6.23. DDoS and Account-WAF

Detects whether the account has DDoS protection rules and reusable account-level WAF rulesets.

6.23.1. Check Summary

6.23.1.1. CFL-DDOS-001: L7 DDoS Managed Ruleset Deployed

Severity: medium | Category: ddos

Cloudflare’s L7 DDoS managed ruleset inspects incoming HTTP traffic and applies adaptive thresholds to detect and mitigate application-layer DDoS attacks.

Remediation: Review the L7 DDoS ruleset posture in Security → DDoS. FlareInspect does not auto-modify DDoS rulesets.

6.23.1.2. CFL-ACCTWAF-001: Account-level WAF Ruleset Coverage

Severity: medium | Category: account-waf

Account-scoped custom WAF rulesets allow you to share a single rule across many zones. The check verifies that at least one custom or managed ruleset is present at the account level.

Remediation: Create a shared custom ruleset in Account → WAF → Custom Rulesets and reference it from each zone’s ruleset phase.
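Both checks can be reproduced by hand against the account's ruleset list. The following is an added example, not FlareInspect's own code. It assumes the input is the JSON envelope returned by Cloudflare's `GET /accounts/{account_id}/rulesets` endpoint, that "deployed" can be approximated by a managed ruleset in the `ddos_l7` phase, and that PASS/FAIL/ERROR are suitable status names. The sample data is constructed.

```python
# Added example (not FlareInspect source). Evaluates CFL-DDOS-001 and
# CFL-ACCTWAF-001 from an account ruleset listing, fully offline.

# Phases that hold WAF custom and managed rules in the Rulesets API.
WAF_PHASES = {"http_request_firewall_custom", "http_request_firewall_managed"}
CHECK_IDS = ("CFL-DDOS-001", "CFL-ACCTWAF-001")

# Constructed sample shaped like the list-rulesets response envelope.
SAMPLE_ENVELOPE = {
    "success": True,
    "result": [
        {"id": "aaaa", "name": "HTTP DDoS Attack Protection",
         "kind": "managed", "phase": "ddos_l7"},
        {"id": "bbbb", "name": "root",
         "kind": "root", "phase": "http_request_firewall_custom"},
        {"id": "cccc", "name": "shared-blocklist",
         "kind": "custom", "phase": "http_request_firewall_custom"},
    ],
}


def evaluate_account_rulesets(envelope):
    """Return {check_id: status}; status is PASS, FAIL or ERROR (assumed names)."""
    result = envelope.get("result")
    # A failed or malformed API response (for example a token without
    # ruleset read permission) means "not assessed", not a failed check.
    if not envelope.get("success") or not isinstance(result, list):
        return {check: "ERROR" for check in CHECK_IDS}

    # CFL-DDOS-001: a managed ruleset exists in the L7 DDoS phase (assumption).
    has_ddos = any(
        r.get("kind") == "managed" and r.get("phase") == "ddos_l7" for r in result
    )
    # CFL-ACCTWAF-001: at least one custom or managed ruleset in a WAF phase.
    # Entry-point rulesets (kind "root") do not count as reusable rulesets.
    has_waf = any(
        r.get("kind") in ("custom", "managed") and r.get("phase") in WAF_PHASES
        for r in result
    )
    return {
        "CFL-DDOS-001": "PASS" if has_ddos else "FAIL",
        "CFL-ACCTWAF-001": "PASS" if has_waf else "FAIL",
    }


if __name__ == "__main__":
    for check_id, status in evaluate_account_rulesets(SAMPLE_ENVELOPE).items():
        print(check_id, status)
```

Separating ERROR from FAIL keeps an under-privileged API token from being reported as missing protection.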