OWASP Top 10

Can someone confirm whether enabling the WAF protects you from the OWASP Top 10 out of the box, or do you still need to apply each rule from the Top 10 separately?

See https://support.cloudflare.com/hc/en-us/articles/115000223771

Hi, yes, I’ve seen that. So what if you enable the WAF and rule 9 has an impact on your application? I take it you can only disable all 10?

You have per-rule control. There are 20 OWASP ModSecurity groups, which cover 2,498 OWASP ModSecurity rule sets you can individually control :)

I think there might still be a problem here. The way in which we turn Cloudflare on is from our internal application, which connects to your API. There may be a bug in our system.

If I turn on the WAF using our system, all the rules in the ModSecurity Core ruleset are set to off. What would you expect to see? How do I determine which ones are top ten OWASP?

Please see below an example customer where the WAF has been turned on by our system:

Hi, can anyone reply to my last question please?

I assume they were not off before, right? So, you are saying disabling and eventually re-enabling WAF resets all rules to off?!

I guess that would be a question best for the support team.
