The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on sets of rules called rulesets. The matching engine that powers the WAF rules supports the wirefilter syntax using the Rules language.

Rules and rulesets

Refer to the Ruleset Engine documentation for more information on the following concepts:

  • Rule: Defines a filter and an action to perform on the incoming requests that match the filter.
  • Ruleset: An ordered set of rules that you can apply to traffic on the Cloudflare global network.

WAF Managed Rules

WAF Managed Rules allows you to deploy managed rulesets preconfigured by Cloudflare, and adjust their rules’ behavior if necessary.

When you enable these managed rulesets, you get immediate protection from a broad set of security rules that are regularly updated. Each of these rules has a default action that varies according to the severity of the rule.

You can override the default action or disable one or more rules included in managed rulesets. To customize the rules' behavior, you define specific configurations, or overrides.

You can define a configuration that affects an entire managed ruleset, or configure the action and status of one or more rules in the ruleset. Rules have associated tags that allow you to search for a specific group of rules and configure them in bulk.
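The three override scopes described above (entire ruleset, tag, single rule) can be audited offline to see which rules end up weaker than their defaults. This is an added example, not Cloudflare code: the rule ids, tags and default actions are constructed, the override keys are modeled on the Rulesets API overrides object, and the precedence (rule over tag over ruleset) is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ManagedRule:
    id: str
    tags: frozenset
    default_action: str
    enabled: bool = True

# Constructed sample data (hypothetical ids and tags, not a real managed ruleset).
RULES = [
    ManagedRule("rule-sqli-001", frozenset({"sqli"}), "block"),
    ManagedRule("rule-wp-001", frozenset({"wordpress"}), "block"),
    ManagedRule("rule-wp-002", frozenset({"wordpress", "xss"}), "log"),
    ManagedRule("rule-xss-001", frozenset({"xss"}), "managed_challenge"),
]
OVERRIDES = {
    "action": "log",                                               # entire ruleset
    "categories": [{"category": "wordpress", "action": "block"}],  # by tag
    "rules": [{"id": "rule-wp-002", "enabled": False}],            # single rule
}

def effective_config(rule, overrides):
    """Return (action, enabled) for one rule after applying overrides.

    Layers are applied from least to most specific, so a later layer wins:
    ruleset-wide, then matching tags, then the rule itself (assumed order).
    """
    layers = [overrides]
    layers += [c for c in overrides.get("categories", []) if c["category"] in rule.tags]
    layers += [r for r in overrides.get("rules", []) if r["id"] == rule.id]
    action, enabled = rule.default_action, rule.enabled
    for layer in layers:
        action = layer.get("action", action)
        enabled = layer.get("enabled", enabled)
    return action, enabled

def weakened(rules, overrides):
    """List rules that overrides disable or move away from a default 'block'."""
    findings = []
    for rule in rules:
        action, enabled = effective_config(rule, overrides)
        if not enabled or (rule.default_action == "block" and action != "block"):
            findings.append((rule.id, action, enabled))
    return findings

if __name__ == "__main__":
    for rule_id, action, enabled in weakened(RULES, OVERRIDES):
        print(f"{rule_id}: effective action={action} enabled={enabled}")
```

A ruleset-wide `log` override silently downgrades every blocking rule that no tag or rule override restores, which is what the `rule-sqli-001` finding shows.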

Rule execution order

Cloudflare evaluates different types of rules when processing incoming requests. The rule execution order is the following:

  1. Firewall rules
  2. Custom rulesets
  3. Custom rules
  4. Rate limiting rules
  5. WAF Managed Rules
  6. Rate Limiting (previous version)

For more information on the Ruleset Engine phases where each WAF feature will execute, refer to WAF phases.