Improve your site with free and paid apps:

Cloudflare Developer Fund

Cloudflare and world class investment firms invest $100 Million to deliver powerful tools for the Internet. The Cloudflare Developer Fund is looking for companies that are building apps on Cloudflare’s platform.

Cloud Web Application Firewall

444,528,000

WAF rules triggered in the last day

Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.

WAF Triggers Map

Cloudflare sees roughly 2.9 million requests every second and our WAF is continually identifying and blocking new potential threats.

WAF map

    WAF Type

Automatic WAF Updates

Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. When we find threats that apply to a large portion of our users, we automatically apply WAF rules to protect their Internet properties. Let us take care of tracking state-of-the-art hacking techniques so you can focus on creating useful features instead of protecting them from would-be attackers.

Automatic WAF updates

On-premise firewalls quickly become outdated and require professional service hours to regularly update rules to protect against new threats. Cloudflare’s WAF helps you stay ahead of threats by automatically updating when new security vulnerabilities are released. Rules created by Cloudflare in response to new threats are responsible for mitigating the vast majority of threats on our network. While traditional OWASP rules and customer specific rules are important, they are not enough without Cloudflare's automatic WAF updates.

Collective Intelligence

Cloudflare sees roughly 2.9 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.

Intelligent WAF

When one customer requests a new custom WAF rule, we analyze whether it applies to all 6 million domains on our network. If it does, we automatically apply that rule to everybody on our network. The more web properties on our network, the stronger our WAF gets, and the safer the Cloudflare community becomes.

Multi-Cloud Holistic Security Framework

Cloudflare offers a single source of control for the security of websites, applications, and APIs, hosted across multiple cloud environments. Multi-cloud security provides visibility into security events, while allowing for consistent security controls, across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.

Muti-Cloud diagram

Built for Performance

At Cloudflare, we’re just as concerned with performance as with security. Our web application firewall sits on the same Anycast network that powers our global CDN, HTTP/2, and web optimization features. Our WAF rule sets result in latency of less than 1 millisecond.

PCI Compliance

Utilizing Cloudflare’s WAF helps you cost effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 allows for two options to meet this requirement:

  • Deploy a WAF in front of your website
  • Or, conduct application vulnerability security reviews of all of your in-scope web applications

OWASP, Application-Specific, and Custom Rules

Cloudflare’s WAF protects your web properties from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules that you can apply with the click of a button. Business and Enterprise customers can also request custom WAF rules to filter out specific attack traffic.

OWASP Top 10 Vulnerabilities

  • Injection
  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function-level access control
  • Cross-Site Request Forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

Protecting Against Zero-Day Vulnerabilities

Cloudflare security engineers have dealt with a lot of zero-day vulnerabilities over the years. Read our developer blog to learn how every website on our network benefits from their virtual patches.

A Look at the New WP Brute Force Amplification Attack

A vulnerability in the XML remote procedure protocol allowed potentially thousands of brute force password attempts in a single HTTP request. Read more ›

The Joomla Unserialize Vulnerability

The Joomla Unserialize Vulnerability allowed remote code execution via a poorly sanitized User-Agent and X-Forwarded-For headers. Read more ›

Protection Against Critical Windows Vulnerability (CVE-2015-1635)

Cloudflare WAF protected users from a critical bug that allowed unpriviledeged users to hang a Windows web server. Read more ›

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /month per website
Expand to see more
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules
Compare all features
PRO $ 20 /month per website
Expand to see more
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

The Pro Plan includes all of these features:
  • Web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules
Compare all features
BUSINESS $ 200 /month per website
Expand to see more
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Learn More

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Bypass Cache on Cookie
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules
Compare all features
Enterprise contact us
Expand to see more
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Learn More

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules
Compare all features

Free

$ 0 / month
 
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Pro

$ 20 / month
per domain
For professional websites, blogs, and portfolios requiring basic security and performance.

Business

$ 200 / month
per domain
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Enterprise

Contact Us
 
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Trusted By

Read our Buzzlie case study to learn how they used CloudFlare WAF.

Technical Details

Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default, as well as the following application-specific rule sets:

  • Drupal
  • WordPress
  • Joomla
  • Flash
  • Magento
  • PHP
  • Plone
  • WHMCS
  • Atlassian Products

You can enable entire rule sets or select individual rules that you want to apply to your website. For content management systems that use an admin interface, it’s possible to create a Cloudflare Page Rule to apply stronger WAF rules to your admin section.

Business and Enterprise customers can request custom WAF rules by providing attack traffic logs and suggesting the appropriate mod_security rule syntax.

Cloudflare WAF also includes an IP firewall that lets you whitelist or blacklist traffic based on IP address, IP ranges, Autonomous System Number (ASN), or country (including Tor).