Cloud Web Application Firewall
Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.
444,528,000
WAF rules triggered in the last day
WAF Triggers Map
WAF Type
Automatic WAF Updates
Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. When we find threats that apply to a large portion of our users, we automatically apply WAF rules to protect their Internet properties. Let us take care of tracking state-of-the-art hacking techniques so you can focus on creating useful features instead of protecting them from would-be attackers.
On-premise firewalls quickly become outdated and require professional service hours to regularly update rules to protect against new threats. Cloudflare’s WAF helps you stay ahead of threats by automatically updating when new security vulnerabilities are released. Rules created by Cloudflare in response to new threats are responsible for mitigating the vast majority of threats on our network. While traditional OWASP rules and customer specific rules are important, they are not enough without Cloudflare's automatic WAF updates.
Collective Intelligence
Cloudflare sees roughly 5.5 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.
When one customer requests a new custom WAF rule, we analyze whether it applies to all 13 million domains on our network. If it does, we automatically apply that rule to everybody on our network. The more web properties on our network, the stronger our WAF gets, and the safer the Cloudflare community becomes.
Define Firewall Rules to Stop Malicious Traffic
Quickly build granular firewall rules to stop emerging and sophisticated threats. A rule can be based upon multiple request attributes such as user-agent, path, country, query string, IP address, and more.
Address your specific use cases, including:
- Block bad crawlers
- Allow valid user-agents specific to routes and endpoints
- Stop malicious injection attacks using URL parameters
Use an intuitive rule builder that also supports regular expressions (regex), then deploy globally to over 175 data centers in seconds.
Programmatically create rules that block potential threats in near-real time by integrating the API with SIEMs, internal alerting systems, or vulnerability scanners.
Multi-Cloud Holistic Security Framework
Cloudflare offers a single source of control for the security of websites, applications, and APIs, hosted across multiple cloud environments. Multi-cloud security provides visibility into security events, while allowing for consistent security controls, across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.
Built for Performance
At Cloudflare, we’re just as concerned with performance as with security. Our web application firewall sits on the same Anycast network that powers our global CDN, HTTP/2, and web optimization features. Our WAF rule sets result in latency of less than 1 millisecond.
<1ms
Latency for web visitors
30s
Worldwide rule propagation
PCI Compliance
Utilizing Cloudflare’s WAF helps you cost effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 allows for two options to meet this requirement:
- Deploy a WAF in front of your website
- Or, conduct application vulnerability security reviews of all of your in-scope web applications
OWASP, Application-Specific, and Custom Rules
Cloudflare’s WAF protects your web properties from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules that you can apply with the click of a button. Business and Enterprise customers can also request custom WAF rules to filter out specific attack traffic.
OWASP Top 10 Vulnerabilities
- Injection
- Broken Authentication and Session Management
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Protecting Against Zero-Day Vulnerabilities
Cloudflare security engineers have dealt with a lot of zero-day vulnerabilities over the years. Read our developer blog to learn how every website on our network benefits from their virtual patches.
A Look at the New WP Brute Force Amplification Attack
A vulnerability in the XML remote procedure protocol allowed potentially thousands of brute force password attempts in a single HTTP request.
The Joomla Unserialize Vulnerability
The Joomla Unserialize Vulnerability allowed remote code execution via a poorly sanitized User-Agent and X-Forwarded-For headers.
Protection Against Critical Windows Vulnerability (CVE-2015-1635)
Cloudflare WAF protected users from a critical bug that allowed unpriviledeged users to hang a Windows web server.
Threat Blocking & Privacy Features
Collective intelligence to identify new threats
Reputation-based threat protection
Comment spam protection
Block or challenge visitors by IP address
Block or challenge visitors by AS number
Block or challenge visitors by country code
Security level configuration
Differentiate between humans and bots using Tor
Setting Up Cloudflare Is Easy
Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.
Cloudflare Pricing
Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.
Free
Pro
Business
Enterprise
Technical Details
Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default, as well as the following application-specific rule sets:
- Drupal
- WordPress
- Joomla
- Flash
- Magento
- PHP
- Plone
- WHMCS
- Atlassian Products
You can enable entire rule sets or select individual rules that you want to apply to your website. For content management systems that use an admin interface, it’s possible to create a Cloudflare Page Rule to apply stronger WAF rules to your admin section.
Business and Enterprise customers can request custom WAF rules by providing attack traffic logs and suggesting the appropriate mod_security rule syntax.
Cloudflare WAF also includes an IP firewall that lets you whitelist or blacklist traffic based on IP address, IP ranges, Autonomous System Number (ASN), or country (including Tor).