Cloudflare WAF
By Cloudflare
An edge WAF running on Cloudflare's global network, paired with the separately named API Shield for schema validation and API-specific abuse detection. A distinct product line from the same company's Cloudflare One SASE platform and Magic Transit DDoS service.
Verified Source: 1
- Product type
- Software
- Deployment
- SaaS
- Organization size
- SMBMid-marketEnterprise
- Pricing tier
- Freemium
Capability checklist
WAFHow Cloudflare WAF measures up against the full WAF & API Security taxonomy.
- Attack signature blocking — supported
- Blocks OWASP Top 10 style attacks like SQL injection and XSS at the edge.
- API discovery — supported
- Automatically inventories known and shadow API endpoints from observed traffic.
- Schema validation — supported
- Enforces that requests match the declared API schema, blocking anything that doesn't.
- Bot management — supported
- Distinguishes automated and malicious bot traffic from legitimate users.
- Rate limiting — supported
- Throttles abusive request volumes per client or endpoint.
- Runtime API protection — not supported
- Detects and blocks data leakage and abuse in live API traffic.
Alternatives
Other WAF & API Security tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Cloudflare WAF.