Skip to content

Concepts

The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and API requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language.

Rules and rulesets

A rule defines a filter and an action to perform on the incoming requests that match the filter.

A ruleset is an ordered set of rules that you can apply to traffic on the Cloudflare global network.

Main components

The Cloudflare WAF includes:

Detection versus mitigation

The two main roles of the Cloudflare WAF are the following:

  • Detection: Run incoming requests through one or more traffic detections to find malicious or potentially malicious activity. The scores from enabled detections are available in the Security Analytics dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules.

  • Mitigation: Blocks, challenges, or throttles requests through different mitigation features such as custom rules, Managed Rules, and rate limiting rules. Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests.

Available traffic detections

The WAF currently provides the following detections for finding security threats in incoming requests:

  • Bot score: Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human).
  • Attack score: Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious).
  • Malicious uploads: Scans content objects, such as uploaded files, for malicious signatures like malware.

To enable traffic detections in the Cloudflare dashboard, go to your domain > Security > Settings.


Rule execution order

Cloudflare evaluates different types of rules when processing incoming requests. The rule execution order is the following:

  1. Firewall rules (deprecated)
  2. Custom rulesets
  3. Custom rules
  4. Rate limiting rules
  5. WAF Managed Rules
  6. Cloudflare Rate Limiting (previous version, deprecated)

Rules are evaluated in order. If there is a match for a rule with a terminating action, the rule evaluation will stop and the action will be executed immediately. Rules with a non-terminating action (such as Log) will not prevent subsequent rules from being evaluated and executed. For more information on how rules are evaluated, refer to Rule evaluation in the Ruleset Engine documentation.

For more information on the phases where each WAF feature will execute, refer to WAF phases.