---
title: Application security dashboard
description: The application security dashboard helps you understand the current security posture of your web applications and allows you to configure different security rules for those applications.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Application security dashboard

The application security dashboard is your starting point to better understand the security posture of your web applications, and to configure rules to protect them.

New dashboard experience 

Cloudflare is gradually making the new **Security** dashboard available by default to users. Users who do not have the new dashboard by default can still manually opt in:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Open any page under **Security**.
3. In the top right-hand corner of the page, select **Try new dashboard**.

To opt out of the new security dashboard:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Turn off the setting **New application security dashboard**.

The opt-out option will be available for a limited time.

## Features

### Security overview

Get a high-level overview of your domain's security posture.

[ Explore Security overview ](https://developers.cloudflare.com/security/overview/) 

### Security Analytics

Shows information about all incoming HTTP requests or mitigated requests (rule matches). Tailor your security configurations based on sampled logs.

[ Explore Security Analytics ](https://developers.cloudflare.com/security/analytics/) 

### Web assets

Discover your web assets (including API endpoints) and instruct Cloudflare how to best protect them.

[ Use Web assets ](https://developers.cloudflare.com/security/web-assets/) 

### Security rules

Perform security actions on incoming requests that match specified filters.

[ Use Security rules ](https://developers.cloudflare.com/security/rules/) 

---

## More resources

[Plans](https://www.cloudflare.com/plans/#overview) 

Compare available Cloudflare plans

---

---
title: Security overview
description: Security overview provides an overview of your domain's security posture and allows you to quickly identify security action items that may need your attention.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Security overview

Security overview provides an overview of your domain's security posture and allows you to quickly identify security action items that may need your attention.

To access Security overview in the new security dashboard, go to the **Overview** page.

[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/security/overview) 

The Security overview page displays:

* Security action items
* Detection tools
* Traffic overview

## Security action items

**Security action items** shows you insights and recommendations related to misconfigurations, exposed infrastructure, and suspicious activity.

* **Action item types**:  
   * Suspicious activity  
   * Security insight
* **Criticality**: Action items are ranked by criticality, with critical items shown first, followed by moderate and then low.
* **Filters**: You can filter your action items by Criticality, Insight Type, and Security Category.  
   * Criticality:  
         * Low  
         * Moderate  
         * Critical  
   * Insight Types:  
         * Suspicious activity  
         * Exposed infrastructure  
         * Insecure configuration  
         * Configuration suggestion  
         * Compliance Violation  
         * Email Security  
         * Weak Authentication  
   * Security Category:  
         * Web application exploits  
         * AI exploits  
         * DDoS attacks  
         * Bot traffic  
         * API abuse  
         * Client-side abuse  
         * Fraud
* **Review**: Review your security action items for more detailed information and recommended actions to resolve.
* **Archiving**: You can archive security action items you do not wish to display in the main list.
* **Load more**: View the full list of security action items.

## Detection tools

Review the available detection tools and what services are currently running to protect your domain against threats.

## Traffic overview

View the patterns and highlights from your domain's traffic in the past 30 days.

The Cloudflare dashboard displays:

* **Monthly requests**: View the monthly requests and traffic that has been mitigated by Cloudflare.
* **How you compare to your peers**: For enterprise plans, understand how your security posture compares to others in your industry protected by Cloudflare.

---

---
title: Security Analytics (new dashboard)
description: Security Analytics shows information about all incoming HTTP requests or mitigated requests (rule matches).
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Security Analytics (new dashboard)

Security Analytics shows information about all incoming HTTP requests or only about requests mitigated by Cloudflare.

Use Security Analytics as your starting point to understand and analyze traffic patterns, and to create security rules based on the filters you applied.

To access Security Analytics in the new security dashboard, go to the **Analytics** page.

[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics) 

By default, Security Analytics queries filter on `requestSource = 'eyeball'`, which represents requests from end users. Note that requests from Cloudflare Workers (subrequests) are not visible in Security Analytics.

## Traffic

The **Traffic** tab displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products.

In this tab you can perform several tasks:

* View the traffic distribution for your domain.
* Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or [origin server ↗](https://www.cloudflare.com/learning/cdn/glossary/origin-server/)).
* Analyze suspicious traffic and create tailored custom [security rules](https://developers.cloudflare.com/security/rules/) based on applied filters.
* [Find an appropriate rate limit](https://developers.cloudflare.com/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic.

For information on how to use the **Traffic** tab, refer to [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/#adjusting-displayed-data).

If you need to modify existing security-related rules you already configured, consider also using the [Events](#events) tab. This tab displays information about requests affected by Cloudflare security products.

Note

The **Traffic** tab includes functionality available in the [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/) page in the previous dashboard navigation structure.

## Events

Use the **Events** tab to review mitigated requests and to tailor your security configurations.

The **Events** tab displays information about requests actioned or flagged by Cloudflare security products. Each incoming HTTP request might generate one or more security events. The tab only shows these events, not the HTTP requests themselves. To obtain information on all incoming HTTP requests, use the [Traffic](#traffic) tab.

Users on a Free plan can view summarized events by date in sampled logs. Customers on paid plans have access to additional graphs and dashboards that summarize the most relevant information about the current behavior of Cloudflare's security features on your domain.

For more information on the **Events** tab, refer to [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/).

Note

The **Events** tab corresponds to the [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) page in the previous dashboard navigation structure.

---

---
title: Web assets
description: Discover web assets such as your API endpoints and instruct Cloudflare how to best protect them.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Web assets

Discover web assets such as your API endpoints and instruct Cloudflare how to best protect them.

To access web assets in the new security dashboard, go to the **Web assets** page.

[ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets) 

## Endpoints

Use the **Endpoints** tab to manage endpoints available on your domain and monitor their health.

You can save endpoints directly from [API Discovery](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-api-discovery), [manually](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-manually) by method, path, and host, or via [Schema Validation](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-schema-validation).

This will add the specified endpoints to your list of managed endpoints. You can view your list of managed endpoints in the **Endpoints** tab.

For saved endpoints:

* Cloudflare will start collecting [performance data](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#endpoint-analysis) per endpoint.
* You can use the [labeling service](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/) to organize your endpoints by use case.

For more information on how to manage your endpoints, refer to the following resources.

* [Endpoint Management](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)
* [Schema learning](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/schema-learning/)
* [Endpoint Analysis](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#endpoint-analysis)

## Discovery

**Discovery** continuously finds your active API endpoints via path normalization.

[Add endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-api-discovery) to produce recommendations and analytics of your APIs. Your [session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/) must match your API traffic. Otherwise, API endpoints are also discoverable via [Machine Learning](https://developers.cloudflare.com/api-shield/security/api-discovery/#machine-learning-based-discovery).

Note

**Discovery** is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.

## Sequences

Use **Sequences** to discover how users interact with your API, by tracking the order of API session requests over time. Sequences will group and highlight popular user journeys across your API.

Once you configure [session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/), the **Sequences** tab will start grouping and highlighting important user journeys (sequences) across your API.

To configure session identifiers:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Next to **Session identifiers**, select **Configure session identifiers**.

For more information on how Cloudflare identifies API sequences and how you can configure API sequence rules, refer to the following resources:

* [Sequence analytics](https://developers.cloudflare.com/api-shield/security/sequence-analytics/)
* [Sequence mitigation](https://developers.cloudflare.com/api-shield/security/sequence-mitigation/)

Note

The **Sequences** tab includes functionality available in [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.
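
The path normalization behind **Discovery** and the per-session ordering behind **Sequences**, as an added sketch (not Cloudflare's code). The `{varN}` placeholder naming, the variable-segment heuristic, the function names, and the sample requests are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample traffic (not real data):
# (session identifier, timestamp, method, host, path)
SAMPLE_REQUESTS = [
    ("sess-a", 1, "POST", "api.example.com", "/api/v1/login"),
    ("sess-a", 2, "GET", "api.example.com", "/api/v1/accounts/1842?include=owner"),
    ("sess-a", 3, "POST", "api.example.com", "/api/v1/accounts/1842/transfer"),
    ("sess-b", 1, "POST", "api.example.com", "/api/v1/login"),
    ("sess-b", 3, "POST", "api.example.com", "/api/v1/accounts/77/transfer"),
    ("sess-b", 2, "GET", "api.example.com", "/api/v1/accounts/77"),
    ("sess-c", 1, "GET", "api.example.com",
     "/api/v1/accounts/9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f"),
    ("sess-c", 2, "POST", "api.example.com",
     "/api/v1/accounts/9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f/transfer"),
    (None, 4, "GET", "api.example.com", "/api/v1/health"),  # no session identifier
]

# Heuristic (an assumption of this example): a segment is variable if it is
# all digits, a UUID, or a hex string of 16 or more characters.
_VARIABLE_SEGMENT = re.compile(
    r"^(?:\d+"
    r"|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|[0-9a-fA-F]{16,})$"
)


def normalize_path(path):
    """Collapse variable path segments into {varN} placeholders."""
    segments, count = [], 0
    for segment in path.split("?", 1)[0].split("/"):
        if not segment:
            continue  # drop empty segments from leading or doubled slashes
        if _VARIABLE_SEGMENT.match(segment):
            count += 1
            segment = "{var%d}" % count
        segments.append(segment)
    return "/" + "/".join(segments)


def discover_endpoints(requests):
    """Count requests per (method, host, normalized path)."""
    return Counter((m, h, normalize_path(p)) for _, _, m, h, p in requests)


def session_sequences(requests, length=3):
    """Count ordered runs of `length` endpoints seen within one session."""
    by_session = defaultdict(list)
    for session, ts, method, _host, path in requests:
        if session is None:
            continue  # without a session identifier the request cannot be ordered
        by_session[session].append((ts, "%s %s" % (method, normalize_path(path))))
    sequences = Counter()
    for events in by_session.values():
        ordered = [name for _, name in sorted(events)]  # order by timestamp
        for i in range(len(ordered) - length + 1):
            sequences[tuple(ordered[i:i + length])] += 1
    return sequences


if __name__ == "__main__":
    for endpoint, hits in discover_endpoints(SAMPLE_REQUESTS).most_common():
        print(hits, *endpoint)
    for seq, sessions in session_sequences(SAMPLE_REQUESTS).most_common():
        print(sessions, " -> ".join(seq))
```

The request without a session identifier still counts toward endpoint discovery but never appears in a sequence, which is why session identifiers have to match your API traffic before sequences become useful.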

## Schema validation

Use **Schema validation** to check if your incoming traffic complies with a previously supplied API Schema.

API Schemas are defined by the validity of the API request's properties such as target endpoint, path or query variable format, and HTTP method. A rule is created for incoming traffic and defines which traffic is allowed and which traffic is logged or blocked based on the API schema that you provide or select from the list of learned schemas.

You can add schema validation by:

* [Uploading a schema](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-uploading-a-schema)
* [Applying a learned schema to a single endpoint](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-a-single-endpoint)
* [Applying a learned schema to an entire hostname](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-an-entire-hostname)
* [Adding a fallthrough rule](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule)

Note

The **Schema validation** tab includes functionality available in [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.
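
How a schema check on endpoint, HTTP method, and path or query variable format leads to an allow, log, or block decision, as an added sketch (not Cloudflare's implementation). The schema layout, the `validate` function, and the separate action for requests that match no endpoint in the schema are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed schema for this example: path template -> method -> formats.
SCHEMA = {
    "/api/v1/accounts/{account_id}": {
        "GET": {"path": {"account_id": r"\d{1,10}"},
                "query": {"include": r"owner|balance"}},
    },
    "/api/v1/accounts/{account_id}/transfer": {
        "POST": {"path": {"account_id": r"\d{1,10}"}, "query": {}},
    },
}


def _template_regex(template):
    """Turn '/a/{id}/b' into a regex with one named group per variable."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, ...
    body = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>[^/]+)" % p
                   for i, p in enumerate(parts))
    return re.compile(body)


def validate(method, url, schema=SCHEMA, on_violation="block", on_unknown="log"):
    """Return (action, reason) where action is 'allow', 'log' or 'block'."""
    target = urlsplit(url)
    query = parse_qs(target.query, keep_blank_values=True)
    for template, operations in schema.items():
        match = _template_regex(template).fullmatch(target.path)
        if match is None:
            continue  # a different endpoint; try the next template
        operation = operations.get(method.upper())
        if operation is None:
            return on_violation, "method %s is not defined for %s" % (method, template)
        for name, fmt in operation["path"].items():
            if not re.fullmatch(fmt, match.group(name)):
                return on_violation, "path variable %r has an invalid format" % name
        for name, values in query.items():
            fmt = operation["query"].get(name)
            if fmt is None:
                return on_violation, "query parameter %r is not in the schema" % name
            if not all(re.fullmatch(fmt, value) for value in values):
                return on_violation, "query parameter %r has an invalid format" % name
        return "allow", "request complies with the schema"
    # No template matched: the request targets an endpoint the schema does not
    # describe, so it gets its own action (assumption of this example).
    return on_unknown, "endpoint is not in the schema"


if __name__ == "__main__":
    # Constructed requests covering each outcome.
    for method, url in [
        ("GET", "https://api.example.com/api/v1/accounts/1842?include=balance"),
        ("GET", "/api/v1/accounts/not-a-number"),
        ("DELETE", "/api/v1/accounts/1842"),
        ("GET", "/api/v1/accounts/1842?debug=1"),
        ("GET", "/api/v1/export"),
    ]:
        print(method, url, "->", *validate(method, url))
```

Running the same requests with `on_violation="log"` shows what a block action would affect before it is enforced.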

## Client-side resources

Use **Client-side resources** to [monitor scripts, connections, and cookies](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) on your domain.

If you notice unexpected scripts or connections on the dashboard, check them for signs of malicious activity. You should also check for any new or unexpected cookies.

Customers with Client-Side Security Advanced will have their connections and scripts [classified as potentially malicious](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/) based on threat feeds.

Note

The **Client-side resources** tab includes functionality available in [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly known as Page Shield) in the previous dashboard navigation structure.

---

---
title: Security rules
description: Security rules perform security actions on incoming requests that match specified filters.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Security rules

Security rules perform security-related actions on incoming requests that match specified filters. Rules are evaluated and executed in order, from first to last.

To access security rules in the new security dashboard, go to the **Security rules** page.

[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules) 

## Security rules

The **Security rules** tab includes a list of different types of rules configured in your domain/zone to protect your applications and resources.

To create a security rule:

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. (Optional) Select **Templates**, and then select a template from the list. You can customize the default configuration of the template before deploying the new rule. Refer to the resources listed in the next step.
3. Select **Create rule** \> select the type of rule you want to create. Refer to the following resources about each rule type:  
   * [Custom rules](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/#rule-form)  
   * [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/#rule-form)  
   * [API sequence rules](https://developers.cloudflare.com/api-shield/security/sequence-mitigation/#rule-form)  
   * [API JWT validation rules](https://developers.cloudflare.com/api-shield/security/jwt-validation/#rule-form) (requires a [token configuration](https://developers.cloudflare.com/security/settings/#all-settings))  
   * [Managed rules exceptions](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-dashboard/#2-define-basic-exception-parameters)  
   * [Content security rules](https://developers.cloudflare.com/client-side-security/rules/create-dashboard/#rule-form) (previously known as policies)

Notes

To deploy a managed ruleset, go to the Security **Settings** page. For more information, refer to [Deploy a managed ruleset](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/#deploy-a-managed-ruleset).

The **Security rules** tab includes functionality available in different products in the previous dashboard navigation structure, such as the [WAF](https://developers.cloudflare.com/waf/), [API Shield](https://developers.cloudflare.com/api-shield/), and [client-side security](https://developers.cloudflare.com/client-side-security/).

The tab may show additional rule types if you have configured at least one of the following:

* [IP access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/)
* [User agent blocking rules](https://developers.cloudflare.com/waf/tools/user-agent-blocking/)
* [Zone lockdown rules](https://developers.cloudflare.com/waf/tools/zone-lockdown/)

## DDoS protection

The **DDoS protection** tab shows the multiple DDoS mitigation services provided by Cloudflare. You can create rules to override these mitigation tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

* [HTTP DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/)
* [Network-layer DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/)

Note

You define [overrides for the Network-layer DDoS attack protection managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/configure-dashboard/) at the account level.

## Interaction between different app security features

If you are using several app security features like custom rules, Managed Rules, and Super Bot Fight Mode, it is important to understand how these features interact and the order in which they execute. Refer to [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/) for more information.

---

---
title: Security settings
description: Configure different Cloudflare security features that protect your web applications, APIs, and resources.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Security settings

This page describes the security settings available in the new security dashboard for a given domain.

To access security settings in the new security dashboard, go to the **Settings** page.

[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings) 

## Security setting categories

Security settings and detection tools are categorized by the type of threat that they detect and mitigate.

### Web application exploits

In the **Web application exploits** security category you can manage the following settings:

* Detection tools:  
   * [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/)  
   * [Malicious uploads detection](https://developers.cloudflare.com/waf/detections/malicious-uploads/)  
   * [Sensitive data detection](https://developers.cloudflare.com/waf/managed-rules/reference/sensitive-data-detection/)  
   * [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)  
   * [OWASP Core](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/) ruleset  
   * [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)
* [Under Attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) in Security Level
* Managed [security.txt](https://developers.cloudflare.com/security-center/infrastructure/security-file/)

Refer to each linked page for details.

Note

The web application exploits security category includes features and settings from the [Cloudflare WAF](https://developers.cloudflare.com/waf/) in the previous dashboard navigation structure.

### DDoS attacks

The **DDoS attacks** security category shows the multiple mitigation services against DDoS attacks provided by Cloudflare.

You can create rules to override DDoS attack protection tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

* [HTTP DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/)
* [Network-layer DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/)

Note

You define overrides for the Network-layer DDoS attack protection managed ruleset at the account level in Account Home > **L3/4 DDoS** \> **Network-layer DDoS Protection**.

Additionally, you can manage the following settings:

* [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots)
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
* [Browser Integrity Check](https://developers.cloudflare.com/waf/tools/browser-integrity-check/)
* [Challenge Passage](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/)
* [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)
* [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)
* [Schema learning](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/schema-learning/)
* [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/) (requires you to upload a schema or apply a learned schema)
* [Under Attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) (under Security Level)
* SSL/TLS DDoS attack protection

### Bot traffic

In the **Bot traffic** security category you can manage the following settings:

* [AI Labyrinth](https://developers.cloudflare.com/bots/additional-configurations/ai-labyrinth/)
* [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots)
* [Bot fight mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan)
* [Super Bot fight mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan)
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
* AI bot traffic management with [robots.txt](https://developers.cloudflare.com/bots/additional-configurations/managed-robots-txt/)
* API [sequence detection](https://developers.cloudflare.com/api-shield/security/sequence-analytics/) (requires you to configure a session identifier)

Note

The bot traffic security category includes features and settings from [Bots](https://developers.cloudflare.com/bots/) in the previous dashboard navigation structure.

### API abuse

In the **API abuse** security category you can manage the following settings:

* [Developer portal](https://developers.cloudflare.com/api-shield/management-and-monitoring/developer-portal/) creation
* Web asset discovery (always enabled if included in your Enterprise subscriptions. For Enterprise subscriptions, [API endpoint discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/) is also included, which requires you to configure a [session identifier](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/))
* [Endpoint labels](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)
* [JWT validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/) (requires you to add a [JWT configuration](https://developers.cloudflare.com/api-shield/security/jwt-validation/api/#token-configurations))

Note

The API abuse security category includes features and settings from [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.

### Client-side abuse

In the **Client-side abuse** security category you can manage the following settings:

* [Continuous script monitoring](https://developers.cloudflare.com/client-side-security/how-it-works/):  
   * [Reporting endpoint](https://developers.cloudflare.com/client-side-security/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on)  
   * [Data logged in client-side abuse reports](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details) (only the hostname or the full URI)
* [Email Address Obfuscation](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/)
* [Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/)

Note

The client-side abuse security category includes features and settings from [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly known as Page Shield) and [Scrape Shield](https://developers.cloudflare.com/waf/tools/scrape-shield/) in the previous dashboard navigation structure.

## All settings

The following table links to additional information about each available setting:

| Setting                                                                                                                                                | Location in previous dashboard navigation                                                                                                                              |
| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [AI Labyrinth](https://developers.cloudflare.com/bots/additional-configurations/ai-labyrinth/) | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)                                                         | _N/A_                                                                                                                                                                  |
| [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots) | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/):                                                                  | **Security** \> **Bots**                                                                                                                                               |
| — [JS detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/) | **Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| — [Auto-update machine learning](https://developers.cloudflare.com/bots/reference/machine-learning-models/)                                            | **Security** \> **Bots** \> **Configure Bot Management**                                                                                                               |
| [Browser integrity check](https://developers.cloudflare.com/waf/tools/browser-integrity-check/)                                                        | **Security** \> **Settings**                                                                                                                                           |
| Challenge Passage: [Timeout](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/)               | **Security** \> **Settings**                                                                                                                                           |
| [Client certificates](https://developers.cloudflare.com/ssl/client-certificates/)                                                                      | **SSL** \> **Client Certificates**                                                                                                                                     |
| [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)                                | **Security** \> **WAF** \> **Managed rules** tab                                                                                                                       |
| [Continuous script monitoring](https://developers.cloudflare.com/client-side-security/how-it-works/):                                                  | **Security** \> **Client-side security**                                                                                                                               |
| — [Reporting endpoint](https://developers.cloudflare.com/client-side-security/reference/settings/#reporting-endpoint)                                  | **Security** \> **Client-side security** \> **Settings**                                                                                                               |
| — [Data processing](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details)                              | **Security** \> **Client-side security** \> **Settings**                                                                                                               |
| — [Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/)                                                                   | **Security** \> **Client-side security** \> **Settings**<br>Account Home > **Notifications**                                                                               |
| [Create a developer portal](https://developers.cloudflare.com/api-shield/management-and-monitoring/developer-portal/)                                  | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Custom fallthrough rules](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule)       | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Email Address Obfuscation](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/)                                      | **Scrape Shield**                                                                                                                                                      |
| [API endpoint discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/):                                                        | **API Shield** \> **Discovery**                                                                                                                                        |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Endpoint labels](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                             | **Security** \> **Settings** \> **Labels**                                                                                                                             |
| [Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/)                                                    | **Scrape Shield**                                                                                                                                                      |
| [HTTP DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/):                                               | **Security** \> **DDoS**                                                                                                                                               |
| — [Configure overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/configure-dashboard/)                   | **Security** \> **DDoS**                                                                                                                                               |
| [Instruct AI bot traffic with robots.txt](https://developers.cloudflare.com/bots/additional-configurations/managed-robots-txt/)                        | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [IP access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/)                                                                        | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                                |
| [IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists)                                                                   | Account Home > **Manage Account** \> **Configurations**                                                                                                                |
| [JWT validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/):                                                               | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| — [JWT validation rules](https://developers.cloudflare.com/api-shield/security/jwt-validation/#add-a-jwt-validation-rule)                              | **Security** \> **API Shield** \> **API Rules**                                                                                                                        |
| — [Token configurations](https://developers.cloudflare.com/api-shield/security/jwt-validation/#add-a-token-validation-configuration)                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/):                                                  | **Security** \> **Settings**                                                                                                                                           |
| — [Custom username and password location](https://developers.cloudflare.com/waf/detections/leaked-credentials/#custom-detection-locations)             | **Security** \> **Settings**                                                                                                                                           |
| [Malicious uploads detection](https://developers.cloudflare.com/waf/detections/malicious-uploads/):                                                    | **Security** \> **Settings**                                                                                                                                           |
| — [Custom content location](https://developers.cloudflare.com/waf/detections/malicious-uploads/#custom-scan-expressions)                               | **Security** \> **Settings**                                                                                                                                           |
| [mTLS rules](https://developers.cloudflare.com/api-shield/security/mtls/configure/)                                                                    | **SSL/TLS** \> **Client Certificates**                                                                                                                                 |
| [Network-layer DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/)                                    | Account Home > **L3/4 DDoS** \> **Network-layer DDoS Protection**                                                                                                      |
| [OWASP Core](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/) ruleset                                                | **Security** \> **WAF** \> **Managed rules** tab                                                                                                                       |
| Rate limit authentication requests                                                                                                                     | **Security** \> **WAF** \> **Rate limiting rules** tab                                                                                                                 |
| [Replace insecure JavaScript libraries](https://developers.cloudflare.com/waf/tools/replace-insecure-js-libraries/)                                    | **Security** \> **Settings**                                                                                                                                           |
| [Schema learning](https://developers.cloudflare.com/api-shield/security/schema-validation/):                                                           | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/)                                                          | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)                                             | **Security** \> **API Shield**                                                                                                                                         |
| — [Active schemas](https://developers.cloudflare.com/api-shield/security/schema-validation/#view-active-schemas)                                       | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Default action](https://developers.cloudflare.com/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation)     | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| [Security level: I'm under attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/)                                   | **Security** \> **Settings**                                                                                                                                           |
| [Security.txt](https://developers.cloudflare.com/security-center/infrastructure/security-file/)                                                        | **Security** \> **Settings**                                                                                                                                           |
| [Sensitive data detection](https://developers.cloudflare.com/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) ruleset | **Security** \> **Sensitive Data**                                                                                                                                     |
| [Sequence detection](https://developers.cloudflare.com/api-shield/security/sequence-analytics/):                                                       | **Security** \> **API Shield** \> **API Rules**                                                                                                                        |
| — [Endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)                                             | **Security** \> **API Shield**                                                                                                                                         |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                     | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [SSL/TLS DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/)                                                  | **Security** \> **DDoS**                                                                                                                                               |
| [Token configurations](https://developers.cloudflare.com/api-shield/security/jwt-validation/)                                                          | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [User agent blocking](https://developers.cloudflare.com/waf/tools/user-agent-blocking/)                                                                | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                                |
| [Zone lockdown](https://developers.cloudflare.com/waf/tools/zone-lockdown/)                                                                            | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                                |

