Cloudflare Docs
WAF
Edit this page on GitHub
Set theme to dark (⇧+D)

WAF Managed Rules

WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against:

  • Zero-day vulnerabilities
  • Top-10 attack techniques
  • Use of stolen/exposed credentials
  • Extraction of sensitive data

These managed rulesets are regularly updated. You can adjust the behavior of specific rules in these rulesets, choosing from several possible actions.

​​ Managed rulesets

Cloudflare provides the following managed rulesets in the WAF:

RulesetDescription
Cloudflare Managed Ruleset

Created by the Cloudflare security team, this ruleset provides fast and effective protection for all of your applications. The ruleset is updated frequently to cover new vulnerabilities and reduce false positives.

Ruleset ID: efb7b8c949ac4650a09736fc376e9aee

Cloudflare OWASP Core Ruleset

Cloudflare's implementation of the Open Web Application Security Project, or OWASP ModSecurity Core Rule Set. Cloudflare routinely monitors for updates from OWASP based on the latest version available from the official code repository.

Ruleset ID: 4814384a9e5d4991b9815dcfc25d2f1f

Cloudflare Exposed Credentials Check

Deploy an automated credentials check on your end-user authentication endpoints. For any credential pair, the Cloudflare WAF performs a lookup against a public database of stolen credentials.

Ruleset ID: c2e184081120413c86c3ab7e14069605

Cloudflare Free Managed Ruleset

Available on all Cloudflare plans. Designed to provide mitigation against high and wide impacting vulnerabilities. The rules are safe to deploy on most applications. If you deployed the Cloudflare Managed Ruleset for your site, you do not need to deploy this managed ruleset.

Ruleset ID: 77454fe2d30c4220b5701f6fdfb893ba

The following managed rulesets run in a response phase:

RulesetDescription
Cloudflare Sensitive Data Detection

Created by Cloudflare to address common data loss threats. These rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Available in Security > Sensitive Data.

Ruleset ID: e22d83c647c64a3eae91b71b499d988e

​​ Availability

The managed rulesets you can deploy depend on your Cloudflare plan.