Cloudflare web application firewall WAF

Problems it solves

No IT security guidelines

Unauthorized access to corporate IT systems and data

Risk of leaks of confidential information

Malware infection via Internet, email, storage devices

Risk of attacks by hackers

Risk of data loss or damage

Risk of lost access to data and IT systems

Values

Reduce Costs

Ensure Security and Business Continuity

Cloudflare’s web application firewall (WAF) protects your Internet property from common vulnerabilities such as SQL injection and cross-site scripting.

Description

Cloudflare security engineers constantly monitor the Internet for new vulnerabilities. Cloudflare’s WAF helps you stay ahead of threats by automatically updating when new security vulnerabilities are released. Rules created by Cloudflare in response to new threats are responsible for mitigating the vast majority of threats on our network. While traditional OWASP rules and customer-specific rules are important, they are not enough without Cloudflare's automatic WAF updates.

Cloudflare sees roughly 2.9 million requests every second, and our WAF is continually identifying and blocking new potential threats. If you’re using a web application firewall that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.

Multi-Cloud Holistic Security Framework

Cloudflare offers a single source of control for the security of websites, applications, and APIs hosted across multiple cloud environments. Multi-cloud security provides visibility into security events while allowing for consistent security controls across all clouds in which Internet assets are deployed. Any attack traffic seen by Cloudflare is recorded and analyzed. Cloudflare’s network then shields Internet assets across all cloud providers.

PCI Compliance

Utilizing Cloudflare’s WAF helps you cost-effectively fulfill PCI compliance. If you’re a merchant who handles consumer credit card information, PCI DSS 2.0 and 3.0 Requirement 6.6 allows for two options to meet this requirement:
  • Deploy a WAF in front of your website
  • Or, conduct application vulnerability security reviews of all of your in-scope web applications

OWASP, Application-Specific, and Custom Rules

Cloudflare’s WAF protects your web properties from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules that you can apply with the click of a button. Business and Enterprise customers can also request custom WAF rules to filter out specific attack traffic.

OWASP Top 10 Vulnerabilities
  • Injection
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Protecting Against Zero-Day Vulnerabilities

Cloudflare security engineers have dealt with a lot of zero-day vulnerabilities over the years. Read our developer blog to learn how every website on our network benefits from their virtual patches.

A Look at the New WP Brute Force Amplification Attack: A vulnerability in the XML remote procedure protocol allowed potentially thousands of brute force password attempts in a single HTTP request.

The Joomla Unserialize Vulnerability: The Joomla Unserialize Vulnerability allowed remote code execution via poorly sanitized User-Agent and X-Forwarded-For headers.

Protection Against Critical Windows Vulnerability (CVE-2015-1635): Cloudflare WAF protected users from a critical bug that allowed unprivileged users to hang a Windows web server.

Threat Blocking & Privacy Features
  • Collective intelligence to identify new threats
  • Reputation-based threat protection
  • Comment spam protection
  • Block or challenge visitors by IP address
  • Block or challenge visitors by AS number
  • Block or challenge visitors by country code
  • User agent blocking
  • Zone lockdown
  • Security level configuration

Scheme of work
