Cloud Web Application Firewall

Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.

WAF Triggers Map

Cloudflare sees roughly 2.9 million requests every second and our WAF is continually identifying and blocking new potential threats.

    WAF Type

Automatic WAF Updates

Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. When we find threats that apply to a large portion of our users, we automatically apply WAF rules to protect their Internet properties. Let us take care of tracking state-of-the-art hacking techniques so you can focus on creating useful features instead of protecting them from would-be attackers.

On-premise firewalls quickly become outdated and require professional service hours to regularly update rules to protect against new threats. Cloudflare’s WAF helps you stay ahead of threats by automatically updating when new security vulnerabilities are released.

Collective Intelligence

Cloudflare sees roughly 2.9 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.

When one customer requests a new custom WAF rule, we analyze whether it applies to all 4,000,000 domains on our network. If it does, we automatically apply that rule to everybody on our network. The more web properties on our network, the stronger our WAF gets, and the safer the Cloudflare community becomes.

Built for Performance

At Cloudflare, we’re just as concerned with performance as with security. Our web application firewall sits on the same Anycast network that powers our global CDN, HTTP/2, and web optimization features. Our WAF rule sets result in latency of less than 1 millisecond.

PCI Compliance

Utilizing Cloudflare’s WAF helps you cost effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 allows for two options to meet this requirement:

  • Deploy a WAF in front of your website
  • Or, conduct application vulnerability security reviews of all of your in-scope web applications

OWASP, Application-Specific, and Custom Rules

Cloudflare’s WAF protects your web properties from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules that you can apply with the click of a button. Business and Enterprise customers can also request custom WAF rules to filter out specific attack traffic.

OWASP Top 10 Vulnerabilities

  • Injection
  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function-level access control
  • Cross-Site Request Forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

Protecting Against Zero-Day Vulnerabilities

Cloudflare security engineers have dealt with a lot of zero-day vulnerabilities over the years. Read our developer blog to learn how every website on our network benefits from their virtual patches.

A Look at the New WP Brute Force Amplification Attack

A vulnerability in the XML remote procedure protocol allowed potentially thousands of brute force password attempts in a single HTTP request. Read more ›

The Joomla Unserialize Vulnerability

The Joomla Unserialize Vulnerability allowed remote code execution via a poorly sanitized User-Agent and X-Forwarded-For headers. Read more ›

Protection Against Critical Windows Vulnerability (CVE-2015-1635)

Cloudflare WAF protected users from a critical bug that allowed unpriviledeged users to hang a Windows web server. Read more ›

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /mo per website
Expand to see more
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules
Compare all features
PRO $ 20 /mo per website
Expand to see more
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules
Compare all features
BUSINESS $ 200 /mo per website
Expand to see more
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Learn More

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to TLS 1.2 only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules
Compare all features
Enterprise contact us
Expand to see more
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Learn More

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules
Compare all features

Free

$ 0 / mo
 
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Pro

$ 20 / mo
per domain
For professional websites, blogs, and portfolios requiring basic security and performance.
MOST POPULAR

Business

$ 200 / mo
per domain
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Enterprise

Contact Us
 
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Trusted By

Read our Buzzlie case study to learn how they used CloudFlare WAF.

Technical Details

Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default, as well as the following application-specific rule sets:

  • Drupal
  • WordPress
  • Joomla
  • Flash
  • Magento
  • PHP
  • Plone
  • WHMCS
  • Atlassian Products

You can enable entire rule sets or select individual rules that you want to apply to your website. For content management systems that use an admin interface, it’s possible to create a Cloudflare Page Rule to apply stronger WAF rules to your admin section.

Business and Enterprise customers can request custom WAF rules by providing attack traffic logs and suggesting the appropriate mod_security rule syntax.

Cloudflare WAF also includes an IP firewall that lets you whitelist or blacklist traffic based on IP address, IP ranges, Autonomous System Number (ASN), or country (including Tor).