Cloud Web Application Firewall

Consolidated protection for web applications

Cloudflare’s cloud Web Application Firewall (WAF) protects public-facing web applications from vulnerabilities and attacks. It helps protect brand reputation by stopping malicious traffic and preventing data loss, and website defacement.

Cloudflare's WAF is part of an integrated and comprehensive web application security suite that also includes DDoS mitigation, DNS, SSL/TLS, Bot Management, and Access Control, helping organizations minimize the cost of cloud security.

Screen Shot 2019 03 05 at 3

2018 Gartner Magic Quadrant for Web Application Firewalls - Cloudflare is a Challenger

GartnerMQWAF

Gartner has named Cloudflare a Challenger in the 2018 “Magic Quadrant for Web Application Firewalls” report, based on Cloudflare’s ability to execute and completeness of vision.

Read the Report

Gartner, “Magic Quadrant for Web Application Firewalls”, Analyst(s): Jeremy D'Hoinne, Adam Hils, Ayal Tirosh, Claudio Neiva, August 29, 2018.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Cloudflare. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The Cloudflare Difference

icon learning center orange

Inbuilt Intelligence for faster rule updates

Protect web applications by applying Cloudflare's range of battle-tested rule sets and by utilizing intelligence gathered from a network of 18 million Internet properties.

icon configuration orange

Full customization

Build fully customizable and granular rules based upon multiple request attributes such as user-agent, path, country, query string, IP address, and more, to stop emerging and sophisticated threats.

icon performance orange

Security without sacrificing performance

Prevent downtime and unavailability with Cloudflare’s global Anycast network consisting of 180 data centers spanning 80 countries, and offering a scalable infrastructure backbone.

Key Features

<a href='https://support.cloudflare.com/hc/en-us/articles/200170126-How-does-Cloudflare-know-which-IPs-to-challenge-' class='link--bolder'>Collective intelligence</a> to identify threats

Collective intelligence to identify threats

 Block or challenge visitors by <a href='https://support.cloudflare.com/hc/en-us/articles/217074967-How-do-I-control-IP-access-to-my-site-' class='link--bolder'>IP address</a>

Block or challenge visitors by IP address

Differentiate between humans and bots using Tor

Differentiate between humans and bots using Tor

Reputation-based threat protection

Reputation-based threat protection

Block or challenge visitors by AS number

Block or challenge visitors by AS number

Zone lockdown

Zone lockdown

Comment spam protection

Comment spam protection

Block or challenge visitors by country code

Block or challenge visitors by country code

waf firewall rules

Application-Specific, and Custom Rules to stop malicious traffic

Quickly build granular firewall rules to stop emerging and sophisticated threats. A rule can be based upon multiple request attributes such as user-agent, path, country, query string, IP address, and more.

Address your specific use cases, including:

  • Block bad crawlers
  • Allow valid user-agents specific to routes and endpoints
  • Stop malicious injection attacks using URL parameters

Use an intuitive rule builder that also supports regular expressions (regex), then deploy globally to over 180 data centers in seconds.

Firewall Rules provide customers the ability to control requests, in a flexible and intuitive way, inspired by the widely known Wireshark® language. Rules can be configured through not just Cloudflare's Dashboard and API, but also through Terraform.

Screen Shot 2019 02 25 at 12

Powerful Analytics and Reporting Capabilities

Insights into security events are critical for monitoring the health of your web applications. Additionally, easily distinguishing between actual threats from false positives is essential for maintaining an optimal security configuration.

Firewall Analytics enable you to:

  • Visualise and analyse Firewall Events in one place
  • Understand your threat landscape
  • Identify, mitigate, and review attacks more effectively
waf multi cloud

Multi-Cloud Security Framework

Cloudflare offers a single source of control for the security of websites, applications, and APIs, hosted across multiple cloud environments. Multi-cloud security provides visibility into security events, while allowing for consistent security controls, across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.

Shared Intelligence At Scale





Cloudflare’s WAF helps you stay ahead of threats by automatically updating worldwide when new security vulnerabilities are released. Cloudflare protects 18,000,000 Internet properties and processes 449,281,633,098 encrypted requests a day. The WAF leverages the learning from this traffic and

  • Protects against emerging threats
  • Identifies and blocks repeat offenders proactively using machine learning
  • Reduces risk of data loss
  • Defends against DDoS attacks including both Layer 4 (transport layer) and Layer 7 (application layer) attacks
“The fact that Cloudflare handles 10% of all Internet traffic, gives us the confidence that they’re able to handle attacks on our behalf that we don’t even know about. The onboarding experience with Cloudflare's WAF was excellent and surprisingly easy."
Gavin Rimmington
Head of Business Change and IT

Trusted By

Over 18,000,000 Internet properties

trustedby crunchbase black
trustedby ao com black
trustedby zendesk black
trustedby mapbox black
trustedby log me in black
trustedby digital ocean black
trustedby okcupid black
trustedby montecito black
trustedby discord black
trustedby library of congress black
trustedby udacity black
trustedby marketo black