Frequently Asked Questions

What are WAF rules

Updated Time:2023-04-27  Views:19104

Zone-level Web Application Firewall (WAF) detects and mitigates malicious requests across all traffic under this zone.

Protect your website and API from malicious traffic with custom rules. Configure mitigation criteria and actions for better security.


WAF rules require proxy DNS records to be turned on in order for your page rules to take effect.

WAF rules do not apply to hostnames that do not exist in DNS records or are not directed to Cloudflare.


Summary of WAF rule settings

1.ANS:(ip.geoip.asnum):Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with client IP address.

2.Cookie:(http.cookie):Represents the entire cookie as a string.

    Example value:

3.Country:( the 2-letter country code in ISO 3166-1 Alpha 2 format.

    Example value:

4.Continent:(ip.geoip.continent):Represents the continent code associated with client IP address:

    AF – Africa

    AN – Antarctica

    AS – Asia

    EU – Europe

    NA – North America

    OC – Oceania

    SA – South America

    T1 – Tor network

5.Hostname:( the host name used in the full request URI.

    Example value:

6.IP Source Address:(ip.src):Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such as X-Forwarded-For or X-Real-IP.

    Example value:

7.Referer:(http.referer):Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

    Example value:
    Referer: htt­ps://

8.Request Method:(http.request.method):Represents the HTTP method, returned as a string of uppercase characters.

    Example value:

9.SSL/HTTPS:(ssl):Returnstrue when the HTTP connection to the client is encrypted.

10.URI Full:(http.request.full_uri):Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers).

    Example value:

11.URI:(http.request.uri):Represents the URI path and query string of the request.

    Example value:

12.URI Path:(http.request.uri.path):Represents the URI path of the request.

    Example value:

13.URI Query String:(http.request.uri.query):Represents the entire query string, without the ? delimiter.

    Example value:

14.HTTP Version:(http.request.version):Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.

    Example Values:



15.User Agent:(http.user_agent):Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser.

    Example value:
    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

16.X-Forwarded-For:(http.x_forwarded_for):Represents the full X-Forwarded-For HTTP header.

    Example value:,

17.Client Certificate Verified:(cf.tls_client_auth.cert_verified):Returns true when a request presents a valid client certificate.

    Also returns true when a request includes a valid certificate that was revoked (see cf.tls_client_auth.cert_revoked).

18.Known Bots:( true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot.

19.Threat Score:(cf.threat_score):Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.

    It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.

20.MIME Type:(http.request.body.mime):The MIME type of the request detected from the request body.

    Supports the most common MIME types of the following general categories: video, audio, image, application, text.


    This field is available on all Cloudflare plans.

21.Header:(http.request.headers):Represents HTTP response headers as a Map (or associative array).

    When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.

    Decoding: no decoding performed
    Whitespace: preserved
    Non-ASCII: preserved

    any(http.response.headers["server"][*] == "nginx")

    Example value:
    {"server": ["nginx"]}

22.European Union:(ip.geoip.is_in_european_union):Returns true when the request originates from a country in the European Union.

23.WAF Attack Score Class:(cf.waf.score.class):The attack score class of the current request, based on the WAF attack score.
    Can have one of the following values: attacklikely_attacklikely_cleanclean.