WAF Demo

Application Security
WAFFirewallSecurity

Last Updated: March 2025

Overview

The Cloudflare WAF is a Web Application Firewall that protects your HTTP/S web applications from common and new vulnerabilities. It mainly consists of the following components:

Take advantage of a multitude of fields and even functions to create rules.

For practical security recommendations and security rules examples, check out General Application Security Recommendations .

AppSec Demo Page (behind ZTNA) Demo: WAF Managed Rule Demo: HMAC Authentication with WAF Custom Rule

Security Analytics

Zone WAF Security Analytics Dashboard in Cloudflare

Security Rules

Cloudflare-branded Managed Challenge

Demo: Cloudflare-branded Managed Challenge page

Cloudflare-branded Block

Demo: Cloudflare-branded Block page

Custom-branded Managed Challenge

Use Custom Pages to create a custom-branded Managed Challenge. For advanced customization on errors, use the Custom Errors feature.

Demo: Custom-branded Managed Challenge page

Block with Custom JSON Response

Use Custom Response to trigger an action on your native mobile application or for a service to use.

Demo: Block with Custom JSON Response

Leaked Credentials Detection Demo

This demo shows how Cloudflare's WAF can detect and prevent the use of leaked credentials in login attempts.

API Example

Test the leaked credentials detection using curl:

curl -s 'https://turnstile.automatic-demo.com/handler' \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'username=CF_EXPOSED_USERNAME@example.com&password=CF_EXPOSED_PASSWORD' \
  -i

Security Recommendations Database

Explore a curated database of security recommendations, rule templates, and best practices that you can adapt for your own security needs.

Browse Security Rules Database