Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. When we find threats that apply to a large portion of our users, we automatically apply WAF rules to protect their Internet properties. Let us take care of tracking state-of-the-art hacking techniques so you can focus on creating useful features instead of protecting them from would-be attackers.
On-premises firewalls quickly become outdated and require professional service hours to keep their rules updated against new threats. Cloudflare’s WAF helps you stay ahead of threats by updating automatically when new security vulnerabilities are disclosed. Rules created by Cloudflare in response to new threats are responsible for mitigating the vast majority of threats on our network. While traditional OWASP rules and customer-specific rules are important, they are not enough without Cloudflare's automatic WAF updates.
Cloudflare sees roughly 5.5 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.
When one customer requests a new custom WAF rule, we analyze whether it applies to all 13 million domains on our network. If it does, we automatically apply that rule to everybody on our network. The more web properties on our network, the stronger our WAF gets, and the safer the Cloudflare community becomes.
Cloudflare offers a single source of control for the security of websites, applications, and APIs, hosted across multiple cloud environments. Multi-cloud security provides visibility into security events, while allowing for consistent security controls, across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.
At Cloudflare, we’re just as concerned with performance as with security. Our web application firewall sits on the same Anycast network that powers our global CDN, HTTP/2, and web optimization features. Our WAF rule sets result in latency of less than 1 millisecond.
Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default, as well as the following application-specific rule sets:
You can enable entire rule sets or select individual rules that you want to apply to your website. For content management systems that use an admin interface, it’s possible to create a Cloudflare Page Rule to apply stronger WAF rules to your admin section.
Business and Enterprise customers can request custom WAF rules by providing attack traffic logs and suggesting the appropriate ModSecurity rule syntax.
Cloudflare WAF also includes an IP firewall that lets you whitelist or blacklist traffic based on IP address, IP ranges, Autonomous System Number (ASN), or country (including Tor).