Managing the OWASP rule set in the WAF

With Cloudflare Web Application Firewall (WAF), you can control the level of sensitivity to apply and the action to take when a threat is detected, as determined by the OWASP rule set.

Cloudflare Web Application Firewall (WAF) is available to customers on the Pro plan and above. To learn more about our plans, visit Cloudflare Pricing.

Understand OWASP rule set sensitivity and action

When responding to a potential web application threat, Cloudflare triggers actions based on a threat score that is assigned to each incoming request. When a request triggers an OWASP rule, that rule increases the request's overall threat score. Some rules increase the score more than others.

Cloudflare provides three sensitivity settings for the OWASP rule set: high, medium, and low. The table below lists the minimum threat score that triggers the rule set at each sensitivity setting:

Sensitivity    Score to trigger
Low            60 and higher
Medium         40 and higher
High           25 and higher

For Ajax requests, the following scores are applied instead:

Sensitivity    Score to trigger
Low            120 and higher
Medium         80 and higher
High           65 and higher

Cloudflare allows you to select one of three actions to take when the OWASP rule set detects a threat:

Action       Description
Simulate     Logs the event without blocking or challenging the visitor. After reviewing your logs, you may decide to block or challenge similar requests in the future.
Block        Completely blocks the request.
Challenge    Displays a CAPTCHA challenge before the visitor can proceed.
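The following Python model shows how the anomaly scoring described above combines: each triggered rule adds to the request's threat score, the total is compared against the threshold for the chosen sensitivity (with the higher Ajax thresholds when the request is Ajax), and only then is the configured action applied. This is an added example written for this article, not Cloudflare's own code; the per-rule score values and the sample requests are constructed for illustration, since the page does not publish individual rule weights.

```python
"""Model of OWASP anomaly scoring as described on this page.

Added example, not Cloudflare code: per-rule score values and the
sample requests below are constructed for illustration.
"""

# Thresholds from the page: the minimum total score that triggers the rule set.
THRESHOLDS = {
    "standard": {"low": 60, "medium": 40, "high": 25},
    "ajax": {"low": 120, "medium": 80, "high": 65},
}

# Constructed per-rule contributions; real rule weights are not on the page.
# The point is that rules differ in weight, so a few weak hits or one strong
# hit can both cross the threshold.
RULE_SCORES = {
    "sqli-keyword": 20,
    "sqli-comment": 20,
    "xss-script-tag": 30,
    "path-traversal": 25,
    "unusual-user-agent": 5,
}


def total_score(triggered_rules):
    """Sum the contributions of every OWASP rule the request triggered."""
    return sum(RULE_SCORES[rule] for rule in triggered_rules)


def evaluate(triggered_rules, sensitivity, action, is_ajax=False):
    """Return (score, outcome) for one request.

    outcome is 'allow' when the score is below the threshold; otherwise it is
    the configured action: 'simulate' only logs, while 'block' and
    'challenge' stop the request.
    """
    table = THRESHOLDS["ajax" if is_ajax else "standard"]
    threshold = table[sensitivity]
    score = total_score(triggered_rules)
    if score < threshold:
        return score, "allow"
    return score, action


def simulate_over_log(requests, sensitivity, action):
    """Run evaluate() over request records and return the decisions.

    Each record is (request_id, triggered_rules, is_ajax). Running this with
    action='simulate' is the equivalent of the tuning step the page
    recommends: it shows what would be blocked before anything is blocked.
    """
    decisions = []
    for request_id, rules, is_ajax in requests:
        score, outcome = evaluate(rules, sensitivity, action, is_ajax)
        decisions.append((request_id, score, outcome))
    return decisions


# Constructed sample log: the rules each request tripped and whether it was Ajax.
SAMPLE_REQUESTS = [
    ("req-1", ["sqli-keyword", "sqli-comment"], False),                     # score 40
    ("req-2", ["unusual-user-agent"], False),                               # score 5
    ("req-3", ["xss-script-tag", "path-traversal", "sqli-keyword"], True),  # score 75, Ajax
]

if __name__ == "__main__":
    for sens in ("low", "medium", "high"):
        print(sens, simulate_over_log(SAMPLE_REQUESTS, sens, "simulate"))
```

Note how req-1 (score 40) is allowed at Low sensitivity but triggers at Medium and High, and how req-3 (score 75) triggers only at High because its Ajax threshold is 65 rather than 25; these are the boundaries to watch when a sensitivity change suddenly produces false positives.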

Set OWASP sensitivity and action in your WAF

To set the Cloudflare WAF OWASP rule set sensitivity and action: 

1. Log in to the Cloudflare dashboard.

2. Ensure the website you want to update is selected.

3. Click the Firewall app.

4. Click the Managed Rules tab.

5. In the Web Application Firewall panel, ensure that the toggle is set to On.

6. Locate the Package: OWASP ModSecurity Core Rule Set panel.

7. Select the appropriate Sensitivity setting.

8. Finally, select the Action.

It is usually best to start in Simulate mode so that you can identify false positives before any request is blocked.

Cloudflare recommends testing your web application and monitoring your logs to fine-tune your WAF configuration. That way, you can ensure that legitimate traffic is not blocked or repeatedly challenged.
