Security settings

This page describes the settings available in Security > Settings for a given domain.

Security modules

Web application exploits module

In the Web application exploits security module you can enable and configure the following managed rulesets and detections:

• Cloudflare Managed Ruleset
• Cloudflare OWASP Core Ruleset
• Leaked credentials detection
• Malicious upload detection
• Sensitive data detection ruleset
• Firewall for AI

Refer to each linked page for details.

Note

The web application exploits module includes features and settings from the Cloudflare WAF in the previous dashboard navigation structure.

DDoS attacks module

The DDoS protection security module shows the multiple DDoS mitigation services provided by Cloudflare. You can create rules to override these mitigation tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

• HTTP DDoS attack protection overrides
• Network-layer DDoS attack protection overrides

Note

You define overrides for the Network-layer DDoS attack protection managed ruleset at the account level in Account Home > L3/4 DDoS > Network-layer DDoS Protection.

Bot traffic module

In the Bot traffic security module you can perform the following tasks:

• Enable Bot fight mode (depending on your Cloudflare plan).
• Enable Super Bot fight mode (depending on your Cloudflare plan).
• Review information about Bot Management (always enabled if included in your Enterprise subscriptions).
• Turn on Block AI Bots.
• Turn on AI Labyrinth.

Note

The bot traffic module includes features and settings from Bots in the previous dashboard navigation structure.

API abuse module

In the API abuse security module you can perform the following tasks:

• Review information about Endpoint Discovery (always enabled if included in your Enterprise subscriptions).
• Enable Sequence Discovery (requires that you configure a session identifier).
• Enable Schema Validation (requires that you upload a schema or apply a learned schema).
• Enable JWT Validation (requires that you add a JWT configuration).

Note

The API abuse module includes features and settings from API Shield in the previous dashboard navigation structure.

Client-side abuse module

In the Client-side abuse security module you can perform the following tasks:

• Turn continuous script monitoring on or off (previously you turned Page Shield on or off).
• Create a client-side resource alert (also known as a Page Shield alert).
• Set the reporting endpoint to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on).
• Adjust the data logged in client-side abuse reports (only the hostname or the full URI).

Note

The client-side abuse module includes features and settings from Page Shield in the previous dashboard navigation structure.

All settings

This section allows you to configure multiple security-related settings. The following table links to additional information about each setting:

Setting	Location in previous dashboard navigation
Endpoint labels	Security > Settings > Labels
Session identifiers	Security > API Shield > Settings
Schemas default action	Security > API Shield > Schema Validation
Uploaded schemas	Security > API Shield > Schema Validation
Learned schemas	Security > API Shield > Schema Validation
Token configuration	Security > API Shield > Settings
Client-side resource alerts	Security > Page Shield > Settings Account Home > Notifications
Reporting endpoint	Security > Page Shield > Settings
Data processing	Security > Page Shield > Settings
IP lists	Account Home > Manage Account > Configurations
Custom username and password location	Security > Settings
Custom content location	Security > Settings
Custom sensitive data deployment	Security > Sensitive Data
Block definitely automated traffic	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Block likely bots	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Managed robots.txt	Security > Bots > Configure Bot Fight Mode Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Allow verified bots	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Static resource protection	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Optimize for WordPress	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
JavaScript detections	Security > Bots > Configure Super Bot Fight Mode Security > Bots > Configure Bot Management
Auto-update machine learning model	Security > Bots > Configure Bot Management
Enable Security.txt	Security > Settings
Challenge Passage	Security > Settings
Browser Integrity Check	Security > Settings
Replace insecure JavaScript libraries	Security > Settings
Security Level	Security > Settings