Web Application Firewall (WAF)

The Cloudflare WAF provides both automatic protection from vulnerabilities and the flexibility to create custom rules. The order of the rule tabs below reflects the sequence in which traffic is processed, with the exception of Tools.


A. Firewall Rules

    1. Matching Challenge (Known bot traffic): As it is important to allow this traffic, we handle it with a challenge.

  • Known bots (cf.client.bot) is a Cloudflare-defined list of known good bots, which includes bots from Google, Apple, Bing, LinkedIn, Pingdom, and Yahoo. It is recommended to add cf.client.bot to an Allowed rule to avoid blocking good crawlers, which could affect your SEO and monitoring. The challenge can be set to the Cloudflare “Managed Challenge”.


    2. Threat Score Challenge:

  • The Cloudflare Threat Score is a key item behind the Security Level functionality in the Cloudflare dashboard.

  • (cf.threat_score ge 20)



Enabling a high threat score for sensitive areas, like comment form pages or login forms, can add an effective level of protection. Integrating Threat Score with firewall rules is advantageous because you can specify a CAPTCHA vs. a JS Challenge, or even a block. You can also exclude IP addresses using "and not" logic.

Threat Score as configured by Security Level is based on:

  • High - for scores greater than 0

  • Medium - for scores greater than 14

  • Low - for scores greater than 24

  • Essentially off - for scores greater than 49

    3. Good Bot Rule:

  • A "good" bot is any bot that performs useful or helpful tasks that aren't detrimental to a user's experience on the Internet. Because good bots can share similar characteristics with malicious bots, the challenge is ensuring good bots aren’t blocked when putting together a bot management strategy.

  • It's especially important that search engine web crawler bots don't get blocked, because without them a website can't show up in search results.

    4. Security Scan Bot:

  • Bots that scan content on webpages all over the internet to help Google and other search engines understand how best to answer users' search queries. Spiders download HTML and other resources, such as CSS, JavaScript, and images, and use them to process site content.


B. Rate Limiting

  • Protect your website and API from malicious traffic with rate limiting rules. Configure mitigation criteria and actions for better security.



    1. Managed Challenge - Protect Forgot Password:

  • Matches on the URI path and query string of the request and issues the challenge when it exceeds 10 requests in a 1-minute period.
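Before enabling a threshold like this, it helps to replay existing access logs against it and see which clients would have been challenged. The following is an added example, not Cloudflare's own code or counting algorithm: it models the 10-requests-per-minute limit as a per-client-IP sliding window. The path /forgot-password, the log line format and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 10                            # requests allowed per period (from the page)
PERIOD = timedelta(minutes=1)         # counting period (from the page)
PROTECTED_PATH = "/forgot-password"   # assumption: hypothetical endpoint path


def replay(log_lines, limit=LIMIT, period=PERIOD, path=PROTECTED_PATH):
    """Return (timestamp, ip, uri) for every request that exceeds the limit.

    Line format (constructed): '<ISO timestamp> <client ip> <method> <uri>'.
    Counters are kept per client IP (assumption) over a sliding window.
    Lines must be in chronological order.
    """
    windows = defaultdict(deque)
    flagged = []
    for line in log_lines:
        ts_raw, ip, _method, uri = line.split(maxsplit=3)
        if not uri.split("?", 1)[0].startswith(path):
            continue                  # the rule only covers the protected endpoint
        ts = datetime.fromisoformat(ts_raw)
        win = windows[ip]
        while win and ts - win[0] >= period:
            win.popleft()             # forget hits older than the period
        win.append(ts)
        if len(win) > limit:
            flagged.append((ts_raw, ip, uri))
    return flagged


def sample_log():
    """Constructed sample: one noisy client, one normal client, one other page."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{base.isoformat()} 203.0.113.7 GET /index.html"]
    for i in range(12):               # 12 requests within 33 seconds
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 POST /forgot-password?lang=en")
    for i in range(3):                # 3 requests, one per minute
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 198.51.100.4 POST /forgot-password")
    return sorted(lines)              # ISO timestamps sort chronologically


if __name__ == "__main__":
    for hit in replay(sample_log()):
        print("would be challenged:", *hit)
```

Run against real logs, the number of distinct legitimate clients in the output indicates whether the threshold is too tight for normal use.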


C. Managed Rules

  • Managed rules, a feature of Cloudflare WAF (Web Application Firewall), identify and remove suspicious activity for HTTP GET and POST requests.