SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS AttacksStop Malicious Bot AbuseAccelerate Internet ApplicationsEnsure Application AvailabilityOptimize Web ExperiencesStream Videos On-DemandSuperior Online Experience for China Users
Secure Employee Applications and Devices
Deliver Zero Trust Access to ApplicationsImplement Secure Access Service Edge (SASE)Protect Users Accessing the InternetProtect Corporate NetworksManage Secure Contractor AccessReplace Virtual Private Networks (VPNs)Secure Your Remote WorkforceStop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Cloudflare's Network ServicesMitigate L3 DDoS AttacksConnect network infrastructure with CloudflareTransform Corporate Networks
Code on the Network Edge
Build a Serverless ApplicationDeploy a Static WebsiteConfigure a CDNDefine Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS PlatformsEnable SSL for SaaS ApplicationsReduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerceFinancial ServicesGamingHealthcare and Life SciencesMedia and EntertainmentPublic SectorSaaSEducation
PUBLIC INTEREST
Election CampaignsAthenian ProjectProject GalileoProject Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS ProtectionWAFBot ManagementMagic TransitMagic WANRate LimitingSSL / TLSSSL/TLS for SaaS ProvidersCloudflare SpectrumNetwork InterconnectCDNDNSArgo Smart RoutingLoad BalancingStream DeliveryChina NetworkWaiting Room
FOR TEAMS
Cloudflare for TeamsAccessGatewayBrowser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare WorkersCloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare PagesCloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.11.1.1.1 with WARP (App)1.1.1.1 for Families
INSIGHTS
AnalyticsCloudflare LogsWeb AnalyticsCloudflare Radar
PRIVACY
Data LocalizationCompliance
FOR INFRASTRUCTURE
Advanced Security
Bot ManagementFirewall rulesMagic TransitSpectrum (TCP/UDP)SSLWAFCDNDNSImage ResizingLoad BalancingStream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick StartCloudflare PagesSample Workers ProjectsWorkers TutorialsCommand-line (Wrangler)Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare APIAPI Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource HubWhitepapersWebinarsSolutions & Product GuidesCase StudiesAnalysts
EXPLORE
What's New?Network MapCloudflare in ChinaGDPR
GET STARTED
Register Your WebsiteWelcome CenterGet Help
LEARN
Learning CenterSecurityDDoSBot ManagementSSLIdentity and Access ManagementPerformanceCDNDNSCloudServerlessNetwork Layer
CONNECT
BlogCommunity
TRUST
Trust HubPrivacy & Data ProtectionCertificationsTrust & SafetyGDPRLegal Documentation
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner NetworkPartner Portal
TECHNOLOGY PARTNERS
OverviewAnalytics PartnersBandwidth AllianceEndpoint Security PartnershipsInterconnect PartnershipsNetwork On-ramp PartnershipsPeering Portal
PRICING BY PLAN
FreeProBusinessEnterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan?Add OnsCompare All Plans
NEWS

Cloudflare WAF named as a Customers' Choice Leader in the 2021 Gartner Peer Insights ‘Voice of the Customer’ Read the Reviews

Web Application Firewall

Built for the modern enterprise architecture

An intelligent, integrated and scalable solution to protect your business-critical web applications from malicious attacks, with no changes to your existing infrastructure.

Sign UpContact Sales

How it works

Cloudflare Web Application Firewall's intuitive dashboard enables users to build powerful rules through easy clicks and also provides Terraform integration. Every request to the WAF is inspected against the rule engine and the threat intelligence curated from protecting approximately 25 million websites. Suspicious requests can be blocked, challenged or logged as per the needs of the user while legitimate requests are routed to the destination, agnostic of whether it lives on-premise or in the cloud. Analytics and Cloudflare Logs enable visibility into actionable metrics for the user.

Built for your security needs

Ease of Use and Management

Onboarding and management is simple and intuitive, requiring just a few clicks. Additionally, APIs enable easy rules deployments for customers who prefer to use an API interface.

Threat Intelligence At-Scale

Cloudflare’s global distributed network enables us to curate a proprietary threat score by evaluating 1B+ IPs and analyzing digital signatures, every day.

API Integrations

Rich API integration with popular tool sets allows easy configuration, customizable analytics and direct plug-ins for existing SIEM infrastructure. Examples include Terraform, GraphQL Splunk, SumoLogic, Datadog and more.

Flexible Control

Firewall Rules allows customers to create custom rules for their specific needs directly from the dashboard. The rules engine supports a number of functions, operators and transformations

Integrated Security and Performance

Our WAF sits on the same global Anycast network as our performance product suite and seamlessly integrates with DDoS protection, Bot Management, CDN, Load Balancer, Argo Smart Routing and more. Tight integration between products enables enhanced performance, as compared to legacy WAF solutions.

High Accuracy

Our engineering team leverages Cloudflare’s proprietary threat intelligence to update Managed Rulesets regularly. This allows us to continuously improve accuracy, lower false positives and provide comprehensive coverage to protect against zero-day vulnerabilities.

Page Shield

Protect User Data In-Browser

Protect your website visitors from script-based attacks and data theft. Cloudflare Page Shield helps you monitor your applications’ Javascript dependencies for suspicious activity and protect your visitors from Magecart-style attacks.

Page Shield monitors potential attack vectors from third party scripts and prevents user information from falling into the hands of hackers, where it can be resold or be used to launch additional attacks such as credit card fraud and identity theft.

Page Shield uses a feature named ‘Script Monitor’ to record your site’s JavaScript dependencies over time. New JavaScript dependencies trigger alerts so application owners can investigate whether or not they were expected changes.

API Security at the edge

Secure your APIs and prevent data leaks

Cloudflare API Shield helps you secure your APIs with strong client certificate-based identity and strict schema-based validation to protect your APIs from attack.

Prevent stolen or compromised devices from exposing sensitive data by permanently excluding traffic. Cloudflare manages the certificates so you don’t have to and lets you embed client certificates into mobile apps and IoT devices. Revoke a list of client side certificates with a single click.

Stop data leaks and protect your origin from invalid requests or a malicious payload. Create a positive security model by uploading an OpenAPI schema to the Firewall. Every request will be verified against your API definition and the requests that do not comply will be blocked.

Block malicious IPs from abusing your APIs. Leverage Cloudflare's massive scale of threat intelligence with a managed IP list that contains IP addresses of open SOCKS and HTTP Proxies.

Apply rate limiting to prevent malicious actors from abusing your origin and your application.

Click, Deploy, Protect

Cloudflare’s WAF enables protection against malicious attacks that aim to exploit vulnerabilities including SQLi, XSS and more, by simply turning on the OWASP Core Ruleset. To quickly protect against new and zero-day vulnerabilities, toggle to turn on Cloudflare’s Managed Ruleset. As the vulnerability landscape changes quickly, Managed Rulesets are updated regularly by Cloudflare to provide fast and seamless protection against the latest attack vectors.

There is also flexibility to build your own Firewall Rules with attributes including user-agent, path, country, query string, IP address, and more. Simulation mode enables you to quickly test your newly created rules before deploying it live.

An integrated solution to protect all your apps, everywhere.

Cloudflare’s WAF is built to seamlessly integrate with our security and performance products including DDoS, Bot Management, CDN, Load Balancing, Argo Smart Routing and more, to deliver a highly performant and integrated security solution

Modern approach provides a uniform security solution to protect all your apps, agnostic of where they reside globally: on-prem data centers, private cloud and multiple public clouds.

Integration with existing third-party tools and systems is an important design aspect for Cloudflare’s WAF. Programmatically create rules that block potential threats in near-real time by integrating the API with third-party SIEMs, internal alerting systems, or vulnerability scanners.

Built on a global network that is always learning

Legacy web application firewalls do not leverage collective intelligence from other web properties. Rather, they require customers to build rulesets — a complicated, resource-intensive, and time-consuming process

Cloudflare’s network spans 200 cities globally and serves 25 million HTTP requests per second on average. This scale provides unique intelligence that enables high accuracy and low false positives.

Continuous analysis of signature-based heuristics and IP reputation on our global network powers Cloudflare’s Managed Rulesets, delivering enhanced protection. Cloudflare engineers constantly enhance Managed Rulesets and deliver new features to protect your Internet properties.

Trusted by approximately 25 million Internet properties

View case studies

Sales

Getting Started

Community

Developers

Support

Company

© 2021 Cloudflare, Inc.Privacy PolicyTerms of UseDisclosureCookie PreferencesTrademark