CAPTCHA) page before the visitor can enter the site.
We recommend beginning in 'Simulate' mode to weed out any false positive so you can eventually turn the ruleset to a level that blocks malicious requests while legitimate traffic continues to your origin unaffected. We also have a more in-depth article that explains how to tune your WAF.