In this section we will deploy key components of Cloudflare Application Security, including:

• WAF Rulesets
• Custom Rules
• Rate Limiting

Why

The Cloudflare Managed Ruleset is a comprehensive set of security rules created and maintained by the Cloudflare security team. It is designed to provide fast and effective protection for all types of applications, and it is frequently updated to cover new vulnerabilities and reduce false positives.

By following these exercises, you will learn how to deploy these features to protect your web applications.

Steps

1. What can we see before deploying the WAF?

The Cloudflare WAF provides comprehensive protection right out of the box. A common problem with web applications is accidental exposure of sensitive files and folders.

For example navigate to /.git/secrets.txt on your Cloudflare zone:

https://discreet-prototype.sxplab.com/.git/secrets.txt

This simulates the scenario of an exposed git version control repository. Oh no, the credentials are exposed! So to avoid this from ever happen, we need to create rules to prevent it

2. Deploy the Cloudflare Managed Ruleset

In the Cloudflare Dashboard go to Security ‣ Settings ‣ Detection Tools and toggle on Cloudflare Managed ruleset.

The 'Deploy managed ruleset' configuration settings will launch. On this screen, you can configure:

• Execution scope with custom filter expression to apply the ruleset only to a subset of incoming requests
• Set the action to perform (Managed Challenge, Block, JS Challenge, Log, Interactive Challenge, or Default)