Enterprise-class security by CloudFlare
CloudFlare’s WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers. It covers both desktop and mobile websites as well as applications.
- Automatic protection from diverse threats, with strong default rule sets and extensive customization providing Layer 7 protection that is fully integrated with DDoS mitigation
- Lightning-fast 0.3 ms processing times with instant global updates
- Cost-effectively fulfill PCI compliance by utilizing CloudFlare’s WAF to meet requirement 6.6
- Real-time reporting and robust logging lets you see what’s happening instantaneously
- Easy set-up with no hardware, software, or tuning required
CloudFlare is a member of OWASP
Running on our global network, CloudFlare’s WAF eliminates the headaches with setting up, tuning, and maintaining your own WAF. Getting started is simple and takes about 5 minutes.
Automatic protection, strong defaults, and customization
CloudFlare’s Web Application Firewall (WAF) automatically protects your website from these types of attacks:
- SQL injection, comment spam
- Cross-site scripting (XSS)
- Distributed denial of service (DDoS) attacks
- Application-specific attacks (WordPress, CoreCommerce)
The CloudFlare WAF engine runs the OWASP ModSecurity Core Rule Set and CloudFlare’s own rule sets by default, making sure you’re protected against the OWASP Top 10 common vulnerabilities.
We also make it easy to customize the WAF and extend your protection further. You can instantly integrate rule sets developed by industry experts (additional fees may apply), import existing ModSecurity rule sets, or write your own custom rules (available for Business and Enterprise customers).
With our easy-to-use web interface, you choose how aggressively you want security settings enforced based on your business needs, easily see which attacks have been blocked, and turn off rules that might generate false positives based on your custom application.
CloudFlare’s WAF lets you easily set-up rules to block diverse web threats.
Lightning-fast, highly responsive performance, with instant global updates
Don’t sacrifice speed for security. In the event of a new attack, CloudFlare’s WAF makes sure your customers are protected quickly and that your website continues to load fast.
- New rules take effect globally in under 30 seconds
- Less than 1 millisecond latency for web visitors
- CloudFlare’s monitoring team can apply globally applicable defenses
Compliance for PCI DSS requirement 6.6
Utilizing CloudFlare’s WAF to meet Requirement 6.6 enables customers to cost-effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 allows two options for meeting this requirement:
- Deploy a WAF in front of your website
- Or, conduct application vulnerability security reviews of all of your in-scope web applications
CloudFlare’s WAF can be set up in minutes, is included in plans that start at $20 per month, and provides the data you can use for reporting to your PCI assessor. Use it today to meet your compliance obligations.
Easy set-up with no hardware, software, or tuning required
As a cloud-based service, CloudFlare’s WAF requires no hardware or software to install and maintain. You can turn on the WAF in seconds, customizing it to meet your needs.
Its integration into the overall CloudFlare service also means you get additional functionality to help you secure your website against DDoS attacks and make it run faster using our global content delivery network.
Any attack against one of our customers helps the whole CloudFlare community (more than 2,000,000 websites) learn from new attack vectors faster than anyone else.
How it works
The Web Application Firewall (WAF) works by examining HTTP requests to your website. It looks at both GET and POST requests and applies rules to help filter illegitimate traffic from legitimate website visitors. For each rule you can decide whether to block, challenge or simulate. With blocking and challenging, CloudFlare’s WAF stops any traffic identified as illegitimate before it reaches your origin web server.
You may set the WAF to Simulate mode, which will record the response to possible attacks without challenging or blocking. In this mode, attack traffic will not be stopped by the CloudFlare WAF and will reach your origin server.
You choose what action the WAF should take in response to specific rules.
Blocking an attack will stop any action before it is posted to your website. It may also stop legitimate traffic if the rule set is too broadly defined.
If you are unsure whether suspicious web visitor behavior is illegitimate traffic, you can set up a challenge page. This page asks visitors to submit a CAPTCHA successfully to continue their action. If the web visitor fails the challenge, they will be blocked from your website.
Robust logging lets you see what’s happening instantaneously. Reporting on WAF events shows what actions have been taken in response to rules that you have set up. Search by IP address or rule ID to narrow down to a specific WAF event for further fine-tuning.
WAF Events reports on what actions it has taken in regards to specific web threats.
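To make the three rule actions and the event log concrete, here is a small added example of a rule engine in the style the "How it works" section describes. It is not CloudFlare code: the rule IDs (EX-100 and so on), the signatures, the client IP addresses and the sample requests are all constructed for illustration. It shows that block and challenge stop a request before the origin, that simulate only records an event while the request still reaches the origin, and how the resulting events can be searched by IP address or rule ID.

```python
"""Toy WAF rule engine: block / challenge / simulate actions plus event search.

Added illustration, not CloudFlare's implementation. Rule IDs, patterns,
IP addresses and requests below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

BLOCK, CHALLENGE, SIMULATE = "block", "challenge", "simulate"


@dataclass
class Rule:
    rule_id: str          # constructed identifier, not a real WAF rule ID
    description: str
    pattern: "re.Pattern"  # matched against path, query string and body
    action: str           # BLOCK, CHALLENGE or SIMULATE


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""       # inspected for GET-style parameters
    body: str = ""        # inspected for POST data


@dataclass
class Event:
    client_ip: str
    rule_id: str
    action: str
    method: str
    path: str


# Constructed rules with deliberately simple signatures, for illustration only
RULES: List[Rule] = [
    Rule("EX-100", "SQL injection tautology",
         re.compile(r"""['"]\s*or\s+\d+\s*=\s*\d+""", re.I), BLOCK),
    Rule("EX-200", "Script tag in user input",
         re.compile(r"<\s*script\b", re.I), CHALLENGE),
    Rule("EX-300", "Comment-spam keyword (watch-only rule)",
         re.compile(r"\bbuy\s+cheap\b", re.I), SIMULATE),
]


def evaluate(request: Request, rules: List[Rule] = RULES,
             solve_challenge: Callable[[Request], bool] = lambda r: False
             ) -> Tuple[str, List[Event]]:
    """Apply rules in order; return ('blocked' | 'forwarded', events).

    solve_challenge stands in for the visitor answering the CAPTCHA page.
    """
    inspected = " ".join([request.path, request.query, request.body])
    events: List[Event] = []
    for rule in rules:
        if not rule.pattern.search(inspected):
            continue
        events.append(Event(request.client_ip, rule.rule_id, rule.action,
                            request.method, request.path))
        if rule.action == SIMULATE:
            continue                      # logged only; traffic still reaches origin
        if rule.action == CHALLENGE and solve_challenge(request):
            continue                      # visitor passed the challenge, carry on
        return "blocked", events          # BLOCK, or CHALLENGE that was failed
    return "forwarded", events


def search_events(events: List[Event], client_ip: Optional[str] = None,
                  rule_id: Optional[str] = None) -> List[Event]:
    """Narrow the event log by IP address and/or rule ID, as the WAF report does."""
    return [e for e in events
            if (client_ip is None or e.client_ip == client_ip)
            and (rule_id is None or e.rule_id == rule_id)]


# Constructed sample traffic (documentation IP ranges, not real visitors)
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "GET", "/products", query="id=1' OR 1=1"),
    Request("203.0.113.11", "POST", "/comment", body="<script>alert(1)</script>"),
    Request("203.0.113.12", "POST", "/comment", body="buy cheap watches here"),
    Request("198.51.100.7", "GET", "/about"),
]


def run_samples(solve_challenge: Callable[[Request], bool] = lambda r: False):
    """Evaluate every sample request; return ({ip: outcome}, combined event log)."""
    outcomes, log = {}, []
    for req in SAMPLE_REQUESTS:
        outcome, events = evaluate(req, RULES, solve_challenge)
        outcomes[req.client_ip] = outcome
        log.extend(events)
    return outcomes, log


if __name__ == "__main__":
    outcomes, log = run_samples()
    for ip, outcome in outcomes.items():
        print(f"{ip}: {outcome}")
    for e in search_events(log, rule_id="EX-300"):
        print(f"simulate-only hit: {e.client_ip} {e.method} {e.path} ({e.rule_id})")
```

Running the block shows the SQL injection sample blocked, the script-tag sample blocked because the default challenge callback never passes, the comment-spam sample forwarded with only a simulate event recorded, and the clean request forwarded with no events; supplying a callback that returns True lets the challenged request through, which is the behaviour a visitor solving the CAPTCHA would produce.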
The WAF is available as part of the Pro, Business and Enterprise plans. These plans offer a broad range of security and performance benefits, all for a flat monthly fee. Compare plans here.