Opt-in vs. opt-out Security Model for Firewall rules

ethan7 · March 9, 2023, 9:09pm

Hello,

We are using the “free” version to evaluate the product prior to purchasing a subscription.

Is it correct that the WAF tool follows the discretionary / opt-out security model of “allow access if you do not fail a WAF rule”?

If this is true, which it appears to be in practice, is there an option to flip it to a opt-out security model of “deny access unless a WAF rule explicitly allows access”?

( see url [https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority](https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority) )

Sorry if this has been previously asked. The documentation is light, and does not appear to fully address the topic.

Thanks,
E

cscharff · March 9, 2023, 10:17pm

By default Cloudflare is designed to provide security to publicly accessible websites. You could create rules to only allow specific IPs or user agents or you could look at Cloudflare Access as a mechanism to require users meet authentication requirements to accessing a resource.