Cloudflare WAF

CloudflareSecurityFree tier available

L7 web application firewall protecting against OWASP Top 10 risks with Cloudflare-managed rule sets, custom expression-based rules, exposed-credentials detection, rate-limiting integration, and machine-learning attack-score signals tuned across the global traffic graph

FluffyStack tools
Add to Service BuilderAdd to CompareCompare with equivalentsExplore Cloudflare in TreemapExplore security in HoneycombSee Cloudflare regions on the World MapSee security as a networkScore jurisdiction exposure
DocumentationPricingCloudflare website

Jurisdictional exposure

Provider HQ
USSan Francisco, USA

Subject to CLOUD Act, FISA-702, DPF

Region locations
APACCNEEAEUUKUSOther29 regions across 7 jurisdictions
Sovereign option
No sovereign-flagged regions in the catalogue for this service.
Full scorecard for this service →US lens detail →Sovereign cloud coverage map →

Attributes

Ga Year
2020

Sub-services (4)

Managed Rule Sets

Cloudflare-maintained rule packages for OWASP Top 10 and CVE coverage

Custom Rules

Customer-authored expression rules with full request-attribute access

Exposed Credentials Check

Detect login attempts using credentials known to be breached

Attack Score

ML-driven anomaly scoring across XSS / SQLi / RCE patterns

Compliance & Certifications

This service is attested for the following frameworks. Always verify with the provider before relying on a specific compliance posture.

GDPRSOC 2ISO 27001HIPAAPCI DSS

Where this runs

29 regions
26 countries
Commercial regions (29)

Europe (10)

  • Paris
  • Frankfurt
  • Dublin
  • Milan
  • Amsterdam
  • Warsaw
  • Madrid
  • Stockholm
  • Zurich
  • London

North America (4)

  • Toronto
  • Ashburn
  • Chicago
  • San Jose

South America (2)

  • Buenos Aires
  • São Paulo

Asia (6)

  • Hong Kong
  • Mumbai
  • Tokyo
  • Singapore
  • Seoul
  • Taipei

Oceania (2)

  • Sydney
  • Auckland

Middle East (2)

  • Tel Aviv
  • Dubai

Africa (3)

  • Lagos
  • Cape Town
  • Johannesburg

Tags

wafowaspsecurityedgeddos-adjacent

Equivalent services on other platforms

Alibaba Web Application FirewallAlibaba

Managed WAF protecting web apps from OWASP Top 10 attacks, bot traffic, API abuse, and data scraping, with global and China regional deployment, custom rule engine, and unified consoles across Anti-DDoS and Security Center

AWS WAFAWS

Web application firewall that protects against common exploits with managed rule groups, custom rules, rate-based rules, Bot Control, and CAPTCHA challenges

Azure Application GatewayAzure

Layer 7 load balancer with integrated web application firewall, SSL termination, URL-based routing, cookie-based session affinity, and autoscaling based on traffic

Cloud ArmorGCP

Edge DDoS protection and web application firewall with managed rule sets for OWASP Top 10, adaptive bot protection, and reCAPTCHA Enterprise integration

Huawei Web Application FirewallHuawei

Managed web application firewall with OWASP Top 10 rule sets, bot management, anti-crawler, CC (challenge-collapsar) attack mitigation, custom rule engine, and regional deployment with integrated DDoS protection

OCI Web Application FirewallOracle

Layer-7 protection against OWASP Top 10 attacks (SQLi, XSS, RCE), bot traffic, and DDoS at the application layer. Edge-deployed for global protection or regional for backend-fronted apps.

Web Application FirewallT Cloud

L7 web application firewall protecting against OWASP Top 10 risks — SQL injection, XSS, command injection — with managed rule sets, custom rules, IP allow/block lists, and bot-detection heuristics tuned for OTC-hosted apps

Pricing

Pricing model:subscription