Why use Cloudflare WAF for security

The primary reason Cloudflare has become popular is its ability to stop DDoS attacks in their tracks. This has proved to be a very effective tool for mitigating major outages on websites, and DDoS protection is offered as a free service.

There are other tools which Cloudflare offers which are also free and for general use should provide a good layer of protection. If you want more "rules" then upgrading to the Pro plan is definitely worth the cost.

We will look at the following areas, listed in the order in which Cloudflare executes them in its security layer.

  • DDoS
  • Page Rules
  • IP Access Rules
  • Bots
  • WAF (Web application firewall)

DDoS protection

This is provided out of the box from Cloudflare and covers network layer attack protection, SSL/TLS DDoS attack protection and HTTP DDoS attack protection. The last one has configuration options, but generally leaving this alone should suffice.

Page Rules

Page rules allow you to control how the Cloudflare network handles requests to your application. For example, if you want to force a Browser Integrity Check on the login page of your app, this can be set using a page rule.

You can define rules using wildcards, which lets a single rule cover a wider range of domains and/or folders.

IP Access Rules

An IP access rule allows you to either allow or block access to your application by IP address, IP range or country.

Bots

In the free plan you only have the option to turn this on or off. When it is turned on, Cloudflare automatically filters known malicious bots before they reach your app. If you upgrade to the Pro plan you get more control over bot management. If this is important to you, we suggest upgrading to the Pro plan to use this feature.

WAF (Web application firewall)

Deciding on a firewall is always a hot topic, and you should ensure you still use the default firewall you might have on your own server, since that is what blocks direct access to the server's IP address (traffic that never passes through Cloudflare).

Knowing which firewall is preventing which traffic is important for troubleshooting.

WAF by Cloudflare has 4 components

  • Firewall rules
  • Rate limiting rules
  • Managed rules
  • Tools (IP Access rules - see above)

Firewall rules

The rules under this area are extremely powerful and since they load from the edge network, they are active immediately. 

Some use cases for firewall blocking

  • Block specific countries or entire continents
  • Block specific ASNs or IP ranges
  • Block a specific URL pattern match

In total there are 19 rules which can be applied in any combination. These options are very powerful, and with them you can protect both your application and your server environment.

Rate limiting rules

If you find that you are receiving a lot of requests to your API or signup page, adding rate limiting is the easiest way to prevent malicious traffic from bringing down access to that area.

Example rate limit rule

Rate limiting is deployed to the edge of Cloudflare's network and is active immediately. 
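To show how a rate limiting rule of this kind behaves, here is an added Python model (not Cloudflare's code) of a rule with a threshold, period and mitigation timeout, run over a constructed request sample. The rule parameters, the counting by client IP and the sample traffic are assumptions for the demo.

```python
from collections import defaultdict, deque

# Constructed sample traffic (unix seconds, client IP, method, path); not real logs.
SAMPLE_REQUESTS = [
    (0,  "203.0.113.7",  "POST", "/api/signup"),
    (1,  "203.0.113.7",  "POST", "/api/signup"),
    (2,  "203.0.113.7",  "POST", "/api/signup"),
    (3,  "203.0.113.7",  "POST", "/api/signup"),  # 4th hit inside 10 s: over threshold
    (4,  "203.0.113.7",  "GET",  "/pricing"),     # not matched by the rule, still served
    (5,  "198.51.100.9", "POST", "/api/signup"),  # another client has its own counter
    (20, "203.0.113.7",  "POST", "/api/signup"),  # still inside the 60 s mitigation timeout
    (70, "203.0.113.7",  "POST", "/api/signup"),  # timeout expired, counting starts fresh
]


class RateLimitRule:
    """Model of a rate limiting rule (assumed parameters): count requests whose
    path starts with `path_prefix` per client IP over a sliding `period` in
    seconds; once more than `threshold` land inside one period, block that IP
    for `timeout` seconds, then let it start again with a fresh counter."""

    def __init__(self, path_prefix, threshold, period, timeout):
        self.path_prefix = path_prefix
        self.threshold = threshold
        self.period = period
        self.timeout = timeout
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}          # ip -> time the mitigation expires

    def evaluate(self, ts, ip, path):
        if not path.startswith(self.path_prefix):
            return "allow"               # rule does not apply to this path
        if self.blocked_until.get(ip, -1) > ts:
            return "block"               # mitigation timeout still running
        window = self.hits[ip]
        while window and ts - window[0] >= self.period:
            window.popleft()             # drop hits that fell out of the period
        window.append(ts)
        if len(window) > self.threshold:
            self.blocked_until[ip] = ts + self.timeout
            window.clear()
            return "block"
        return "allow"


def decisions(requests, rule):
    """Return the action taken for each request, in order."""
    return [rule.evaluate(ts, ip, path) for ts, ip, _method, path in requests]


if __name__ == "__main__":
    rule = RateLimitRule("/api/signup", threshold=3, period=10, timeout=60)
    for req, action in zip(SAMPLE_REQUESTS, decisions(SAMPLE_REQUESTS, rule)):
        print(f"t={req[0]:>3} {req[1]:<13} {req[3]:<12} -> {action}")
```

Note that the unrelated GET to /pricing and the second client are unaffected, which is the behaviour you want when the rule is scoped to the signup or API path only.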

Managed rules

These rules are active by default on the free plan; however, if you want to add custom managed rules you have to upgrade to Pro.

Summary

Taking the time to set up Cloudflare WAF requires a certain amount of patience and trial and error. However, for the protection that is provided and the uptime your application will have, this offering from Cloudflare is certainly hard to beat.

It is important to note that the WAF runs at Cloudflare's edge, in front of the DNS record that points at your origin, so all traffic is filtered before it reaches your server. This approach reduces server load and bandwidth, two very important factors in keeping your server healthy.