Cloudflare WAF
Block the latest attacks with our industry-leading web application firewall (WAF)
The Cloudflare WAF uses threat intelligence and machine learning powered by platform intelligence from the Cloudflare connectivity cloud to stop the newest threats, including zero-days.
The Cloudflare global network processes 126 million HTTP requests per second at peak, providing unparalleled protection against the latest attacks, including zero-day exploits.
The Cloudflare WAF uses machine learning to automatically block emerging threats in real time.
Customers can set up the WAF with just a few clicks, and our WAF integrates with the rest of our application security for full coverage. No training or professional services needed.
On top of OWASP rules, Cloudflare-managed rules offer fast zero-day protection, and custom rulesets enable organizations to tailor their WAF to implement organization-specific policies.
The Cloudflare WAF runs on the Cloudflare global network and sits in front of web applications to stop a wide range of real-time attacks using powerful rulesets, advanced rate limiting, exposed credential checks, uploaded content scanning, and other security measures.
The WAF integrates with our analyst-recognized, industry-leading application security portfolio for comprehensive protection.
“With the Cloudflare platform, we're getting very high-powered, very technical [application security] detection and protections that take little to no effort to deploy — that's especially important for our organizations that already struggle with limited resources.”
Deputy Director and Interim State CISO
Top WAF use cases
Cloudflare uses core OWASP Top 10 rules to block the most widespread layer 7 attacks.
Our WAF prevents account takeover by detecting and blocking the use of stolen or exposed user login credentials.
WAF content scanning protects your web servers and enterprise network from malware by scanning files as they are uploaded to your application.
Pro
Per month
When billed annually or $25 / mo if billed monthly
For professional websites that aren't business-critical.
Business
When billed annually or $250 / mo if billed monthly
For small businesses operating online.
Contract
Billed annually
For mission-critical applications that are core to your business.
New Externa packages available
Cloudflare Web Application Firewall's intuitive dashboard enables users to build powerful rules through easy clicks and also provides Terraform integration. Every request to the WAF is inspected against the rule engine and the threat intelligence curated from protecting millions of websites. Suspicious requests can be blocked, challenged, or logged per the needs of the user while legitimate requests are routed to the destination, agnostic of whether it lives on-premises or in the cloud.
Cloudflare DDoS protection secures websites and applications while ensuring the performance of legitimate traffic is not compromised.
Mirage automatically optimizes image loading through virtualized and lazy-loaded images. It detects the visitor's browser type and optimizes performance for that device, improving image performance on mobile connections.
Polish applies "lossless" or optional "lossy" image optimization to reduce your image sizes by 35% on average.
Tickets + community forums
Tickets + chat + community forums
Tickets 24x7x365 + chat + phone + community forums
Manage good and bad bots in real time with speed and accuracy by harnessing the data from the millions of Internet properties on Cloudflare.
Easy-to-detect bots
Sophisticated bots and basic bot analytics
All bots, anomaly detection, custom CAPTCHAs & threat response, advanced bot analytics, and more
The Cloudflare WAF is a web application firewall that utilizes threat intelligence and machine learning from Cloudflare's connectivity cloud to protect web applications from various real-time attacks, including zero-day threats.
The Cloudflare WAF offers several benefits, including global threat intelligence from its vast network, detection of new threats using machine learning, quick deployment and simple management, and both managed and custom rulesets for tailored protection.
The Cloudflare WAF operates on Cloudflare's global network. Positioned in front of web applications, it stops a variety of attacks through powerful rulesets, advanced rate limiting, exposed credentials detection, and content upload scanning. The Cloudflare WAF has rulesets that are continually updated to block the latest threats, in addition to the top OWASP threats. Using machine learning, Cloudflare identifies new and emerging threats in real time, and updates its WAF rules to block those threats. The WAF also integrates with Cloudflare's other application security services for comprehensive protection.
The Cloudflare WAF helps prevent common attacks like SQL injection and cross-site scripting by applying core OWASP Top 10 rules. It also stops credential stuffing by identifying and blocking the use of stolen login information, and it detects malware in uploaded files to protect web servers and enterprise networks. Using machine learning, the Cloudflare WAF can also identify and block new and emerging attacks that are not in the OWASP Top 10.
The Cloudflare WAF is designed for fast deployment, requiring only a few clicks to set up. It integrates easily with other application security services, eliminating the need for internal teams to receive extensive training.