WAF Custom Rules
Creating custom WAF rules in Cloudflare to filter malicious traffic.
Rule Structure
Field = Value AND/OR Field = Value → Action
Common Rules
# Block known bot IPs
(ip.src in {192.0.2.0/24}) → block
# Rate limit login endpoints
(http.request.uri.path eq "/login") → rate_limit(threshold=20, period=60)
# Challenge traffic from high-risk countries
(ip.src.country in {"T1" "T2"}) → managed_challenge
Rule Actions
- Block — Deny the request
- Challenge — JS challenge (CAPTCHA)
- Managed Challenge — Adaptive challenge (JS, CAPTCHA, or none)
- Log — Record but allow (Enterprise)
- Skip — Skip remaining WAF rules
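How rule order and the actions above interact, as an added example (a simplified local model, not Cloudflare's engine or code from this page). The rule list, the `/healthz` path and the sample requests are constructed for illustration, and rate limiting is left out.

```python
import ipaddress

# Actions that stop evaluation as soon as a rule matches.
TERMINATING = {"block", "challenge", "managed_challenge"}
BOT_NET = ipaddress.ip_network("192.0.2.0/24")  # range from the page's block rule

# Constructed rule list in priority order: (description, predicate, action).
RULES = [
    ("skip health checks", lambda r: r["path"] == "/healthz", "skip"),
    ("log login attempts", lambda r: r["path"] == "/login", "log"),
    ("block bot range", lambda r: ipaddress.ip_address(r["ip"]) in BOT_NET, "block"),
    ("challenge listed countries", lambda r: r["country"] in {"T1", "T2"},
     "managed_challenge"),
]

def evaluate(request, rules=RULES):
    """Walk the rules top to bottom; return (final_action, logged_rules)."""
    logged = []
    for description, matches, action in rules:
        if not matches(request):
            continue
        if action == "log":
            # Log records the match and lets evaluation continue.
            logged.append(description)
        elif action == "skip":
            # Skip exempts the request from every rule below it.
            return "allow", logged
        elif action in TERMINATING:
            return action, logged
        else:
            raise ValueError(f"unknown action: {action}")
    return "allow", logged

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"ip": "192.0.2.10", "path": "/login", "country": "US"},
        {"ip": "192.0.2.10", "path": "/healthz", "country": "T1"},
        {"ip": "198.51.100.7", "path": "/", "country": "T1"},
    ]
    for req in samples:
        print(req, "->", evaluate(req))
```

The second sample shows why Skip rules need narrow expressions: an address in the blocked range is allowed because the skip rule matched first.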
Related
- DDoS Protection — DDoS mitigation
- Zero Trust — Security concepts