Cloudflare just released a version of its WAF (Web Application Firewall)  technology for free to website owners. This has just been announced on the 15th of March 2022 in the article: WAF for everyone and A new WAF experience (cloudflare.com)

WAF is important for websites as it adds an extra protection layer to the request that is coming to your webserver. From malicious requests to vulnerabilities Cloudflare Free WAF will protect your website better and diminish the risc of your webserver to go down or be hacked.

The free plan will include the free protection that will be constantly updated by CloudFlare, so you will have protection against most know threats like:

• Log4J rules matching payloads in the URI and HTTP headers;
• Shellshock rules;
• Rules matching very common WordPress exploits;

The good part is that the threts are updated weekly by cloudflare and you don’t need to do anything. This features that will be included are under roll and at the time of the article writing are not fully released. Some of them are already in use as I see automatic blocking that is happening to some of my websites.

What Else is Included in Cloudflare Free WAF

Bellow will gona check some of the things that can be configured in the Cloudflare free WAF and the free plan limitations.

Firewall Rules

In one side you have the automatic protection that is added by CloudFlare but with the free option you have also some flexibility to add your own rules. For instance you can add up to 5 firewall rules in the free plan. You can block access to certain pages, cookies, IP, countries,etc:

Rate limiting

In case you want to limit the traffic to a specific zone or API you have the option to enable that, with free plan you have: First 10,000 requests are free then $0.05 per 10,000 legitimate (non-blocked) requests thereafter.

Managed rules

You can choose from their free rules. At this time they are not available yet, this is a new service and the details are just being created.

Tools

In here you have the option to block ranges of IP’s, countries. There is also the option to block certain user agents if you want to.

All of this things are working if the website is proxyed thru Cloudflare, if you only use cloudflare as DNS and don’t proxy the traffic thru them you will not take advantage of this features.

All of this are free to use and from my point of view will make the web a safer place, I am waiting to see the final version of the Free WAF (Web Application Firewall) to see exactly what it has to offer.