Cloudflare Announces New Web Application Firewall

Cloudflare recently introduced a new web application firewall (WAF). The new engine is written in Rust, offers better performance, and integrates with other Cloudflare products.

The new implementation was designed to provide easier rule navigation, one-click deployment and configuration, updated rulesets based on the latest version of the OWASP Core Rule Set, and the ability to deploy the same configuration across an entire account. Cloudflare is moving away from the previous engine, written in LuaJIT by John Graham-Cumming and implemented as an NGINX module. The old rule syntax, a superset of the ModSecurity syntax, is being replaced as well.

Michael Tremante, Product Manager at Cloudflare, explains why the new product required replacing the code base of the existing WAF, one of the most widely used products at Cloudflare:

Cloudflare’s Web Application Firewall (WAF) blocks over 57 billion cyber threats daily. This represents 650,000 blocked HTTP requests per second. The original code that filters this traffic was written by the current CTO of Cloudflare (…) Because we value replacing code when it is no longer as maintainable, performing or scalable as it once was, we regularly rewrite key parts of the Cloudflare stack (…) For some time we have been working on replacing the original LuaJIT code that John wrote with new code, written in Rust.

Rust is a language that Cloudflare already uses for other projects. The new engine adopts the wirefilter syntax, already used by Firewall Rules, as the basis for matching managed rulesets, and runs both on the same underlying Rust library. Tomas Pytel, Python developer at IBM, summarizes the advantages of the new WAF in a tweet:

– Better navigation and rules configuration
– A new matching engine – written in #Rust
– Updated #WAF rulesets
– Global settings

According to Cloudflare, the rollout of the new version will be gradual, starting with 10% of newly created accounts on a Pro plan or above, increasing to 100% of new accounts during the month of April, followed by migration of existing customers.


In a separate announcement, Cloudflare released other features for Account Takeover Protection, including Super Bot Fight Mode, an Open Proxy Managed List, and Exposed Credential Checks, a new WAF feature that inspects the credentials submitted in authentication requests. When enabled, the WAF automatically checks the credentials of any authentication request against a database of leaked credentials maintained by Cloudflare. If a match is found, the WAF adds a header to the request forwarded to the origin, so the application can be notified and trigger a different authentication flow, such as a step-up or password-reset flow.
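The origin side of that flow, as an added example that is not Cloudflare's code: the application still verifies the password itself, and only uses the WAF-added header to decide whether a correct password is allowed to mint a normal session or must first go through step-up authentication. The header name and value (`Exposed-Credential-Check: 1`) are assumptions for illustration; the request headers are constructed inline.

```python
"""Origin-side handling of a WAF exposed-credential signal.

Added example, not Cloudflare's code. EXPOSED_HEADER and its value are
assumptions for illustration; the real header name and value are defined
by the WAF configuration, not by this code.
"""
from dataclasses import dataclass
from typing import Mapping

EXPOSED_HEADER = "exposed-credential-check"  # assumed header name
EXPOSED_VALUE = "1"                          # assumed header value


@dataclass(frozen=True)
class LoginOutcome:
    authenticated: bool  # did the password verify?
    action: str          # "reject", "issue_session" or "require_step_up"


def credential_flagged(headers: Mapping[str, str]) -> bool:
    """True when the WAF marked the submitted credential as leaked.

    HTTP header names are case-insensitive, so normalise before lookup.
    """
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    return normalised.get(EXPOSED_HEADER) == EXPOSED_VALUE


def handle_login(headers: Mapping[str, str], password_ok: bool) -> LoginOutcome:
    """Decide what to do after the origin has verified the password itself.

    The WAF signal never grants access; it only adds friction to a login
    whose password is correct but known to be in a breach corpus.
    """
    if not password_ok:
        # Same generic failure as any bad password: don't leak whether the
        # credential was also found in a breach corpus.
        return LoginOutcome(authenticated=False, action="reject")
    if credential_flagged(headers):
        # Correct but compromised password: don't issue a normal session,
        # force MFA or a password change first.
        return LoginOutcome(authenticated=True, action="require_step_up")
    return LoginOutcome(authenticated=True, action="issue_session")


# Constructed sample requests as they would arrive at the origin.
CLEAN_REQUEST = {"Host": "app.example", "Content-Type": "application/x-www-form-urlencoded"}
FLAGGED_REQUEST = {"Host": "app.example", "Exposed-Credential-Check": "1"}


if __name__ == "__main__":
    print(handle_login(CLEAN_REQUEST, password_ok=True))
    print(handle_login(FLAGGED_REQUEST, password_ok=True))
    print(handle_login(FLAGGED_REQUEST, password_ok=False))
```

Two caveats follow from the design. A client that sets the header itself only makes its own login harder, so the signal is safe to act on but should never be used to grant anything. Conversely, the check only runs on traffic that passes through the WAF: if the origin is reachable directly, the header is simply absent and the leaked-credential check is bypassed, so the origin must not accept traffic that did not come through Cloudflare.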
