Cloudflare Demo Shop

Web Application Firewall

Block SQL injection, XSS, command injection, and the rest of the OWASP Top 10 with managed rulesets plus your own custom rules — written once, enforced everywhere.

How do you keep up with web attacks you've never seen before?

New CVEs in popular frameworks (Spring4Shell, Log4Shell, MOVEit, ...) appear with little warning, and exploitation begins within hours. Your application can be patched in days — but in the meantime every request is a roll of the dice. On top of that, custom-built apps have their own logic flaws that no patch will ever fix, and they're constantly targeted by SQLi, XSS, and command-injection payloads.

How it fits together

Cloudflare WAF traffic flow
Every request is inspected against managed and custom rulesets before reaching your origin.

How Cloudflare solves it

Common questions

What happens when there's a new zero-day like Log4Shell?
Cloudflare's security team writes a mitigation rule and ships it to every zone in the Managed Ruleset, usually within hours of public disclosure. Customers on Cloudflare WAF were protected against Log4Shell, Spring4Shell, and MOVEit before most teams had even read the advisory.
Will the WAF break my legitimate traffic?
It can, if your app sends weird-looking payloads (e.g. encoded user input that resembles attacks). The mitigation is to start in log mode, watch for false positives in the WAF analytics, and exclude specific rules for specific paths. Cloudflare's tuning UI surfaces top false-positive rules with one-click exceptions.
Can I write rules that combine multiple signals (IP + path + header)?
Yes. The rules expression language supports boolean logic across any request field — country, ASN, headers, URI path, query string, body content, JA3 fingerprint, bot score, and more. You can build very surgical rules.
Does the WAF inspect request bodies?
Yes, up to a configurable size limit (default 128KB; higher on Enterprise). POST bodies, JSON payloads, and form data are all inspected for attack signatures.

Try it live

Fire real attack payloads against /api/waf/testattack. Cloudflare WAF rules configured on the demo zone evaluate each request — successful blocks return 403 and never reach the Worker. Unblocked attacks reach the Worker and return the simulated exploit data.

Pick an attack. The request goes to /api/waf/testattack?type=<attack>. A properly-tuned WAF rule on this zone will block it before the Worker ever sees the request — you'll get a 403 challenge or block page. If the rule misses, the Worker returns simulated exploit data showing what an attacker would have gotten.

Docs & blogs

← Back to all solutions