Cloudflare has recently introduced a new Web Application Firewall. The latest engine is written in Rust, provides better performance and integrates with other Cloudflare products.

The new implementation was designed to offer easier rule browsing, one-click deployment and configuration, updated rulesets based on the latest version of the OWASP Core Ruleset, and the ability to deploy the same configuration across the entire account. Cloudflare is now moving away from the previous engine, written in LuaJIT by John Graham-Cumming and implemented as an NGINX module. It is also replacing the old rule syntax, which was a superset of the ModSecurity syntax.

Cloudflare already uses Rust for other projects, and the new engine adopts the wirefilter syntax, the same syntax used by Firewall Rules, as the basis for managed rulesets, executing the filters with the same underlying Rust library.

  • Better rule browsing and configuration
  • A new matching engine, written in Rust
  • Updated WAF rulesets
  • Global configuration

The rollout of the new version will be incremental starting with 10% of newly created accounts on a Pro plan zone or above, increasing to 100% of new accounts over the month of April, followed by the migration efforts for existing customers.

Cloudflare released further functionality for account-takeover protection, including Super Bot Fight Mode, an Open Proxy managed list and Exposed Credential Checks, a new WAF feature that performs on-path exposed-credential checks. When enabled, the WAF automatically checks the credentials in any authentication request against a database of leaked credentials maintained by Cloudflare. If a match is found, the WAF adds a header to the request forwarded to the origin, so that the application is warned and can trigger a different authentication flow.
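As an added illustration of the origin side of that flow (example code, not Cloudflare's), the handler below decides what to do with a login once the proxy has flagged the credentials as leaked. The header name and the trusted proxy range are assumed placeholders: the real header name comes from Cloudflare's documentation, and the range stands in for Cloudflare's published IP list. The key caveat it shows is that the header must only be honoured when the request actually arrived through the proxy, otherwise a client could set it itself.

```python
import ipaddress

# Placeholder header name: substitute the one documented by Cloudflare.
EXPOSED_CRED_HEADER = "x-exposed-credential-check"

# Constructed sample range standing in for the proxy's published IP list.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def came_via_trusted_proxy(remote_addr: str) -> bool:
    """True only if the TCP peer is one of our trusted reverse-proxy ranges."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def credentials_flagged(headers: dict, remote_addr: str) -> bool:
    """Read the leaked-credential flag, ignoring it if it did not come via the proxy."""
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(EXPOSED_CRED_HEADER) is None:
        return False
    # A flag that arrived directly from a client is untrusted and discarded.
    return came_via_trusted_proxy(remote_addr)


def choose_auth_flow(headers: dict, remote_addr: str, password_ok: bool) -> str:
    """Return the flow the application should run for this login attempt.

    'reject'  - password did not verify; nothing else matters.
    'step_up' - password verified but is known-leaked: require a second
                factor and force a password rotation before granting a session.
    'allow'   - normal login.
    """
    if not password_ok:
        return "reject"
    if credentials_flagged(headers, remote_addr):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed request: arrived via the proxy and carries the flag.
    hdrs = {"X-Exposed-Credential-Check": "1", "Host": "app.example"}
    print(choose_auth_flow(hdrs, "203.0.113.7", password_ok=True))  # step_up
```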