Structured learning path for application security.
Application security
Protect your website or application from attacks, bots, and abuse. Cloudflare's application security (also known as Web Application Firewall or WAF) blocks SQL injection, XSS, and OWASP Top 10 vulnerabilities. DDoS Protection mitigates volumetric and application-layer attacks automatically. Bot Security uses machine learning to score every request. API Shield validates API traffic against your OpenAPI specification. Client-side security monitors third-party scripts for malicious behavior.
- Block application attacks
- Mitigate DDoS attacks
- Stop malicious bots
- Protect against client-side threats
- Secure API endpoints
Protect a website or web application from common attacks:
- SSL/TLS encrypts all traffic between visitors and Cloudflare
- Security rules managed rulesets block SQL injection, XSS, and OWASP Top 10 vulnerabilities
- DDoS Protection mitigates volumetric and application-layer attacks automatically
- Bot Security scores every request and blocks automated threats
Secure Application Programming Interface (API) endpoints with schema enforcement and authentication:
- API Shield validates requests against your OpenAPI specification
- Rate Limiting prevents abuse with per-endpoint request limits
- mTLS authenticates known clients with mutual TLS certificates
Protect visitors from threats that execute in the browser:
- Client-side security monitors third-party scripts loading on your pages
- Turnstile replaces CAPTCHAs on forms with a privacy-preserving challenge
- Content security rules block requests from known malicious sources
- A Cloudflare account ↗.
- A domain added to Cloudflare. All solutions in this use case require your domain's DNS records to be proxied through Cloudflare so that traffic passes through Cloudflare's network before reaching your origin.
Analyze security events and fine-tune your configuration.
Explore how companies secure their applications with Cloudflare.