1# Cloudflare WAF Expert Skill Reference
2 
3**Expertise**: Cloudflare Web Application Firewall (WAF) configuration, custom rules, managed rulesets, rate limiting, attack detection, and API integration
4 
5## Overview
6 
7Cloudflare WAF protects web applications from attacks through managed rulesets and custom rules.
8 
9**Detection (Managed Rulesets)**
10- Pre-configured rules maintained by Cloudflare
11- CVE-based rules, OWASP Top 10 coverage
12- Three main rulesets: Cloudflare Managed, OWASP CRS, Exposed Credentials
13- Actions: log, block, challenge, js_challenge, managed_challenge
14 
15**Mitigation (Custom Rules & Rate Limiting)**
16- Custom expressions using Wirefilter syntax
17- Attack score-based blocking (`cf.waf.score`)
18- Rate limiting with per-IP, per-user, or custom characteristics
19- Actions: block, challenge, js_challenge, managed_challenge, log, skip
20 
21## Quick Start
22 
23### Deploy Cloudflare Managed Ruleset
24```typescript
25import Cloudflare from 'cloudflare';
26 
27const client = new Cloudflare({ apiToken: process.env.CF_API_TOKEN });
28 
29// Deploy managed ruleset to zone
30await client.rulesets.create({
31  zone_id: 'zone_id',
32  kind: 'zone',
33  phase: 'http_request_firewall_managed',
34  name: 'Deploy Cloudflare Managed Ruleset',
35  rules: [{
36    action: 'execute',
37    action_parameters: {
38      id: 'efb7b8c949ac4650a09736fc376e9aee', // Cloudflare Managed Ruleset
39    },
40    expression: 'true',
41    enabled: true,
42  }],
43});
44```
45 
46### Create Custom Rule
47```typescript
48// Block requests with attack score >= 40
49await client.rulesets.create({
50  zone_id: 'zone_id',
51  kind: 'zone',
52  phase: 'http_request_firewall_custom',
53  name: 'Custom WAF Rules',
54  rules: [{
55    action: 'block',
56    expression: 'cf.waf.score gt 40',
57    description: 'Block high attack scores',
58    enabled: true,
59  }],
60});
61```
62 
63### Create Rate Limit
64```typescript
65await client.rulesets.create({
66  zone_id: 'zone_id',
67  kind: 'zone',
68  phase: 'http_ratelimit',
69  name: 'API Rate Limits',
70  rules: [{
71    action: 'block',
72    expression: 'http.request.uri.path eq "/api/login"',
73    action_parameters: {
74      ratelimit: {
75        characteristics: ['cf.colo.id', 'ip.src'],
76        period: 60,
77        requests_per_period: 10,
78        mitigation_timeout: 600,
79      },
80    },
81    enabled: true,
82  }],
83});
84```
85 
86## Managed Ruleset Quick Reference
87 
88| Ruleset Name | ID | Coverage |
89|--------------|----|---------| 
90| Cloudflare Managed | `efb7b8c949ac4650a09736fc376e9aee` | OWASP Top 10, CVEs |
91| OWASP Core Ruleset | `4814384a9e5d4991b9815dcfc25d2f1f` | OWASP ModSecurity CRS |
92| Exposed Credentials Check | `c2e184081120413c86c3ab7e14069605` | Credential stuffing |
93 
94## Phases
95 
96WAF rules execute in specific phases:
97- `http_request_firewall_managed` - Managed rulesets
98- `http_request_firewall_custom` - Custom rules
99- `http_ratelimit` - Rate limiting rules
100- `http_request_sbfm` - Super Bot Fight Mode (Pro+)
101 
102## Reading Order
103 
1041. **[api.md](api.md)** - SDK methods, expressions, actions, parameters
1052. **[configuration.md](configuration.md)** - Setup with Wrangler, Terraform, Pulumi
1063. **[patterns.md](patterns.md)** - Common patterns: deploy managed, rate limiting, skip, override
1074. **[gotchas.md](gotchas.md)** - Execution order, limits, expression errors
108 
109## See Also
110 
111- [Cloudflare WAF Docs](https://developers.cloudflare.com/waf/)
112- [Ruleset Engine](https://developers.cloudflare.com/ruleset-engine/)
113- [Expression Reference](https://developers.cloudflare.com/ruleset-engine/rules-language/)