Is it a good practice to keep both waf rules enabled all the time. Do you guys keep OWASP enabled all the time? (I do not remember if it was default ON/OFF when we created Cloudflare account for the first time) What do u keep its sensitivity level (Low/High/Medium)?


Yes, in general you should always keep them enabled. Unless you experience issues with managing your website (some admin dashboards get caught up in the WAF), it’s best practice to keep it enabled all the time in case a new exploit is found.

(Note that you should just whitelist your IP if you’re having trouble managing your website; you should never turn off the WAF globally)

It depends on the website. I would keep it on high unless you start seeing OWASP events for regular users.

This topic was automatically closed after 30 days. New replies are no longer allowed.