Cloud Web Application Firewall

Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site request forgery with no changes to your existing infrastructure.

444,528,000

WAF rules triggered in the last day


Automatic WAF Updates

Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. When we find threats that apply to a large portion of our users, we automatically apply WAF rules to protect their Internet properties. Let us take care of tracking state-of-the-art hacking techniques so you can focus on creating useful features instead of protecting them from would-be attackers.

On-premise firewalls quickly become outdated and require professional service hours to regularly update rules to protect against new threats. Cloudflare’s WAF helps you stay ahead of threats by automatically updating when new security vulnerabilities are released. Rules created by Cloudflare in response to new threats are responsible for mitigating the vast majority of threats on our network. While traditional OWASP rules and customer specific rules are important, they are not enough without Cloudflare's automatic WAF updates.

Collective Intelligence

Cloudflare sees roughly 5.5 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.

When one customer requests a new custom WAF rule, we analyze whether it applies to all 16 million domains on our network. If it does, we automatically apply that rule to everybody on our network. The more web properties on our network, the stronger our WAF gets, and the safer the Cloudflare community becomes.

Define Firewall Rules to Stop Malicious Traffic

Quickly build granular firewall rules to stop emerging and sophisticated threats. A rule can be based upon multiple request attributes such as user-agent, path, country, query string, IP address, and more.

Address your specific use cases, including:

  • Block bad crawlers
  • Allow valid user-agents specific to routes and endpoints
  • Stop malicious injection attacks using URL parameters

Use an intuitive rule builder that also supports regular expressions (regex), then deploy globally to over 180 data centers in seconds.

Programmatically create rules that block potential threats in near-real time by integrating the API with SIEMs, internal alerting systems, or vulnerability scanners.
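As an added example (not Cloudflare’s code and not from this page), the script below turns the three use cases above plus a SIEM-supplied blocklist into firewall rule expressions and the JSON body to deploy them through the API. The expression fields and operators are Cloudflare’s rule language; the API path, payload layout and all sample values are assumptions.

```python
import ipaddress
import json
import re

# Fields/operators (http.user_agent, http.request.uri.path, ip.src, "matches",
# "contains", "in {...}") come from Cloudflare's rule expression language;
# the API path and payload layout are assumptions made for this example.
API = "https://api.cloudflare.com/client/v4/zones/{zone}/firewall/rules"


def quote(s: str) -> str:
    """Quote a string literal for the expression language."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def block_bad_crawlers(agents):
    """Block any request whose User-Agent contains one of the given markers."""
    parts = [f"lower(http.user_agent) contains {quote(a.lower())}" for a in agents]
    return "(" + " or ".join(parts) + ")"


def restrict_route_to_agents(path_prefix, agent_regex):
    """Block a route unless the User-Agent matches an allowed regex."""
    re.compile(agent_regex)  # reject a broken pattern before it reaches the API
    path_re = "^" + re.escape(path_prefix)
    return (f"(http.request.uri.path matches {quote(path_re)} "
            f"and not http.user_agent matches {quote(agent_regex)})")


def block_query_injection(patterns):
    """Block requests whose query string matches any injection signature."""
    parts = [f"http.request.uri.query matches {quote(p)}" for p in patterns]
    return "(" + " or ".join(parts) + ")"


def block_sources(ips):
    """Block IPs/CIDRs pushed from a SIEM; a malformed entry raises ValueError."""
    nets = []
    for ip in ips:
        n = ipaddress.ip_network(ip, strict=False)
        nets.append(str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n))
    return "(ip.src in {" + " ".join(nets) + "})"


def build_payload(rules):
    """JSON body for POST .../firewall/rules: one rule per (description, action, expr)."""
    return json.dumps([{"filter": {"expression": e}, "action": a, "description": d}
                       for d, a, e in rules])


if __name__ == "__main__":  # constructed sample values
    print(build_payload([
        ("bad crawlers", "block", block_bad_crawlers(["python-requests", "masscan"])),
        ("admin route agents", "block", restrict_route_to_agents("/admin", "^Mozilla/5\\.0")),
        ("query injection", "block", block_query_injection(["(?i)union\\s+select", "<script"])),
        ("siem blocklist", "block", block_sources(["203.0.113.7", "198.51.100.0/24"])),
    ]))
```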

Multi-Cloud Holistic Security Framework

Cloudflare offers a single source of control for the security of websites, applications, and APIs, hosted across multiple cloud environments. Multi-cloud security provides visibility into security events, while allowing for consistent security controls, across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.

Built for Performance

At Cloudflare, we’re just as concerned with performance as with security. Our web application firewall sits on the same Anycast network that powers our global CDN, HTTP/2, and web optimization features. Our WAF rule sets result in latency of less than 1 millisecond.

<1ms

Latency for web visitors

30s

Worldwide rule propagation

PCI Compliance

Utilizing Cloudflare’s WAF helps you cost-effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 gives you two options to meet the requirement:

  • Deploy a WAF in front of your website
  • Or, conduct application vulnerability security reviews of all of your in-scope web applications

OWASP, Application-Specific, and Custom Rules

Cloudflare’s WAF protects your web properties from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules that you can apply with the click of a button. Business and Enterprise customers can also request custom WAF rules to filter out specific attack traffic.

OWASP Top 10 Vulnerabilities

  • Injection
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Protecting Against Zero-Day Vulnerabilities

Cloudflare security engineers have dealt with a lot of zero-day vulnerabilities over the years. Read our developer blog to learn how every website on our network benefits from their virtual patches.

A Look at the New WP Brute Force Amplification Attack

A vulnerability in the XML-RPC (XML remote procedure call) interface allowed potentially thousands of brute-force password attempts in a single HTTP request.


The Joomla Unserialize Vulnerability

The Joomla Unserialize Vulnerability allowed remote code execution via poorly sanitized User-Agent and X-Forwarded-For headers.


Protection Against Critical Windows Vulnerability (CVE-2015-1635)

Cloudflare WAF protected users from a critical bug that allowed unprivileged users to hang a Windows web server.


Threat Blocking & Privacy Features

Collective intelligence to identify new threats

Reputation-based threat protection

Comment spam protection

Block or challenge visitors by IP address

Block or challenge visitors by AS number

Block or challenge visitors by country code

Security level configuration

Differentiate between humans and bots using Tor

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /mo, per website
For personal websites, blogs, and anyone who wants to explore Cloudflare.


The Free Plan includes all of these features:
  • Unmetered Mitigation of DDoS
  • Global CDN
  • Shared SSL certificate
  • Access to account Audit Logs
  • 3 page rules
Pro $ 20 /mo per website
For professional websites, blogs, and portfolios requiring basic security and performance.


The Pro Plan includes everything in Free, and:
  • Web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • Access to account Audit Logs
  • 20 page rules
Business $ 200 /month per website
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.


The Business Plan includes everything in Pro, and:
  • Web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Bypass Cache on Cookie
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized email support
  • Access to account Audit Logs
  • 50 page rules
Enterprise contact us
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.


The Enterprise Plan includes everything in Business, and:
  • 24/7/365 enterprise-grade phone, email, and chat support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Enterprise-grade DDoS protection with network prioritization
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to Raw Logs
  • Access to account Audit Logs
  • Dedicated solution and customer success engineers
  • Access to China CDN data centers (Additional Cost)
  • 100 page rules

Trusted By

Over 16,000,000 Internet Applications and APIs

Technical Details

Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default, as well as the following application-specific rule sets:

  • Drupal
  • WordPress
  • Joomla
  • Flash
  • Magento
  • PHP
  • Plone
  • WHMCS
  • Atlassian Products

You can enable entire rule sets or select individual rules that you want to apply to your website. For content management systems that use an admin interface, it’s possible to create a Cloudflare Page Rule to apply stronger WAF rules to your admin section.

Business and Enterprise customers can request custom WAF rules by providing attack traffic logs and suggesting the appropriate mod_security rule syntax.

Cloudflare WAF also includes an IP firewall that lets you whitelist or blacklist traffic based on IP address, IP ranges, Autonomous System Number (ASN), or country (including Tor).