What’s included in free WAF managed ruleset

Hello,

I would like to know what’s included in the free plan? Are XSS and SQL injection included? Cloudflare’s documentation isn’t clear. Also, I can’t see the option to deploy the feature, or is it enabled by default?

It is enabled by default/automatically. The initial blog post details:

Log4J rules matching payloads in the URI and HTTP headers;
Shellshock rules;
Rules matching very common WordPress exploits;

You can do some sleuthing through the API and see the exact rules in the free ruleset. There are 20 rules in total, covering Log4j, Shellshock, a bunch of WordPress exploits/some for WordPress plugin exploits, one for Atlassian Confluence code injection, and a generic validate headers one.

You don’t have the same controls as mentioned in the original blog post, but you can use Custom Rules to bypass it if needed.

There are some rules covering WordPress XSS/SQL injection. My understanding, as the blog post details, is that the free ruleset is targeted at high profile vulnerabilities and “specially designed to reduce false positives to a minimum across a very broad range of traffic types”, so it is scoped to very specific exploits/vulnerabilities. If you want more generic protection I believe you’re looking for more of the OWASP Ruleset, which is on Pro or higher, and is much more dynamic and configurable for your specific application.

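To do the “sleuthing through the API” the answer mentions, here is an added example (not from this thread or from Cloudflare) that fetches one managed ruleset for a zone through the Rulesets API and summarises its rules by category. The zone id, ruleset id and token are placeholders, and the response layout (`result.rules[].description`, `action`, `categories`) is an assumption about the API’s JSON shape; the sample payload below is constructed.

```python
import json
import urllib.request
from collections import Counter

API = "https://api.cloudflare.com/client/v4"


def fetch_ruleset(zone_id: str, ruleset_id: str, token: str) -> dict:
    """GET one ruleset (rules included) for a zone. Network call; not used in the sample run."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/{ruleset_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_rules(payload: dict) -> dict:
    """Count rules per category and list (description, action) pairs.
    Field names are an assumption about the Rulesets API response."""
    rules = payload.get("result", {}).get("rules", [])
    by_category = Counter()
    for rule in rules:
        for cat in rule.get("categories", []):
            by_category[cat] += 1
    return {
        "total": len(rules),
        "by_category": dict(by_category),
        "rules": [(r.get("description", ""), r.get("action", "")) for r in rules],
    }


# Constructed sample in the assumed API shape; ids and descriptions are made up.
SAMPLE = {
    "result": {
        "name": "Example managed ruleset (constructed)",
        "rules": [
            {"id": "rule-a", "description": "Log4j payload in URI", "action": "block",
             "categories": ["log4j"]},
            {"id": "rule-b", "description": "Shellshock", "action": "block",
             "categories": ["shellshock"]},
            {"id": "rule-c", "description": "WordPress plugin SQLi", "action": "block",
             "categories": ["wordpress", "sqli"]},
        ],
    }
}

if __name__ == "__main__":
    # Swap SAMPLE for fetch_ruleset("<ZONE_ID>", "<RULESET_ID>", "<API_TOKEN>") to inspect a real zone.
    print(json.dumps(summarize_rules(SAMPLE), indent=2))
```

Listing `/zones/<ZONE_ID>/rulesets` first gives the ruleset ids, so you can pick the managed one before fetching its rules.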

Thank you :)
