top of page

Cloudflare WAF Best Practices: Features, Challenges, and Alternatives

Cloudflare WAF is a cloud-based web application security service that provides additional protection to websites and web applications against various online attacks. It analyzes incoming traffic to a website or application and uses a set of predefined rules to identify and block malicious requests before they reach the origin server. Cloudflare WAF can also be tailored to include custom rules based on the specific needs of a website or application.

Cloudflare WAF Features

One of the key features of Cloudflare WAF is its pre-configured and customizable rulesets. These rulesets are designed to protect web apps from zero-day vulnerabilities, sensitive data extraction, OWASP top 10 attacks, and threats that specifically attack your web application. By implementing these rules, you can enhance the security of your web apps and prevent various types of cyber threats.

Another important feature of Cloudflare WAF is the cloud-based security system that analyzes all the assigned threat scores from user data and shares these scores as threat intelligence with all the Cloudflare WAF users. This feature helps users to stay informed about newly discovered zero-days and gives them time to patch their software before they become victims of cyber attacks.

Cloudflare WAF also provides inbuilt tools for analytics and reporting, eliminating the need for third-party tools. Users can access a quite vast analytics time range filter from 30 minutes to 72 hours, which provides a detailed view of their app's security. This feature helps users to monitor their web apps and identify potential vulnerabilities.

In addition to the features mentioned above, Cloudflare WAF also offers other useful features, such as virtual patching to fix app vulnerabilities quickly, IP address blacklisting and whitelisting, and a full CDN service integration to prevent high web latency. All of these features work together to provide comprehensive security for web applications and protection against cyber threats.

Cloudflare WAF’s Rate Limiting Best Practices You Should Know

Rate limiting is a technique used in WAFs to control the amount of traffic or requests allowed to a web application within a certain period of time. Using the Cloudflare WAF, you can set a threshold limit for the number of requests that can be sent to your web application from a specific IP address or user agent. Once the limit is exceeded, it blocks the requests from the offending IP or user agent.

The main benefit of rate limiting is the ability to prevent Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, which can overwhelm your web application with a flood of requests and render it inaccessible to legitimate users.

Now since rate limiting is arguably one of Cloudflare’s best WAF features, we’ll concentrate on how to help you make the best out of it.

Enforce Granular Access Control

Setting granular control allows you to set specific limits to the number of requests that can be sent to different parts of your web application based on factors such as the type of request, the user role and agent, IP address, country and region, etc.

For instance, you can choose to limit the rate of requests performed by individual user agents within a specified period. You can set the Cloudflare WAF to allow your web app to perform a maximum of X requests in X minutes/seconds. Importantly, Cloudflare WAF allows you to do this for both mobile apps and desktop browsers.

Here’s another instance: you can choose to include or exclude an IP address of an Autonomous System Number (ASN) from a rate limiting. Here, you’ll be instructing the Cloudflare WAF to allow a particular IP address to send up to X number of requests per X minutes without getting flagged as suspicious.

Moreover, if your web app receives requests from other sources like social media ads and affiliate marketing links from third-party websites, then you should consider limiting the number of requests generated by each individual referrer page. This is basically to avoid indirect DDoS attacks.

Protect Against Credential Stuffing

Credential stuffing is a cyber-attack where an attacker uses automated tools to try stolen usernames and passwords on different websites and web apps. This type of attack leads to account takeover, data breaches, damage to brand reputation, etc. However, Cloudflare WAF can provide essential protection. Here’s how you can use Cloudflare WAf’s rate-limiting feature to protect your web app against credential stuffing.

First, you can start by protecting your web app’s login endpoint. And you can do this using three different rate-limiting rules.

  • Rule One - Allow an IP address to send X requests per minute. This is to allow real customers X amount of attempts to remember their login details. If they fail to remember the correct details, the system will assume it’s an automated tool, then the Managed Challenge will be activated, and the client will be blocked. However, if the user gets the login details correctly before the limit set in rule one is exceeded, then rule two will be activated.

  • Rule Two - This rule is set to make sure that it isn’t an automated tool that correctly uses a legitimate user’s login details to access your web app. Here the WAF allows the user to send X requests per X minutes. If they exceed this limit, then the third and final rule is activated.

  • Rule Three - Any IP address that breaks rule two will be blocked for at least a day. This will prevent the automated tool from accessing the site completely until it gains another IP address.

Limit the Number of Operations Performed by a User

Asides from its anti-brute force benefits, other benefits of limiting the number of operations performed by each user include resource utilization and content scraping prevention. Without this Cloudflare WAF best practice, your web app’s limited resources (like server capacity and bandwidth) can be hogged by some users. Not only this, malicious content-scrapping bots can copy your intellectual property or gain a competitive edge. To prevent this, you can limit the number of operations each of your users can perform.

Let’s say you have an ecommerce website: you can decide to limit the number of times your users can look up prices, sizes, items, product details, etc. Such a measure will help in stopping bots from scrapping all the information in your web app’s catalog.

Generally, combining these rate-limiting rules with Cloudflare Bot Management is best, as it provides a bot score that can help you streamline rate limiting and control the actions performed by these automated tools.

Note: An easy way to differentiate bot traffic from legitimate traffic is by monitoring requests that trigger a large number of 403 or 404 response status codes from the origin server. And to stop these content-scrapping bots, place a limit to the number of requests generating these response status codes.

Protect REST APIs

Simply put, REST APIs are used to allow client-side applications to interact with server-side data. It is important to protect REST APIs because they often contain sensitive data and functionality that malicious actors can exploit.

APIs generally cause a considerable burden on your application’s backend because fulfilling their requests can be resource-intensive or costly. API requests may involve intricate operations (like processing data and searching through large datasets) that, if misused, have the potential to cause an origin server to fail.

Take, for instance, your application has a large amount of stored image or video files, and your users can download a file through their specific URL. Ideally, you should consider limiting the number of downloads per user to avoid abuse.

However, it isn’t possible to create rate-limiting rules for each file (due to its size). In this case, you should consider using the file path as the (rate-limiting) rule characteristics to avoid rewriting the rule every time you upload a new file. For example, cut off “" at "" to prevent having to rewrite the rule each time.

Challenges with Cloudflare WAF

Even with all its benefits, Cloudflare WAF presents some challenges for its users, and some of these have been listed below:

  • The maximum file size you can upload in its free version is only 100 MB.

  • Beginners may find it challenging to navigate the platform due to its steep learning curve.

  • You might encounter certain obstacles when integrating with some third-party tools.

  • These obstacles could impact your usability and the effectiveness of the Cloudflare WAF.

Introducing open-appsec as an Alternative to Cloudflare WAF

Are you looking for a way to block attacks on your web application before they happen? Look no further, as open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Our code has also been published on GitHub, and the effectiveness of our WAF has been successfully proven in numerous tests by third parties.

Admittedly, Cloudflare WAF effectively protects WAFs from attacks, even with its free version. But there's a free, open-source WAF that you might want to explore called open-appsec WAF.

open-appsec WAF uses declarative system configuration to speed up and simplify its configuration process using declarative statements and expressions. It offers simplified maintenance due to the absence of threat signatures, rules, and exception handling.

Its most exciting trait is the use of two machine learning algorithms (offline and online) to detect and prevent known and zero-day attacks. It records very low cases of false positives and uses an effective Content Delivery Network to reduce web latency. Try open-appsec in the Playground today.


Experiment with open-appsec for Linux, Kubernetes or Kong using a free virtual lab

bottom of page