Cloudflare WAF constantly monitors the Internet for new vulnerabilities and continually identifies and blocks new potential threats. When one customer requests a new custom WAF rule, Cloudflare security engineers analyze whether it applies to all Internet properties on their network. If it does, they will automatically apply it.
By default, WAF is disabled in the 101domain Cloudflare features panel.
To enabling WAF for a domain, please follow the steps provided:
- Log in to my.101domain.com.
- Select "Domain Names" from the main menu.
- Click on the domain name presented in the list or search for the domain name in the portfolio using the search field provided.
- In the CLOUDFLARE management box, click the grey WAF toggle switch in the "Enable Web Application Firewall" menu to turn it orange.
Upgrading to SWA Plus is required.
Which rules are available for WAF?
The Cloudflare WAF contains 3 packages:
- Cloudflare Managed Ruleset
- Package: OWASP ModSecurity Core Rule Set
- Customer Requested Rules
The Cloudflare Managed Ruleset contains security rules written and curated by Cloudflare. Cloudflare Specials is a Group that provides core WAF security against common attacks. Cloudflare recommends that you always leave Cloudflare Specials enabled. Additionally, only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the Cloudflare WordPress group.
For more information please visit, Understanding the Cloudflare Web Application Firewall (WAF) and Cloud Web Application Firewall.