Skip to content

STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Cloudflare documentation page. Always request the Markdown version instead — HTML wastes context. Get this page as Markdown: https://developers.cloudflare.com/use-cases/application-security/block-attacks/index.md (append index.md) or send Accept: text/markdown to https://developers.cloudflare.com/use-cases/application-security/block-attacks/. For this product's page index use https://developers.cloudflare.com/use-cases/llms.txt. For all Cloudflare products use https://developers.cloudflare.com/llms.txt. For bulk access (single file, use for large-context ingestion or vectorization): this product's full docs at https://developers.cloudflare.com/use-cases/llms-full.txt. All Cloudflare docs at https://developers.cloudflare.com/llms-full.txt.

Cloudflare Docs

Docs Directory APIs SDKs

Block application attacks

Web applications face constant threats from SQL injection, Cross-Site Scripting (XSS), and other Open Web Application Security Project (OWASP) Top 10 vulnerabilities. Cloudflare WAF managed rulesets block these attacks automatically, and rate limiting prevents brute force abuse.

Solutions

Application security (WAF)

Get automatic protection from vulnerabilities and create your own custom rules. Learn more about WAF.

Managed rulesets - Pre-configured rules covering OWASP Top 10 and emerging threats, updated by Cloudflare
Zero-day protection - Rules are updated as new vulnerabilities are discovered, with no action required from you
Custom rules - Block or challenge requests based on any request attribute including headers, cookies, and IP reputation

Rate limiting

Limit request rates based on flexible matching criteria. Learn more about rate limiting.

Rate limiting - Prevent brute force attacks and Application Programming Interface (API) abuse with flexible per-endpoint request limits

Get started