NEWS

Cloudflare WAF named as a Customers' Choice Leader in the 2021 Gartner Peer Insights ‘Voice of the Customer’ Read the Reviews

Web Application Firewall

Built for the modern enterprise architecture

An intelligent, integrated and scalable solution to protect your business-critical web applications from malicious attacks, with no changes to your existing infrastructure.

How it works

Cloudflare Web Application Firewall's intuitive dashboard enables users to build powerful rules through easy clicks and also provides Terraform integration. Every request to the WAF is inspected against the rule engine and the threat intelligence curated from protecting approximately 25 million websites. Suspicious requests can be blocked, challenged or logged as per the needs of the user while legitimate requests are routed to the destination, agnostic of whether it lives on-premise or in the cloud. Analytics and Cloudflare Logs enable visibility into actionable metrics for the user.

Built for your security needs

Ease of Use and Management

Onboarding and management is simple and intuitive, requiring just a few clicks. Additionally, APIs enable easy rules deployments for customers who prefer to use an API interface.

Threat Intelligence At-Scale

Cloudflare’s global distributed network enables us to curate a proprietary threat score by evaluating 1B+ IPs and analyzing digital signatures, every day.

API Integrations

Rich API integration with popular tool sets allows easy configuration, customizable analytics and direct plug-ins for existing SIEM infrastructure. Examples include Terraform, GraphQL Splunk, SumoLogic, Datadog and more.

Flexible Control

Firewall Rules allows customers to create custom rules for their specific needs directly from the dashboard. The rules engine supports a number of functions, operators and transformations

Integrated Security and Performance

Our WAF sits on the same global Anycast network as our performance product suite and seamlessly integrates with DDoS protection, Bot Management, CDN, Load Balancer, Argo Smart Routing and more. Tight integration between products enables enhanced performance, as compared to legacy WAF solutions.

High Accuracy

Our engineering team leverages Cloudflare’s proprietary threat intelligence to update Managed Rulesets regularly. This allows us to continuously improve accuracy, lower false positives and provide comprehensive coverage to protect against zero-day vulnerabilities.

Page Shield

Protect User Data In-Browser

Protect your website visitors from script-based attacks and data theft. Cloudflare Page Shield helps you monitor your applications’ Javascript dependencies for suspicious activity and protect your visitors from Magecart-style attacks.

Page Shield monitors potential attack vectors from third party scripts and prevents user information from falling into the hands of hackers, where it can be resold or be used to launch additional attacks such as credit card fraud and identity theft.

Page Shield uses a feature named ‘Script Monitor’ to record your site’s JavaScript dependencies over time. New JavaScript dependencies trigger alerts so application owners can investigate whether or not they were expected changes.


API Security at the edge

Secure your APIs and prevent data leaks

Cloudflare API Shield helps you secure your APIs with strong client certificate-based identity and strict schema-based validation to protect your APIs from attack.

Prevent stolen or compromised devices from exposing sensitive data by permanently excluding traffic. Cloudflare manages the certificates so you don’t have to and lets you embed client certificates into mobile apps and IoT devices. Revoke a list of client side certificates with a single click.

Stop data leaks and protect your origin from invalid requests or a malicious payload. Create a positive security model by uploading an OpenAPI schema to the Firewall. Every request will be verified against your API definition and the requests that do not comply will be blocked.

Block malicious IPs from abusing your APIs. Leverage Cloudflare's massive scale of threat intelligence with a managed IP list that contains IP addresses of open SOCKS and HTTP Proxies.

Apply rate limiting to prevent malicious actors from abusing your origin and your application.


Click, Deploy, Protect

Cloudflare’s WAF enables protection against malicious attacks that aim to exploit vulnerabilities including SQLi, XSS and more, by simply turning on the OWASP Core Ruleset. To quickly protect against new and zero-day vulnerabilities, toggle to turn on Cloudflare’s Managed Ruleset. As the vulnerability landscape changes quickly, Managed Rulesets are updated regularly by Cloudflare to provide fast and seamless protection against the latest attack vectors.

There is also flexibility to build your own Firewall Rules with attributes including user-agent, path, country, query string, IP address, and more. Simulation mode enables you to quickly test your newly created rules before deploying it live.


An integrated solution to protect all your apps, everywhere.

Cloudflare’s WAF is built to seamlessly integrate with our security and performance products including DDoS, Bot Management, CDN, Load Balancing, Argo Smart Routing and more, to deliver a highly performant and integrated security solution

Modern approach provides a uniform security solution to protect all your apps, agnostic of where they reside globally: on-prem data centers, private cloud and multiple public clouds.

Integration with existing third-party tools and systems is an important design aspect for Cloudflare’s WAF. Programmatically create rules that block potential threats in near-real time by integrating the API with third-party SIEMs, internal alerting systems, or vulnerability scanners.


Built on a global network that is always learning

Legacy web application firewalls do not leverage collective intelligence from other web properties. Rather, they require customers to build rulesets — a complicated, resource-intensive, and time-consuming process

Cloudflare’s network spans 200 cities globally and serves 25 million HTTP requests per second on average. This scale provides unique intelligence that enables high accuracy and low false positives.

Continuous analysis of signature-based heuristics and IP reputation on our global network powers Cloudflare’s Managed Rulesets, delivering enhanced protection. Cloudflare engineers constantly enhance Managed Rulesets and deliver new features to protect your Internet properties.

Trusted by approximately 25 million Internet properties