Cloudflare launches Always-On Attack Signature Detection for WAF, separating detection from blocking to eliminate tuning trade-offs
Cloudflare · feature, security, api, release · Source: blog.cloudflare.com

Traditional WAF Limitations

Web Application Firewalls have long forced security teams into a difficult trade-off: operate in logging-only mode for visibility, or switch to blocking mode for protection. When a rule blocks a request, analysis stops, and teams lose valuable insight into how other signatures would have assessed it. This creates a lengthy, manual tuning process whenever new applications are deployed.

Attack Signature Detection: Separation of Concerns

Cloudflare has solved this by introducing Attack Signature Detection, which inspects every request for malicious payloads and attaches rich detection metadata before any action is taken. This fundamentally changes the workflow:

  • Complete visibility into every signature match without sacrificing protection
  • Simpler onboarding: traffic is analyzed passively, data accumulates, and you see exactly which signatures fire and why
  • Precise policies: build mitigation rules based on past traffic patterns, dramatically reducing false positive risk

Always-On Framework

The new framework separates detection from mitigation. Detection runs continuously on all traffic and populates three key fields accessible in Security Analytics and Security Rules:

  • cf.waf.signature.request.confidence - confidence scores of matching signatures (High or Medium)
  • cf.waf.signature.request.categories - attack vectors detected (SQLi, XSS, RCE, CVEs, etc.)
  • cf.waf.signature.request.ref - matching Ref IDs (up to 10)

Critically, there's no performance penalty for the detection itself. If no blocking rule is created for a detection, the analysis runs after the request reaches the origin server, introducing zero additional latency.
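To make the separation of detection from mitigation concrete, here is an added, self-contained Python model (not Cloudflare's code) of the workflow described above: every signature is evaluated on every request with no early exit, the three metadata fields are attached, and a candidate mitigation rule is then dry-run over accumulated traffic before it is enabled. The field names come from the page; the signature Ref IDs, substring patterns, sample requests and the rule itself are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    ref: str          # Ref ID reported in cf.waf.signature.request.ref
    category: str     # attack vector reported in cf.waf.signature.request.categories
    confidence: str   # "High" or "Medium", as the page describes
    needle: str       # lowercase substring standing in for real signature logic (assumption)

# Constructed sample signatures; Ref IDs and patterns are made up for this example.
SIGNATURES = (
    Signature("sqli-0001", "SQLi", "High", "' or 1=1"),
    Signature("sqli-0002", "SQLi", "Medium", "union select"),
    Signature("xss-0001", "XSS", "High", "<script"),
)

def detect(request, signatures=SIGNATURES):
    """Run every signature over the request and attach metadata; no stop at first match."""
    hits = [s for s in signatures if s.needle in request.lower()]
    return {
        "cf.waf.signature.request.confidence": sorted({s.confidence for s in hits}),
        "cf.waf.signature.request.categories": sorted({s.category for s in hits}),
        "cf.waf.signature.request.ref": [s.ref for s in hits][:10],  # page: up to 10 Ref IDs
    }

def candidate_rule(meta, categories=frozenset({"SQLi", "XSS"})):
    """A proposed mitigation rule: block only High-confidence SQLi/XSS detections."""
    return ("High" in meta["cf.waf.signature.request.confidence"]
            and any(c in categories for c in meta["cf.waf.signature.request.categories"]))

def dry_run(requests, rule, signatures=SIGNATURES):
    """Replay accumulated detection metadata against a candidate rule before enabling it."""
    log = [detect(r, signatures) for r in requests]  # detection is always on, rule or not
    by_category = Counter(c for m in log for c in m["cf.waf.signature.request.categories"])
    return {
        "total": len(log),
        "would_block": sum(1 for m in log if rule(m)),
        "flagged_not_blocked": sum(1 for m in log if m["cf.waf.signature.request.ref"] and not rule(m)),
        "observed_categories": dict(by_category),
    }

# Constructed sample traffic (not real logs): one clean, two High, one Medium-only hit.
SAMPLE_REQUESTS = (
    "GET /search?q=shoes",
    "GET /search?q=' OR 1=1 --",
    "POST /comment body=<script>alert(1)</script>",
    "GET /report?sql=select name from users union select 1",
)
```

`dry_run(SAMPLE_REQUESTS, candidate_rule)` reports how many past requests the rule would have blocked and how many detections it would leave in log-only state, which is the evidence the page says teams now get before committing to a blocking policy.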

Full-Transaction Detection (Coming Soon)

Beyond request-only analysis, Cloudflare is developing Full-Transaction Detection, which correlates the entire HTTP transaction (request and response). This approach dramatically reduces false positives and uncovers threats that request-only engines miss:

  • Reflective SQL injection
  • Data exfiltration patterns
  • Dangerous misconfigurations revealed in responses

Availability & Next Steps

  • Attack Signature Detection is available now in Early Access; a sign-up form for expressing interest is linked from the original post.
  • Full-Transaction Detection is under development; a registration form for early access is linked from the original post.

The new detection provides the same coverage as Cloudflare's existing Managed Ruleset (700+ active rules covering SQLi, XSS, RCE, and CVEs) while eliminating the manual tuning burden.