Overview
Get started
Concepts
WAF attack score
Uploaded content scanning

Get started
Example rules
Common API calls
Custom rules
Create in the dashboard
Create via API
Configure a rule with the Skip action

API examples
Skip options

Common use cases

Allow traffic from IP addresses in allowlist only
Allow traffic from search engine bots
Allow traffic from specific countries only
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Block traffic from specific countries
Challenge bad bots
Configure token authentication
Exempt partners from Hotlink Protection
Require a specific cookie
Require known IP addresses in site admin area
Require specific HTTP headers
Require specific HTTP ports
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update custom rules for customers or partners

Custom rulesets

Use the dashboard
Use the API
Rate limiting rules
Request rate calculation
Create in the dashboard for a zone
Create in the dashboard for an account
Create via API
Find appropriate rate limit
Rate limiting parameters
Rule examples
Best practices
Managed rules
Deploy in the dashboard for a zone
Deploy in the dashboard for an account
Deploy via API
Handle false positives
Create exceptions

Add an exception in the dashboard
Add an exception via API

Log the payload of matched rules

Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Store decrypted matched payloads in logs
Command-line operations

Generate a key pair
Decrypt the payload content

Check for exposed credentials

How it works
Configure via API
Test your configuration
Monitor exposed credentials events

Rulesets reference

Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset

Concepts
Example
Configure in the dashboard
Configure via API
Configure in Terraform

Cloudflare Exposed Credentials Check Managed Ruleset
Cloudflare Sensitive Data Detection
Additional tools
Lists

Custom lists
Bulk Redirect Lists
Managed Lists
Create in the dashboard
Use lists in expressions
Lists API

JSON object
Endpoints

IP Access rules

Create a rule
Parameters
Actions

Scrape Shield

Email Address Obfuscation
Server-side Excludes (SSE)
Hotlink Protection

User Agent Blocking
Zone Lockdown
Browser Integrity Check
Challenge Passage
Privacy Pass
Replace insecure JS libraries
Security Level
Analytics
Security Analytics
Security Events

Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Challenges
迁移指南

WAF Managed Rules migration
Firewall Rules to WAF custom rules migration
Rate limiting (previous version) deprecation

Legacy features

WAF managed rules (previous version)

Troubleshooting

Rate Limiting (previous version)

Troubleshooting
Troubleshooting
Bing's Site Scan blocked by a managed rule
Issues sharing to Facebook
SameSite cookie interaction with Cloudflare
FAQ
Glossary
Changelog
General updates
Scheduled changes
2024-06-18 - Emergency
2024-06-06 - Emergency
2024-05-30 - Emergency
2024-05-29 - Emergency
2024-05-21
2024-05-14
2024-05-08
2024-05-06
2024-04-24
2024-04-22
2024-04-16 - Emergency
2024-04-15
2024-04-08
2024-03-18
2024-03-11
2024-03-04
2024-02-26
2024-02-20
2024-02-12
2024-02-05
2024-01-22 - Emergency
2024-01-17 - Emergency
2024-01-16
2024-01-04
Historical (2023)
Historical (2022)
Historical (2021)
Historical (2020)
Historical (2019)
Historical (2018)

Scheduled changes

Announcement Date	Release Date	Release Behavior	Legacy Rule ID	Rule ID	Description	Comments
2024-07-03	2024-07-10	Log	100700_BETA	`...d4c44dad`	Apache SSRF vulnerability CVE-2021-40438 Beta	This will replace rule 100700 in old WAF and `...69fe1e0d` in new WAF
2024-07-03	2024-07-10	Log	100648	`...98760cfd`	Groovy - Remote Code Execution	New Detection
2024-07-03	2024-07-10	Log	100079A	`...afae3d67`	Java - Deserialization - 2	New Detection
2024-07-03	2024-07-10	Log	100656	`...b57f700d`	MoveIT - Auth Bypass - CVE:CVE-2024-5806	New Detection
2024-07-03	2024-07-10	Log	100647	`...85c293eb`	pgAdmin - Remote Code Execution - CVE:CVE-2024-3116	New Detection
2024-07-03	2024-07-10	Log	100655	`...ff9f8ca6`	Rejetto HTTP File Server - Remote Code Execution - CVE:CVE-2024-23692	New Detection
2024-07-03	2024-07-10	Log	100654	`...a0c03e6f`	Telerik Report Server - Auth Bypass - CVE:CVE-2024-4358, CVE:CVE-2024-1800	New Detection