Managed rules

WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against:

Zero-day vulnerabilities
Top-10 attack techniques
Use of stolen/exposed credentials
Extraction of sensitive data

These managed rulesets are regularly updated. Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions.

Rules of managed rulesets have associated tags (such as wordpress) that allow you to search for a specific group of rules and configure them in bulk.

Managed rulesets

Cloudflare provides the following managed rulesets in the WAF:

The following managed rulesets run in a response phase:

Availability

The managed rulesets you can deploy depend on your Cloudflare plan.

	Free	Pro	Business	Enterprise
Availability	Yes	Yes	Yes	Yes
Free Managed Ruleset	Yes	Yes	Yes	Yes
Cloudflare Managed Ruleset	No	Yes	Yes	Yes
Cloudflare OWASP Core Ruleset	No	Yes	Yes	Yes
Cloudflare Exposed Credentials Check	No	Yes	Yes	Yes
Cloudflare Sensitive Data Detection	No	No	No	Yes

Customize the behavior of managed rulesets

To customize the behavior of managed rulesets, do one of the following:

Create exceptions to skip the execution of WAF managed rulesets or some of their rules under certain conditions.
Configure overrides to override the default rule action or disable one or more rules of managed rulesets. Overrides can affect an entire managed ruleset, specific tags, or specific rules in the managed ruleset.

Exceptions have priority over overrides.

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings