| Feature | Description | Plan | Docs |
|---|---|---|---|
| Managed Rules | Pre-built, continuously updated rulesets covering OWASP Top 10, CVEs, and CMS-specific apps (Magento, WordPress, Drupal, Joomla). Zero-day protection with low false-positive rates. | All paid | waf/managed-rules |
| Custom Rules | Build tailored rules using the Ruleset Engine — match on IP, country, URI, headers, request body, and WAF score. Ideal for protecting checkout and login endpoints. | All | waf/custom-rules |
| Rate Limiting Rules | Define request rate thresholds per endpoint (e.g., login page, cart, coupon validation). Prevents brute-force and abuse of sensitive e-commerce flows. | All | waf/rate-limiting-rules |
| WAF Attack Score | ML model scoring each request 1–99 for SQLi, XSS, and RCE attack likelihood. Catches obfuscated/fuzzing variants that signature-based rules miss. Fields: cf.waf.score, cf.waf.score.sqli, cf.waf.score.xss, cf.waf.score.rce | Business+ | waf/detections/attack-score |
| Security Analytics | Full traffic visibility across all incoming requests — including those not affected by any rule. Use before enabling blocking to safely calibrate thresholds. | All | waf/analytics/security-analytics |
| Security Events | Sampled log of rule-matched (mitigated) requests. Helps fine-tune WAF rules and understand attack patterns in real time. | All | waf/analytics/security-events |

| Feature | Description | Plan | Docs |
|---|---|---|---|
| Bot Fight Mode | Basic bot detection and mitigation. Challenges traffic matching known bot patterns. Limited configuration options. | Free / Pro | bots/get-started/bot-fight-mode |
| Super Bot Fight Mode | Identifies known-bot traffic patterns, challenges or blocks bots, protects static resources, and provides Bot Analytics to understand bot traffic composition. | Pro / Business | bots/get-started/super-bot-fight-mode |
| Bot Management for Enterprise | Full ML + behavioural analysis. Exposes cf.bot_management.score (1–99), JA3/JA4 fingerprints, bot tags, and detection IDs for precise custom rules. Detects simple bots, sophisticated bots, and headless browsers. Includes Block AI bots, AI Labyrinth, and verified bots allowlist. | Enterprise | bots/plans/bm-subscription |
| Bot Analytics | Dedicated analytics tool inside Security Analytics. Visualise bot score distribution, bot categories, and traffic trends over time. | Business+ | bots/bot-analytics |
| Verified Bots Allowlist | Allow verified good bots (Googlebot, Bingbot, etc.) to pass through while blocking or challenging all unverified automated traffic. | Enterprise | bots/concepts/bot/verified-bots |

| Signal / Field | Description | Plan | Docs |
|---|---|---|---|
| cf.waf.credential_check.password_leaked | Boolean — password found in breach databases (HIBP 15B+ dataset). Use in custom rules to challenge or force a password reset flow. | Free+ | leaked-credentials |
| cf.waf.credential_check.username_and_password_leaked | Boolean — the full username + password pair was previously leaked as a pair. Strong signal for credential stuffing attacks. | Pro+ | leaked-credentials |
| cf.waf.credential_check.username_leaked | Boolean — username is known to be in a breach database, regardless of the password used in this request. | Enterprise | leaked-credentials |
| cf.waf.credential_check.username_password_similar | Boolean — a similar variant of the submitted credentials was previously leaked. Catches slight password modifications of known breached pairs. | Enterprise | leaked-credentials |
| cf.waf.auth_detected | Boolean — Cloudflare detected authentication credentials in the request, regardless of whether they are leaked. Useful for monitoring all auth attempts. | Enterprise | leaked-credentials |
| Exposed-Credential-Check Header | Managed transform that adds an Exposed-Credential-Check: 1–4 request header to flag the type of leak to your origin server. Trigger 2FA, password reset, or account lock from your own application. | All | managed-transforms/reference |
| Custom Detection Locations | Configure where Cloudflare should find credentials in requests (JSON body, URL-encoded forms, multipart, headers) when using a custom authentication format. | Enterprise | leaked-credentials/get-started |
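The Exposed-Credential-Check row above describes what Cloudflare sends; the origin-side half is left to you. The following is an added example, not Cloudflare's code, of a login handler that reads the header and chooses a defensive action. The value-to-signal mapping (1 = username and password pair leaked, 2 = password leaked, 3 = username leaked, 4 = similar credentials leaked) is stated from memory of the managed transform documentation and should be confirmed against managed-transforms/reference; the policy action names are hypothetical. Trust the header only when the origin accepts traffic exclusively through Cloudflare; a request reaching the origin directly could carry any header value.

```javascript
// Added example (not Cloudflare's code): origin-side handling of the
// Exposed-Credential-Check request header added by Cloudflare's managed transform.
// Numeric meanings are as recalled from Cloudflare's docs (assumption; verify
// against managed-transforms/reference).
const CHECK_MEANING = {
  1: 'username_and_password_leaked',
  2: 'password_leaked',
  3: 'username_leaked',
  4: 'username_password_similar',
};

// Hypothetical defensive policy for this example: what the login flow does
// for each signal. Adjust to your own risk appetite.
const POLICY = {
  username_and_password_leaked: 'require_mfa_and_reset',
  password_leaked: 'require_password_reset',
  username_leaked: 'log_only',
  username_password_similar: 'require_mfa',
};

// Returns the signal name for the request, or null if the header is absent
// or carries a value we do not recognise (unknown values are never trusted).
function parseExposedCredentialCheck(headers) {
  // HTTP header names are case-insensitive, so normalise the lookup.
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === 'exposed-credential-check'
  );
  if (!key) return null;
  const value = Number.parseInt(String(headers[key]).trim(), 10);
  return CHECK_MEANING[value] ?? null;
}

// Decide what the login handler should do before checking the password.
function decideLoginAction(headers) {
  const signal = parseExposedCredentialCheck(headers);
  if (!signal) return { signal: null, action: 'allow' };
  return { signal, action: POLICY[signal] };
}

// Constructed sample request headers (not captured traffic).
const SAMPLE_REQUESTS = [
  { 'Exposed-Credential-Check': '1', 'content-type': 'application/json' },
  { 'exposed-credential-check': '2' },
  { 'content-type': 'application/json' },
  { 'Exposed-Credential-Check': '9' }, // unknown value: ignored
];

function runSamples() {
  return SAMPLE_REQUESTS.map(decideLoginAction);
}

for (const result of runSamples()) console.log(result);
```

The handler deliberately falls back to `allow` on an unknown or missing value so that a transform misconfiguration degrades to your normal password check rather than locking customers out; log the `signal` alongside the login outcome so Security Events and your own auth logs can be correlated.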

| Feature | Description | Plan | Docs |
|---|---|---|---|
| HTTP DDoS Protection (L7) | Autonomous detection and mitigation of application-layer floods targeting HTTP/HTTPS endpoints — including checkout pages, product listings, and APIs. | All | ddos-protection/managed-rulesets |
| Network-layer DDoS (L3/L4) | Protects the network infrastructure behind your storefront against UDP floods, SYN floods, and ACK floods — unmetered on all plans. | All | ddos-protection/managed-rulesets |
| Adaptive DDoS Protection | Learns your traffic baseline and adapts mitigation thresholds automatically. Reduces false positives during legitimate traffic spikes (e.g., flash sales, product launches). | Business+ | managed-rulesets/adaptive-protection |
| Advanced DDoS Protection | Additional traffic profiling signals for Adaptive DDoS: ML scores, client country, user agent, query string. Supports up to 10 ruleset overrides and advanced filtering alerts. | Enterprise + add-on | ddos-protection |

| Feature | Description | Plan | Docs |
|---|---|---|---|
| Script Monitoring | Tracks every JavaScript resource loaded in your pages. Inventory of all third-party and first-party scripts with origin, page, and frequency data. | All | page-shield/detection |
| Connection Monitoring | Monitors outbound network connections initiated by scripts on your pages. Detects if a script starts exfiltrating data to an unknown domain. | Business+ | page-shield/detection |
| Cookie Monitoring | Tracks cookie access patterns by scripts. Flags unexpected access to session or payment-related cookies. | Business+ | page-shield |
| Malicious Script Detection | Uses ML and threat intelligence to classify scripts as malicious. Alerts when a skimmer or known malware script is detected on your checkout or account pages. | Enterprise + add-on | review-malicious-scripts |
| Code Change Detection | Alerts when the content of a known script changes. Key for detecting supply chain attacks where a legitimate CDN-hosted library is compromised. | Enterprise + add-on | review-changed-scripts |
| Policies (CSP Enforcement) | Define allowlists of permitted scripts and connections. Blocks any resource not explicitly approved — effectively a managed Content Security Policy for your storefront. | Enterprise + add-on | page-shield/policies |

| Widget Type | Description | Plan | Docs |
|---|---|---|---|
| Non-interactive | Fully silent — visitors never see any UI element. Best for flows where experience is paramount (luxury checkout pages). | Free | turnstile/concepts/widget |
| Managed | Shows an interactive checkbox only to suspected bots. Humans see nothing. Best balance for login and account creation forms. | Free | turnstile/concepts/widget |
| Invisible | No visible widget at all. Embedded and runs entirely in the background. Suitable for API-backed payment flows. | Free | turnstile/concepts/widget |
| Pre-clearance (SPA support) | Issues a clearance cookie so that Turnstile works correctly in Single Page Applications without repeated challenge prompts across page transitions. | Free | pre-clearance |

| Feature | Description | Plan | Docs |
|---|---|---|---|
| Endpoint Management | Maintain a full inventory of your API endpoints (method + path). Track new, changed, and deprecated endpoints in real time. | All | api-shield/management-and-monitoring |
| Schema Validation | Upload an OpenAPI schema and block requests that don't conform to it. Prevents malformed payloads from reaching your origin payment or order APIs. | All (basic) | api-shield/security/schema-validation |
| API Discovery | Automatically discovers all API endpoints from traffic — including shadow APIs you didn't know existed. Helps inventory third-party integrations (payment gateways, shipping, reviews). | Enterprise + add-on | api-shield/security/api-discovery |
| JWT Validation | Verifies and enforces JSON Web Tokens at the edge. Blocks requests with invalid, expired, or tampered tokens before they reach your API servers. | Enterprise + add-on | api-shield/security/jwt-validation |
| Mutual TLS (mTLS) | Require client certificates for API access. Ensures only authorised devices or services (e.g., your mobile app, payment processor webhooks) can call your APIs. | All (CF CA) | api-shield/security/mtls |
| Volumetric Abuse Detection | Detects brute-force attacks against specific API endpoints (e.g., price check, stock level, coupon validation) by analysing per-endpoint request rates. | Enterprise + add-on | volumetric-abuse-detection |
| Sequence Analytics | Analyses sequences of API calls to detect anomalous patterns — e.g., accessing product data → cart → payment without browsing, which may indicate BOLA or scraping bots. | Enterprise + add-on | api-shield/security/sequence-analytics |

| Field / Feature | Description | Plan | Docs |
|---|---|---|---|
| cf.waf.content_scan.has_malicious_obj | Boolean — request contains at least one file identified as malware. Use in a custom rule to block the upload before it reaches your origin. | Enterprise + add-on | malicious-uploads |
| cf.waf.content_scan.obj_results | Array of scan results per uploaded file: clean, suspicious, infected, or not scanned. Enables granular per-file decisions. | Enterprise + add-on | malicious-uploads |
| Custom Scan Expressions | Tell the scanner where to find files in your request body — useful when files arrive as Base64-encoded JSON payloads rather than standard multipart uploads. | Enterprise + add-on | malicious-uploads/get-started |
| Supported File Types | Executables (.exe, .bat, .dll), documents (.doc, .pdf, .xls), archives (.zip, .rar, .gz), images (.jpg, .png, .gif), video/audio files, and more. | Enterprise + add-on | malicious-uploads |

| Feature | Description | Plan | Docs |
|---|---|---|---|
| Universal SSL | Free, automatically provisioned TLS certificate covering your apex domain and www subdomain. Active within 24 hours of zone creation. No renewal needed. | All (Free) | ssl/edge-certificates/universal-ssl |
| Total TLS | Automatically issues certificates for all subdomain levels — essential for multi-brand storefronts with deeply nested subdomains (e.g., shop.brand.puig.com). | Advanced Certificate Manager | ssl/total-tls |
| Advanced Certificate Manager | Custom hostnames, wildcard certificates, custom certificate validity periods, and SAN certificates. For multi-domain e-commerce portfolios. | Enterprise | ssl/advanced-certificate-manager |
| Custom TLS Settings | Enforce minimum TLS version (e.g., TLS 1.2+) and restrict allowed cipher suites. Helps meet PCI-DSS compliance requirements for payment card processing. | All paid | ssl/minimum-tls |
| Automatic HTTPS Rewrites & HSTS | Automatically upgrades HTTP links to HTTPS and sets Strict-Transport-Security headers. Prevents mixed-content warnings on checkout pages. | All | ssl/automatic-https-rewrites |

Threats addressed:

- 💉 SQLi / XSS / RCE on storefront
- 🔐 Credential stuffing / Account takeover
- 💳 Magecart / Payment card skimming
- 🌊 DDoS on checkout / product pages
- 🤖 Scalping / Inventory hoarding
- 🕷️ Price / catalog scraping
- 🔌 API abuse (cart, payment, stock APIs)
- 📁 Malicious file uploads (product images)
- 🎟️ Fake accounts / Coupon abuse
- 🔗 Supply chain JS attacks
- 🔓 Broken API authentication (BOLA/IDOR)
🌐