6.4. WAF Security Checks#

Checks that evaluate Web Application Firewall configuration including security level, custom rules, rate limiting, and managed rulesets (Cloudflare Managed and OWASP Core).

6.4.1. Check Summary#

6.4.1.1. CFL-WAF-006: Cloudflare Managed Ruleset Deployed#

The Cloudflare Managed Ruleset is curated by Cloudflare security engineers and updated continuously as new CVEs are disclosed.

Remediation: Deploy the ruleset via FlareInspect’s recipe (deploys in log mode by default — promote to block after reviewing false positives).

6.4.1.2. CFL-WAF-007: OWASP Core Ruleset Deployed#

The OWASP Core Rule Set (CRS, formerly the ModSecurity Core Rule Set) is the industry baseline for WAF coverage against the OWASP Top 10. Cloudflare's OWASP Core Ruleset deploys CRS as an anomaly-scoring ruleset: matching rules add to a per-request score and the request is acted on only when the score crosses the configured threshold at the configured paranoia level, so the threshold and paranoia level are part of the posture, not just the deploy/not-deployed bit.

Remediation: Same as CFL-WAF-006 — deploy in log mode first, start at a low paranoia level, and only raise the level or tighten the score threshold after reviewing what the logged matches would have blocked.

6.4.1.3. CFL-WAF-008: Managed Ruleset Override Posture#

Overrides can be applied to an entire managed ruleset, to a category of rules, or to individual rules. Overrides that downgrade the action to log, or disable rules, are useful for tuning but weaken the default posture if left in place indefinitely.

Remediation: Review any log-only or disabled overrides at ruleset, category, and rule level — promote them to block (or remove the override) once false-positive traffic has been ruled out.
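The three checks above (CFL-WAF-006, 007 and 008) all read the same object: the zone's entry-point ruleset for the `http_request_firewall_managed` phase, which lists one `execute` rule per deployed managed ruleset together with its overrides. The following is an added example, not FlareInspect's own code, showing how such an audit can be written against that structure. The sample entry point is constructed inline so the code runs offline; in practice it would be the JSON returned by `GET /zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint`. The two ruleset IDs are the ones Cloudflare publishes for its Managed and OWASP Core rulesets; the check IDs, status values and helper names are this example's own.

```python
"""Audit a zone's managed-ruleset entry point for CFL-WAF-006/007/008 (example, not FlareInspect code)."""

# Ruleset IDs Cloudflare publishes for its managed rulesets (verify against your account).
CLOUDFLARE_MANAGED_RULESET = "efb7b8c949ac4650a09736fc376e9aee"
OWASP_CORE_RULESET = "4814384a9e5d4991b9815dcfc25d2f1f"

REQUIRED = {
    "CFL-WAF-006": ("Cloudflare Managed Ruleset", CLOUDFLARE_MANAGED_RULESET),
    "CFL-WAF-007": ("OWASP Core Ruleset", OWASP_CORE_RULESET),
}

# Constructed sample shaped like the entry-point response: the Cloudflare Managed Ruleset is
# deployed but overridden to log at ruleset level with one rule disabled; OWASP is absent.
SAMPLE_ENTRYPOINT = {
    "result": {
        "id": "0000000000000000000000000000abcd",
        "phase": "http_request_firewall_managed",
        "rules": [
            {
                "id": "11111111111111111111111111111111",
                "action": "execute",
                "expression": "true",
                "enabled": True,
                "action_parameters": {
                    "id": CLOUDFLARE_MANAGED_RULESET,
                    "overrides": {
                        "action": "log",
                        "rules": [
                            {"id": "22222222222222222222222222222222", "enabled": False},
                            {"id": "33333333333333333333333333333333", "action": "block"},
                        ],
                    },
                },
            }
        ],
    }
}


def executed_rulesets(entrypoint):
    """Map managed-ruleset ID -> the enabled 'execute' rule that deploys it."""
    found = {}
    for rule in entrypoint.get("result", {}).get("rules", []):
        if rule.get("action") != "execute" or not rule.get("enabled", True):
            continue
        target = rule.get("action_parameters", {}).get("id")
        if target:
            found[target] = rule
    return found


def override_findings(rule):
    """List overrides that weaken a deployed ruleset: log-only actions and disabled rules."""
    findings = []
    overrides = rule.get("action_parameters", {}).get("overrides", {})
    if overrides.get("action") == "log":
        findings.append("ruleset-level action overridden to log")
    if overrides.get("enabled") is False:
        findings.append("entire ruleset disabled by override")
    # Category overrides are keyed by "category", per-rule overrides by "id".
    for scope, key in (("categories", "category"), ("rules", "id")):
        for item in overrides.get(scope, []):
            ident = item.get(key, "?")
            if item.get("enabled") is False:
                findings.append(f"{key} {ident} disabled")
            elif item.get("action") == "log":
                findings.append(f"{key} {ident} downgraded to log")
    return findings


def audit(entrypoint):
    """Return {check_id: (status, detail)} for the three managed-ruleset checks."""
    deployed = executed_rulesets(entrypoint)
    results = {}
    for check_id, (name, ruleset_id) in REQUIRED.items():
        if ruleset_id in deployed:
            results[check_id] = ("PASS", f"{name} deployed")
        else:
            results[check_id] = ("FAIL", f"{name} not executed in http_request_firewall_managed")
    weak = [f"{rid}: {f}" for rid, rule in deployed.items() for f in override_findings(rule)]
    results["CFL-WAF-008"] = (
        ("WARN", "; ".join(weak)) if weak else ("PASS", "no log-only or disabled overrides")
    )
    return results


if __name__ == "__main__":
    for check_id, (status, detail) in audit(SAMPLE_ENTRYPOINT).items():
        print(f"{check_id} {status}: {detail}")
```

Two caveats the code makes visible: an `execute` rule whose `expression` is narrower than `true` only deploys the ruleset for the matching subset of traffic, and this example treats any enabled `execute` rule as a deployment regardless of expression; and a per-rule override that sets `action` to `block` is not a weakening and is correctly ignored.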

6.4.1.4. CFL-WAF-009: Browser Integrity Check#

Browser Integrity Check inspects request headers for the patterns commonly abused by spammers and crawlers, and blocks or challenges requests whose headers are missing or malformed (for example, no User-Agent or a non-standard User-Agent). It is a header-based check, not a full bot-detection layer.

Remediation: Use FlareInspect’s recipe, or toggle the setting in Security → Settings → Browser Integrity Check (the corresponding zone setting in the API is browser_check).