
Cloudflare Advanced WAF: Application Layer Protection Beyond the Basics

What Is the Advanced WAF?

Cloudflare’s Advanced WAF (Web Application Firewall) is a Layer 7 application security product that inspects HTTP and HTTPS traffic before it reaches your origin server. It goes significantly beyond a basic WAF by combining traditional signature-based detection with machine learning models, behavioral analysis, and Cloudflare’s global threat intelligence.

Every HTTP request passing through Cloudflare is inspected against the WAF ruleset. Malicious requests are blocked at the edge — your origin server never sees them.


What It Protects Against

OWASP Top 10 threats including:

  • SQL injection
  • Cross-site scripting (XSS)
  • Command injection
  • Local and remote file inclusion
  • XML external entity attacks (XXE)
  • Insecure deserialization
  • Server-side request forgery (SSRF)

Zero-day vulnerabilities. When a critical CVE drops (Log4Shell, Spring4Shell, etc.), Cloudflare deploys emergency WAF rules within hours — often before most organizations have even assessed whether they’re vulnerable. The Advanced WAF gives you that coverage automatically.

Account takeover attacks. Credential stuffing, brute force, and password spraying attempts are detected and blocked based on request patterns and Cloudflare’s threat intelligence.

API abuse. The WAF can inspect JSON and XML payloads, detect malformed API requests, and enforce schema validation against your API endpoints.


What Sets the Advanced Tier Apart

The standard WAF is rule-based. The Advanced WAF adds:

Leaked Credentials Detection — Cloudflare maintains a database of billions of compromised credential pairs from breach datasets. When a login request uses credentials that appear in that database, the WAF can flag or block it automatically — without you having to integrate a separate breach detection service.

WAF Attack Score (ML-based) — Every request receives an AI-generated attack score from 1–99 based on machine learning models trained on Cloudflare’s global traffic. This catches obfuscated or novel attacks that evade signature-based rules. You can set thresholds to block or challenge requests above a certain score.

Sensitive Data Detection — Identify and alert when responses contain patterns matching credit card numbers, Social Security numbers, or API keys being leaked from your application.

Advanced Rate Limiting — Combine WAF rules with rate limiting based on request characteristics, not just IP address. Rate limit based on cookies, headers, request body fields, or WAF rule matches.
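To make the "not just IP address" point concrete, here is an added example (my own illustration, not Cloudflare's rate limiting implementation) of a sliding-window limiter whose key is a function of the request: keyed by source IP it sees one request per address, keyed by the login name in the request body it sees every attempt against one account regardless of where it comes from. The request records, field names and thresholds are constructed for the demonstration.

```python
"""Rate limiting keyed on request characteristics rather than client IP.

Added illustration, not Cloudflare's code: a sliding-window counter whose
key is chosen per rule, so one login account hit from many source IPs is
still throttled. The request records below are constructed sample data.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

# Constructed sample requests (hypothetical fields, not Cloudflare's schema).
# Ten attempts against the account "alice", each from a different IP, then
# one ordinary login by "bob".
SAMPLE_REQUESTS = [
    {"t": 1.0 + i, "ip": f"203.0.113.{i}", "path": "/login",
     "body": {"username": "alice"}, "headers": {"X-Client": "web"}}
    for i in range(10)
] + [
    {"t": 12.0, "ip": "198.51.100.7", "path": "/login",
     "body": {"username": "bob"}, "headers": {"X-Client": "web"}},
]


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, key_fn: Callable[[dict], str]):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, request: dict) -> bool:
        """Return True if the request is allowed, False if it exceeds the limit."""
        key = self.key_fn(request)
        now = request["t"]
        hits = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def by_ip(req: dict) -> str:
    """Classic keying: one counter per source address."""
    return req["ip"]


def by_username(req: dict) -> str:
    """Key on a request body field (the login name), regardless of source IP."""
    return "user:" + req["body"].get("username", "")


def count_rejected(requests: List[dict], limiter: SlidingWindowLimiter) -> int:
    """Number of requests the limiter would have rejected, in arrival order."""
    return sum(0 if limiter.check(r) else 1 for r in requests)


if __name__ == "__main__":
    ip_limited = count_rejected(SAMPLE_REQUESTS, SlidingWindowLimiter(5, 60.0, by_ip))
    user_limited = count_rejected(SAMPLE_REQUESTS, SlidingWindowLimiter(5, 60.0, by_username))
    print(f"rejected with IP key: {ip_limited}, with username key: {user_limited}")
```

With a limit of 5 per 60 seconds, the IP-keyed limiter rejects nothing (each address only made one request) while the username-keyed limiter rejects the last five attempts against "alice" and leaves "bob" untouched. The same pattern applies to a cookie value, a session header or an API key: pick the key that identifies the thing being abused.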

Custom Rules with Full Ruleset Flexibility — Write custom firewall rules using Cloudflare’s expression language to handle application-specific logic that generic rulesets can’t cover.


Key Managed Rulesets

Ruleset                     Purpose
Cloudflare Managed Rules    Cloudflare’s own rules covering common attack patterns, updated continuously
OWASP Core Ruleset          Industry-standard OWASP ruleset tuned for low false positives
Exposed Credentials Check   Matches login requests against known compromised credential pairs
Free Managed Rules          Baseline protection enabled for all plans

Each managed ruleset can be tuned — individual rules can be set to log, challenge, or block independently. You’re not stuck with all-or-nothing.


Best Practices

Start in Log Mode, Then Enforce

Never deploy WAF rules directly in block mode against production traffic without first observing what they match. Set all rules to log for at least a week, review the logs for false positives, tune as needed, then flip to block. Skipping this step is how you block your own legitimate users.

Tune the OWASP Ruleset Paranoia Level

The OWASP Core Ruleset has four paranoia levels. Level 1 is conservative and low-noise. Level 4 is aggressive and will generate significant false positives without careful tuning. Start at level 1 or 2 and only increase if you need coverage for specific threat profiles.

Use WAF Attack Score as a Secondary Signal

Don’t rely solely on managed rules. Enable WAF Attack Score and set a custom rule to challenge or block requests with scores above a threshold (e.g., score > 50 = challenge, score > 85 = block). This catches obfuscated payloads that sneak past signature rules.

# Custom rule example
(cf.waf.score gt 85) → Block
(cf.waf.score gt 50 and cf.waf.score le 85) → Managed Challenge
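The log-mode review described under "Start in Log Mode, Then Enforce" and the tiered score policy above can be rehearsed offline before anything is set to block. The script below is an added example, not Cloudflare tooling: it parses a handful of constructed WAF event records (the field names are hypothetical stand-ins, not the exact Cloudflare log schema), tallies matches per rule, flags rules whose matches all came from a known-good source allowlist as candidates for an exception rather than a block, and counts how many observed requests each tier of the post's thresholds (score > 50 challenge, score > 85 block) would have affected. One thing to verify before copying the thresholds: Cloudflare's published attack-score scale assigns low scores (near 1) to requests it considers most likely malicious and high scores (near 99) to likely-clean ones, so confirm the direction of the scale against the current documentation and invert the comparisons if it does not match the convention used here.

```python
"""Reviewing log-mode WAF events before switching rules to block.

Added example, not Cloudflare's tooling. Event field names (ruleId,
clientIP, path, score) are hypothetical stand-ins for whatever your
log export actually carries.
"""
import ipaddress
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "action": "log", "ruleId": "owasp-942100", "clientIP": "198.51.100.10", "path": "/search", "score": 92}
{"ts": "2024-05-01T10:00:02Z", "action": "log", "ruleId": "owasp-942100", "clientIP": "203.0.113.5", "path": "/search", "score": 40}
{"ts": "2024-05-01T10:00:03Z", "action": "log", "ruleId": "owasp-913100", "clientIP": "192.0.2.8", "path": "/health", "score": 12}
{"ts": "2024-05-01T10:00:04Z", "action": "log", "ruleId": "owasp-913100", "clientIP": "192.0.2.9", "path": "/health", "score": 10}
{"ts": "2024-05-01T10:00:05Z", "action": "log", "ruleId": "owasp-941100", "clientIP": "198.51.100.20", "path": "/comment", "score": 70}
{"ts": "2024-05-01T10:00:06Z", "action": "log", "ruleId": "owasp-942100", "clientIP": "198.51.100.11", "path": "/search", "score": 88}
"""

# Hypothetical allowlist of internal scanners / monitoring (constructed).
KNOWN_GOOD = [ipaddress.ip_network("192.0.2.0/24")]

# Thresholds exactly as the post states them; adjust to your own policy.
CHALLENGE_ABOVE = 50
BLOCK_ABOVE = 85


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole review
    return events


def is_known_good(ip: str) -> bool:
    """True if the source address is inside the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_GOOD)


def matches_per_rule(events: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Per rule: total matches and how many came from known-good sources."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "known_good": 0})
    for ev in events:
        entry = summary[ev["ruleId"]]
        entry["total"] += 1
        if is_known_good(ev["clientIP"]):
            entry["known_good"] += 1
    return dict(summary)


def exception_candidates(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Rules whose matches all came from known-good sources: exempt or tune, do not block."""
    return sorted(r for r, s in summary.items() if s["total"] and s["known_good"] == s["total"])


def score_action(score: int) -> str:
    """Tiered policy from the post: > 85 block, > 50 managed challenge, else allow."""
    if score > BLOCK_ABOVE:
        return "block"
    if score > CHALLENGE_ABOVE:
        return "managed_challenge"
    return "allow"


def simulate_score_policy(events: Iterable[dict]) -> Dict[str, int]:
    """How many of the observed requests each tier would have affected."""
    return dict(Counter(score_action(ev["score"]) for ev in events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    per_rule = matches_per_rule(evs)
    for rule, s in sorted(per_rule.items()):
        print(f"{rule}: {s['total']} matches, {s['known_good']} from known-good sources")
    print("exception candidates:", exception_candidates(per_rule))
    print("score policy impact:", simulate_score_policy(evs))
```

On the constructed sample, every match of the hypothetical rule "owasp-913100" comes from the allowlisted monitoring range, so it surfaces as an exception candidate; flipping it to block unreviewed would start rejecting health checks. The score simulation reports two requests that would be blocked, one challenged and three allowed, which is the kind of number to compare against expected traffic before enabling the rule.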

Separate API and Web Traffic Rules

Your API endpoints and your web application have very different traffic profiles. Create separate WAF rule sets or use custom rules with path matching to apply stricter controls to API endpoints while maintaining flexibility for web pages.

# Apply strict JSON inspection only to API paths
(http.request.uri.path matches "^/api/.*")

Enable Leaked Credentials Check on Auth Endpoints

Configure the Exposed Credentials Check ruleset specifically against your login, registration, and password reset endpoints. These are the targets for credential stuffing. Blocking requests with known-compromised credentials stops account takeover before it starts.

Create Exceptions for Known-Good Traffic

Your monitoring tools, CI/CD pipelines, and internal scanners will trigger WAF rules. Create WAF exceptions for these known sources based on IP, ASN, or custom headers to prevent alert fatigue and ensure legitimate traffic isn’t disrupted.

Regularly Review Custom Rules

Custom WAF rules accumulate. Schedule a quarterly review to remove rules that are no longer needed, update rules referencing deprecated services, and verify that rule logic still reflects your current application architecture.

Set Up Alerting for Spike Detection

Configure alerts when WAF block counts spike significantly above baseline. A sudden 10x increase in WAF blocks often signals the beginning of a targeted attack campaign, giving your team time to investigate and respond before it escalates.
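A small added example of the spike test itself (my own illustration, not a Cloudflare alerting feature): given per-interval block counts exported from your logs or analytics, each new interval is compared with the median of the preceding intervals and an alert is raised when it exceeds that baseline by the factor the post suggests (10x). The median is used rather than the mean so that the spike itself, or an earlier burst, does not drag the reference value up and mask a second wave. The count series and the window size are constructed.

```python
"""Alerting on WAF block-count spikes against a rolling baseline.

Added example, not Cloudflare tooling: per-interval block counts are
compared with the median of the preceding `window` intervals.
"""
from statistics import median
from typing import List, Optional, Tuple

# Constructed per-5-minute WAF block counts for one zone: a quiet baseline
# around 40, then two intervals of a sudden campaign, then back to normal.
SAMPLE_COUNTS = [40, 38, 45, 41, 39, 44, 42, 43, 40, 41, 38, 520, 610, 44]


def spike_alerts(counts: List[int], window: int = 6, factor: float = 10.0,
                 min_baseline: int = 5) -> List[Tuple[int, int, float]]:
    """Return (index, count, baseline) for each interval above factor x baseline.

    `window` is how many preceding intervals form the baseline; `min_baseline`
    floors the baseline so a near-zero quiet period cannot make a handful of
    blocks look like a tenfold spike.
    """
    alerts = []
    for i in range(window, len(counts)):
        baseline = max(median(counts[i - window:i]), min_baseline)
        if counts[i] > factor * baseline:
            alerts.append((i, counts[i], baseline))
    return alerts


def first_alert(counts: List[int], **kw) -> Optional[Tuple[int, int, float]]:
    """The earliest interval that would have paged someone, or None."""
    alerts = spike_alerts(counts, **kw)
    return alerts[0] if alerts else None


if __name__ == "__main__":
    for idx, count, baseline in spike_alerts(SAMPLE_COUNTS):
        print(f"interval {idx}: {count} blocks vs baseline {baseline:.0f} "
              f"({count / baseline:.1f}x) -> alert")
```

On the constructed series both campaign intervals (indices 11 and 12) alert against a baseline of about 41, and the second one still alerts even though the first spike is now inside the window, because the median ignores a single outlier. In production the same comparison would run on counts pulled per interval from your log export, with the alert feeding whatever paging channel your team already uses.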
