Cloud Web Application Firewall

With web threats on the rise, the risks and costs involved in keeping websites and data secure have increased. CloudFlare’s Web Application Firewall (WAF) makes it easy for you to respond to attacks in just seconds without slowing down your website.

Enterprise-class security by CloudFlare

CloudFlare’s WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers. It covers both desktop and mobile websites as well as applications.

  • Automatic protection from diverse threats, with strong default rule sets and extensive customization providing Layer 7 protection that is fully integrated with DDoS mitigation
  • Lightning-fast 0.3 ms processing times with instant global updates
  • Cost-effectively fulfill PCI compliance by utilizing CloudFlare’s WAF to meet requirement 6.6
  • Real-time reporting and robust logging lets you see what’s happening instantaneously
  • Easy setup with no hardware, software, or tuning required


CloudFlare is a member of OWASP

Running on our global network, CloudFlare’s WAF eliminates the headaches of setting up, tuning, and maintaining your own WAF. Getting started is simple and takes about 5 minutes.

Automatic protection, strong defaults, and customization

CloudFlare’s Web Application Firewall (WAF) automatically protects your website from these types of attacks:

  • SQL injection, comment spam
  • Cross-site scripting (XSS)
  • Distributed denial of service (DDoS) attacks
  • Application-specific attacks (WordPress, CoreCommerce)

By default, the CloudFlare WAF engine runs the OWASP ModSecurity Core Rule Set, which covers the OWASP Top 10 common vulnerabilities, together with CloudFlare’s own rule sets.

We also make it easy to customize the WAF and extend your protection further. You can instantly integrate rule sets developed by industry experts (additional fees may apply), import existing ModSecurity rule sets, or write your own custom rules (available for Business and Enterprise customers).

With our easy-to-use web interface, you choose how aggressively you want security settings enforced based on your business needs, easily see which attacks have been blocked, and turn off rules that might generate false positives based on your custom application.

[Screenshot: WAF rules dashboard]

CloudFlare’s WAF lets you easily set up rules to block diverse web threats.

Lightning-fast, highly responsive performance, with instant global updates

Don’t sacrifice speed for security. In the event of a new attack, CloudFlare’s WAF makes sure your customers are protected quickly and that your website continues to load fast.

  • New rules take effect globally in under 30 seconds
  • Less than 1 millisecond latency for web visitors
  • CloudFlare’s monitoring team can apply globally applicable defenses

Compliance for PCI DSS requirement 6.6

Utilizing CloudFlare’s WAF to meet Requirement 6.6 enables customers to cost-effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 gives you two options for meeting the requirement:

  • Deploy a WAF in front of your website
  • Or, conduct application vulnerability security reviews of all of your in-scope web applications

CloudFlare’s WAF can be set up in minutes, is included in plans that start at $20 per month, and provides the data you can use for reporting to your PCI assessor. Use it today to meet your compliance obligations.

Easy setup with no hardware, software, or tuning required

As a cloud-based service, CloudFlare’s WAF requires no hardware or software to install and maintain. You can turn on the WAF in seconds, customizing it to meet your needs.

Its integration into the overall CloudFlare service also means you get additional functionality to help you secure your website against DDoS attacks and make it run faster using our global content delivery network.

Any attack against one of our customers helps the whole CloudFlare community (more than 2,000,000 websites) learn from new attack vectors faster than anyone else.

How it works

The Web Application Firewall (WAF) works by examining HTTP requests to your website. It looks at both GET and POST requests and applies rules to help filter illegitimate traffic out from legitimate website visitors. For each rule, you decide whether to block, challenge, or simulate. With blocking and challenging, CloudFlare’s WAF stops any traffic identified as illegitimate before it reaches your origin web server.

You may set the WAF to Simulate mode, which will record the response to possible attacks without challenging or blocking. In this mode, attack traffic will not be stopped by the CloudFlare WAF and will reach your origin server.

[Screenshot: WAF action dropdown in the dashboard]

You choose what action the WAF should take in response to specific rules.

Blocking an attack will stop any action before it is posted to your website. It may also stop legitimate traffic if the rule set is too broadly defined.

If you are unsure whether suspicious visitor behavior is illegitimate, you can set up a challenge page. This page asks visitors to solve a CAPTCHA before they can continue their action. If the visitor fails the challenge, they are blocked from your website.
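The block/challenge/simulate semantics described above, as an added example that is not CloudFlare's code and does not model CloudFlare's engine or the ModSecurity rule language: a small Python rule engine that inspects GET query values and POST form fields, takes the strongest configured action among matching rules, logs every match as an event, and lets simulate-mode matches through to origin. The rule IDs, patterns and requests are constructed for the demo. The last sample request shows why simulate mode matters: a deliberately broad rule matches a harmless search term, and because that rule is in simulate mode the visitor is not blocked while the false positive still shows up in the event log.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical rule model for illustration; the rule IDs and patterns below
# are constructed and are not real Core Rule Set or CloudFlare rules.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    action: str  # "block", "challenge" or "simulate"

@dataclass(frozen=True)
class Request:
    client_ip: str
    method: str
    url: str
    body: str = ""  # application/x-www-form-urlencoded body for POST

@dataclass(frozen=True)
class Event:
    rule_id: str
    client_ip: str
    action: str   # action configured on the rule
    outcome: str  # what the WAF actually did: "block", "challenge" or "allow"
    target: str   # the request field that matched

# Stronger decisions win when several rules match one request.
DECISION_RANK = {"allow": 0, "challenge": 1, "block": 2}

def inspect_targets(req):
    """Yield (field, value) pairs the rules run over: GET query values and POST form fields."""
    for name, values in parse_qs(urlsplit(req.url).query, keep_blank_values=True).items():
        for v in values:
            yield f"ARGS_GET:{name}", v
    if req.method == "POST":
        for name, values in parse_qs(req.body, keep_blank_values=True).items():
            for v in values:
                yield f"ARGS_POST:{name}", v

def evaluate(req, rules):
    """Return (decision, events). Simulate-mode matches are logged but never change the decision."""
    decision, events = "allow", []
    for target, value in inspect_targets(req):
        for rule in rules:
            if rule.pattern.search(value):
                outcome = "allow" if rule.action == "simulate" else rule.action
                events.append(Event(rule.rule_id, req.client_ip, rule.action, outcome, target))
                if DECISION_RANK[outcome] > DECISION_RANK[decision]:
                    decision = outcome
    return decision, events

def search_events(events, client_ip=None, rule_id=None):
    """Narrow the event log by client IP and/or rule ID, as the reporting view does."""
    return [e for e in events
            if (client_ip is None or e.client_ip == client_ip)
            and (rule_id is None or e.rule_id == rule_id)]

# Constructed rules: a targeted SQLi rule in block mode, an XSS rule in
# challenge mode, and an over-broad rule being evaluated in simulate mode.
RULES = [
    Rule("SQLI-001", re.compile(r"(?i)\bunion\b.*\bselect\b"), "block"),
    Rule("XSS-001", re.compile(r"(?i)<script\b"), "challenge"),
    Rule("SQLI-BROAD", re.compile(r"(?i)\bselect\b"), "simulate"),
]

# Constructed sample traffic (documentation IP ranges).
SAMPLE_REQUESTS = [
    Request("198.51.100.10", "GET", "/search?q=laptop"),
    Request("203.0.113.5", "GET", "/search?q=1+UNION+SELECT+1"),
    Request("203.0.113.5", "POST", "/comment", body="text=<script>alert(1)</script>"),
    Request("198.51.100.10", "GET", "/search?q=select+your+seat"),  # legitimate search
]

def run_demo(requests=SAMPLE_REQUESTS, rules=RULES):
    """Evaluate every sample request; return the per-request decisions and the combined event log."""
    decisions, log = [], []
    for req in requests:
        decision, events = evaluate(req, rules)
        decisions.append(decision)
        log.extend(events)
    return decisions, log

if __name__ == "__main__":
    decisions, log = run_demo()
    for req, decision in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.client_ip:14} {req.method:4} {req.url:32} -> {decision}")
    print("events for 203.0.113.5:", len(search_events(log, client_ip="203.0.113.5")))
    print("simulate-mode hits of SQLI-BROAD:", search_events(log, rule_id="SQLI-BROAD"))
```

Reading the output from the bottom of the event log up is the tuning loop the page describes: a rule whose simulate-mode events are dominated by legitimate visitors (here SQLI-BROAD matching "select your seat") is a candidate to refine or switch off before it is ever put into block mode.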

Real-time reporting

Robust logging lets you see what’s happening instantaneously. Reporting on WAF events shows what actions have been taken in response to the rules you have set up. Search by IP address or rule ID to narrow down to a specific WAF event for further fine-tuning.

[Screenshot: WAF events dashboard]

The WAF Events report shows what actions the WAF has taken against specific web threats.

Get started

The WAF is available as part of the Pro, Business and Enterprise plans. These plans offer a broad range of security and performance benefits, all for a flat monthly fee. Compare plans here.

Contact us for Enterprise inquiries

CloudFlare makes more than 2,000,000 web properties faster and safer. Join today!
