WAF Introduction -- Core Rules and Managed Rulesets
In this tutorial you'll learn how the Cloudflare WAF works: its managed rulesets, rule phases and actions, how to deploy and test rules, and how to read security events and tune the configuration.
The Cloudflare Web Application Firewall (WAF) is a rules-based security layer that inspects incoming HTTP requests and blocks, challenges, or logs traffic matching defined attack patterns. It includes pre-built managed rulesets (Cloudflare Managed, OWASP, and technology-specific rules) as well as custom rules you write yourself. The WAF operates at Cloudflare's edge network, filtering traffic before it reaches your origin server.
Why WAF Matters
Web application attacks -- SQL Injection, cross-site scripting (XSS), remote file inclusion, and Command Injection -- are among the most common and damaging security threats. A WAF acts as a shield between the internet and your application, blocking malicious payloads without requiring changes to your application code. For organizations without dedicated security teams, managed rulesets provide production-grade protection out of the box. For security teams, the WAF offers granular control with custom rules, Rate Limiting, and bot management integration.
Real-World Use Case
A SaaS platform running a PHP application on shared hosting was hit by a SQL Injection attack that exfiltrated user data. After migrating behind Cloudflare and enabling the Cloudflare Managed Ruleset with WAF, the same attack payloads were blocked at the edge. The application code remained unchanged. Over the next six months, the WAF blocked an average of 1,500 SQL Injection attempts per week without any false positives affecting legitimate users.
WAF Architecture and Rule Processing
flowchart TD
R[Incoming Request] --> P[Phase 1: Request Review]
P --> M[Cloudflare Managed Ruleset]
M --> O[OWASP Core Ruleset]
O --> C[Custom Rules]
C --> E[Rate Limiting]
E --> A[Allow / Block / Challenge / Log]
A -->|Block| D[Drop Request]
A -->|Challenge| J[JS Challenge or CAPTCHA]
A -->|Allow| F[Forward to Origin]
A -->|Log| F
style M fill:#3498db,color:#fff
style O fill:#9b59b6,color:#fff
style C fill:#e67e22,color:#fff
style D fill:#e74c3c,color:#fff
WAF rules are evaluated in phases. Cloudflare Managed Rules run first, followed by OWASP rules, then custom rules, and finally Rate Limiting. Each rule can produce one of four actions: Block (drop the request), Challenge (present a JS challenge or CAPTCHA), Allow (skip remaining rules), or Log (record for analytics).
Enabling Cloudflare Managed Ruleset
# List available managed rulesets for a zone
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/rulesets" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -c "
import sys, json
data = json.load(sys.stdin)
for rs in data['result']:
    if 'managed' in rs.get('kind', '') or 'managed' in rs.get('phase', ''):
        print(f'ID: {rs[\"id\"]}, Name: {rs[\"name\"]}, Phase: {rs.get(\"phase\", \"\")}')
"
# Expected output:
# ID: cloudflare-managed-ruleset-id, Name: Cloudflare Managed Ruleset, Phase: http_request_firewall_managed
Managed rulesets are pre-built by Cloudflare and cover the OWASP Top 10, common CVEs, and platform-specific attacks. You can deploy them with default settings or customize individual rule actions and sensitivity levels.
Deploying the Cloudflare Managed Ruleset
# Deploy Cloudflare Managed Ruleset with recommended settings
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/rulesets" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Default WAF Ruleset",
    "kind": "zone",
    "phase": "http_request_firewall_managed",
    "rules": [
      {
        "action": "execute",
        "action_parameters": {
          "id": "CLOUDFLARE_MANAGED_RULESET_ID",
          "version": "latest"
        },
        "expression": "true",
        "description": "Deploy Cloudflare Managed Ruleset"
      }
    ]
  }' | python3 -m json.tool
# Expected output:
# {
#   "result": {
#     "id": "new-ruleset-id",
#     "name": "Default WAF Ruleset",
#     "rules": [
#       {
#         "id": "rule-id",
#         "action": "execute",
#         "description": "Deploy Cloudflare Managed Ruleset",
#         "enabled": true
#       }
#     ]
#   },
#   "success": true
# }
The ruleset is deployed at the zone level. The "expression": "true" means it applies to all incoming requests. You can scope it to specific paths, hostnames, or countries by changing the expression.
Testing WAF Rules
# Simulate a SQL injection attack to verify WAF blocking
curl -s "https://example.com/search?q=1%27%20OR%20%271%27%3D%271" | head -5
# Expected output (WAF blocks it):
# <html>
# <head><title>Attention Required! | Cloudflare</title></head>
# <body>
# <h1>This request was blocked by Cloudflare</h1>
# Simulate an XSS attack
curl -s "https://example.com/search?q=<script>alert(1)</script>" | head -5
# Expected output (WAF blocks it):
# <html>
# <head><title>Attention Required! | Cloudflare</title></head>
When the WAF detects a malicious payload, it returns a Cloudflare block page (HTTP 403). Legitimate requests pass through normally. Test these payloads on your staging environment first to understand what gets blocked and to tune the ruleset sensitivity.
Viewing WAF Event Logs
# Get recent WAF events for a zone
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/security/events" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "limit": 5,
    "actions": ["block", "challenge"],
    "ray_ids": []
  }' | python3 -c "
import sys, json
data = json.load(sys.stdin)
for event in data['result']:
    print(f'Time: {event[\"occurred_at\"]}, Action: {event[\"action\"]}, Rule: {event.get(\"rule_id\", \"N/A\")}, Path: {event.get(\"request\", {}).get(\"path\", \"N/A\")}')
"
# Expected output:
# Time: 2025-06-22T14:30:00Z, Action: block, Rule: cloudflare-managed-sqli, Path: /search
# Time: 2025-06-22T14:29:00Z, Action: challenge, Rule: cloudflare-managed-xss, Path: /comment
Security event logs show which rules triggered, what action was taken, and the request details. Review these logs regularly to fine-tune your WAF configuration. A high number of false positives indicates the ruleset sensitivity is too strict for your application.
Common Errors and Troubleshooting
WAF Blocking Legitimate Traffic
If the WAF blocks legitimate requests (false positives), add an allow rule above the managed ruleset. For example, if your API uses JSON payloads that trigger SQL Injection patterns, create a custom rule that allows requests to /api/ before the managed ruleset evaluates them.
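The following Python script is an added example (not code from this page or from Cloudflare) that ties the event review described under "Viewing WAF Event Logs" to the exception rule described here. It takes events in the shape the page's /security/events call prints, counts hits per rule and action, flags block/challenge events on paths you have explicitly declared as trusted as false-positive candidates, and builds the exception as a scoped custom rule. The sample events are constructed. The generated rule assumes the custom-rules phase name http_request_firewall_custom, the skip action with action_parameters.phases, and the rules-language function starts_with(); confirm those names against the current Cloudflare API reference before deploying.

```python
import json
from collections import Counter

# Constructed sample events in the shape the page's /security/events call
# prints (occurred_at, action, rule_id, request.path). Not real log data.
SAMPLE_EVENTS = [
    {"occurred_at": "2025-06-22T14:30:00Z", "action": "block",
     "rule_id": "cloudflare-managed-sqli", "request": {"path": "/search"}},
    {"occurred_at": "2025-06-22T14:29:00Z", "action": "challenge",
     "rule_id": "cloudflare-managed-xss", "request": {"path": "/comment"}},
    {"occurred_at": "2025-06-22T14:28:00Z", "action": "block",
     "rule_id": "cloudflare-managed-sqli", "request": {"path": "/api/orders"}},
    {"occurred_at": "2025-06-22T14:27:00Z", "action": "block",
     "rule_id": "cloudflare-managed-sqli", "request": {"path": "/api/orders"}},
    {"occurred_at": "2025-06-22T14:26:00Z", "action": "block",
     "rule_id": "cloudflare-managed-rfi", "request": {"path": "/api/reports"}},
]

# Paths whose traffic you have verified as legitimate (for example a JSON API
# whose request bodies contain SQL-like strings). Declare this list yourself;
# never derive it from the events, or attacker-chosen paths get exempted too.
TRUSTED_PREFIXES = ["/api/"]

# Phase that the exception skips: the managed ruleset phase named on the page.
MANAGED_PHASE = "http_request_firewall_managed"


def summarize(events):
    """Count events per (rule_id, action) so noisy rules stand out."""
    return Counter((e.get("rule_id", "N/A"), e["action"]) for e in events)


def false_positive_candidates(events, trusted_prefixes):
    """Return {rule_id: count} of block/challenge events on trusted paths.

    These are candidates only: confirm each one in the event details before
    treating it as a false positive.
    """
    hits = Counter()
    for e in events:
        path = e.get("request", {}).get("path", "")
        if e["action"] not in ("block", "challenge"):
            continue
        if any(path.startswith(p) for p in trusted_prefixes):
            hits[e.get("rule_id", "N/A")] += 1
    return dict(hits)


def build_skip_rule(path_prefix, description):
    """Build one custom rule that skips the managed phase for a path prefix.

    Assumed names (verify against the Cloudflare API reference): action
    "skip" with action_parameters.phases, and starts_with() in the rules
    language. The rule is scoped to the prefix only, so the managed ruleset
    keeps protecting every other path.
    """
    return {
        "action": "skip",
        "action_parameters": {"phases": [MANAGED_PHASE]},
        "expression": f'starts_with(http.request.uri.path, "{path_prefix}")',
        "description": description,
        "enabled": True,
    }


def build_custom_ruleset(trusted_prefixes):
    """Request body for the custom-rules phase (assumed phase name)."""
    return {
        "name": "WAF exceptions",
        "kind": "zone",
        "phase": "http_request_firewall_custom",
        "rules": [build_skip_rule(p, f"Skip managed rules for {p}")
                  for p in trusted_prefixes],
    }


if __name__ == "__main__":
    for (rule, action), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {action:<9} {rule}")
    print("false-positive candidates:",
          false_positive_candidates(SAMPLE_EVENTS, TRUSTED_PREFIXES))
    print(json.dumps(build_custom_ruleset(TRUSTED_PREFIXES), indent=2))
```

The printed ruleset body is deployed with the same kind of curl call shown under "Deploying the Cloudflare Managed Ruleset", just against the custom-rules phase. Keep the exception as narrow as the evidence supports: a skip scoped to one path prefix still removes every managed rule from that prefix, and Cloudflare also lets a skip rule name individual managed rules instead of the whole phase, which is the better choice when only one rule misfires.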
Managed Ruleset Too Strict or Too Lenient
Cloudflare Managed Rulesets have three sensitivity levels: Low, Medium, and High. Start with Medium and monitor false positives for a week. Increase to High if you see attacks slipping through. Decrease to Low if too many legitimate requests are blocked.
Rules Not Applying to Specific Paths
WAF rules apply to the entire zone by default. Use expressions to scope rules to specific paths, such as http.request.uri.path contains "/admin". This is useful for applying stricter rules to sensitive endpoints.
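The path scoping described here, together with the phase order and the four actions from "WAF Architecture and Rule Processing" above, as an added example that is not part of the original page and not Cloudflare's implementation: a small Python evaluator for a subset of the rules language (the literal true, eq, ne, contains, and not/and/or) plus a pipeline that walks the phases in the order the page gives them, with Block and Challenge stopping evaluation, Allow skipping the remaining rules, and Log recording the match and continuing. The rulesets and requests are constructed; the "managed" entry is a toy signature standing in for a real managed rule.

```python
import re

# Request fields the toy evaluator understands (names as in the rules language).
FIELDS = {
    "http.request.uri.path": lambda r: r["path"],
    "http.request.uri.query": lambda r: r["query"],
    "http.host": lambda r: r["host"],
    "http.request.method": lambda r: r["method"],
}

# One comparison: <field> <op> "<string literal>"
_ATOM = re.compile(r'^(\S+)\s+(eq|ne|contains)\s+"([^"]*)"$')


def evaluate(expression, request):
    """Evaluate a subset of the Cloudflare rules language against a request.

    Supports the literal true, single comparisons (eq, ne, contains) and
    not/and/or with the usual precedence (not > and > or). This toy version
    has no parentheses and no quoted literals containing ' and ' or ' or '.
    """
    expr = expression.strip()
    if expr == "true":
        return True
    if " or " in expr:
        return any(evaluate(p, request) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, request) for p in expr.split(" and "))
    if expr.startswith("not "):
        return not evaluate(expr[4:], request)
    m = _ATOM.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    field, op, literal = m.groups()
    value = FIELDS[field](request)
    if op == "eq":
        return value == literal
    if op == "ne":
        return value != literal
    return literal in value  # contains


# Phase order exactly as the page describes it.
PHASES = ["managed", "owasp", "custom", "rate_limit"]

# Constructed rulesets. The "managed" entry is a toy signature standing in for
# a real managed rule, not Cloudflare's logic.
RULESETS = {
    "managed": [
        {"description": "toy SQLi signature: single quote in query string",
         "expression": 'http.request.uri.query contains "\'"', "action": "block"},
    ],
    "owasp": [],
    "custom": [
        {"description": "challenge admin paths except on the staging host",
         "expression": 'http.request.uri.path contains "/admin" and http.host ne "staging.example.com"',
         "action": "challenge"},
        {"description": "log every POST for analytics",
         "expression": 'http.request.method eq "POST"', "action": "log"},
    ],
    "rate_limit": [],
}


def run_pipeline(rulesets, request):
    """Walk the phases in order and return (final_action, trace).

    Block and Challenge terminate evaluation, Allow skips the remaining rules,
    Log records the match and keeps going. A request matching nothing is
    forwarded (allow).
    """
    trace = []
    for phase in PHASES:
        for rule in rulesets.get(phase, []):
            if not evaluate(rule["expression"], request):
                continue
            trace.append((phase, rule["description"], rule["action"]))
            if rule["action"] in ("block", "challenge", "allow"):
                return rule["action"], trace
    return "allow", trace


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        {"path": "/search", "host": "www.example.com", "method": "GET", "query": "q=a'b"},
        {"path": "/admin/users", "host": "www.example.com", "method": "GET", "query": ""},
        {"path": "/admin/users", "host": "staging.example.com", "method": "POST", "query": ""},
        {"path": "/status", "host": "www.example.com", "method": "GET", "query": ""},
    ]
    for req in samples:
        action, trace = run_pipeline(RULESETS, req)
        print(f"{req['method']} {req['host']}{req['path']} -> {action} {trace}")
```

The second custom rule shows why the and/ne combination matters when scoping: the admin challenge fires on the production host but not on staging, and a staging POST still produces a log entry without stopping evaluation, which is the behaviour to expect from a Log action when you read the security events later.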
Delayed Rule Propagation
When you create or modify a WAF rule, it takes 30-60 seconds to propagate across Cloudflare's global edge network. During this window, old rules may still apply. Avoid making rapid consecutive changes while testing.
WAF Exhaustion on Very Large Requests
The WAF inspects the first portion of the request body. Very large request bodies (over 100 MB) may not be fully inspected. Solution: set a maximum request size at the origin or use Cloudflare's request size limits.
Practice Questions
- What four actions can a Cloudflare WAF rule perform?
- Which command simulates a SQL Injection payload to test WAF blocking?
- How can you scope a WAF rule to apply only to a specific URL path?
Summary
Cloudflare WAF provides defense-in-depth against web application attacks through managed rulesets, OWASP integration, and custom rules. The Cloudflare Managed Ruleset covers the OWASP Top 10 and common CVEs out of the box. WAF rules execute at the edge in phases -- managed, OWASP, custom, and Rate Limiting -- with four possible actions: allow, block, challenge, or log. Regular monitoring of security events and tuning of rule sensitivity ensures optimal protection without excessive false positives.
This guide is brought to you by the developers of Cloudflare, Web Security, and Durga Antivirus Pro at DodaTech.