Enabling SWA Web Application Firewall (WAF)

SWA Plus and SWA Professional enabled domains may enable the Cloudflare® extensive managed WAF rule sets for web assets passing through the Cloudflare global network. Cloudflare WAF identifies and removes suspicious activity, protecting your internet properties from automated attacks, common keywords used in comment spam, SQL injection, XSS JavaScript injections, and other real-time POST requests. 

Cloudflare WAF constantly monitors the Internet for new vulnerabilities and continually identifies and blocks new potential threats. When one customer requests a new custom WAF rule, Cloudflare security engineers analyze whether it applies to all Internet properties on their network. If it does, they will automatically apply it.


By default, WAF is disabled in the 101domain Cloudflare features panel.

To enabling WAF for a domain, please follow the steps provided: 

  1. Log in to my.101domain.com.
  2. Select "Domain Names" from the main menu.
  3. Click on the domain name presented in the list or search for the domain name in the portfolio using the search field provided.
  4. In the CLOUDFLARE management box, click the grey WAF toggle switch in the "Enable Web Application Firewall" menu to turn it orange.

Upgrading to SWA Plus is required.

Which rules are available for WAF?

The Cloudflare WAF contains 3 packages:

  • Cloudflare Managed Ruleset
  • Package: OWASP ModSecurity Core Rule Set
  • Customer Requested Rules

The Cloudflare Managed Ruleset contains security rules written and curated by Cloudflare. Cloudflare Specials is a Group that provides core WAF security against common attacks. Cloudflare recommends that you always leave Cloudflare Specials enabled. Additionally, only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the Cloudflare WordPress group.

For more information please visit, Understanding the Cloudflare Web Application Firewall (WAF) and Cloud Web Application Firewall