Cloudflare provides large variety of Security settings you can configure. From a DDoS protection to fully integrated WAF(Web Application Firewall) such as the one we are using on our services. Cloudflare has simplified the security options to only two main ones which we will discuss in this tutorial.
To access your security options click on the Firewall icon located at the top of your Cloudflare Client Area. The main option is the Security Level Cloudflare which will be applied when it detects an offending user on your website. There are 5 protection levels which are quite different when it comes to filtering the users on your website. For example if you use the High value of that settings basically every user detected as offending in the past 14 dayse will be challenged while the Essentially off will challenge only the most abusive users.
The recommended value of this setting by Cloudflare is Medium as this value will protect your website in the most adequate way without actually causing inconvenience to your visitors.
The last option on the list is the I am Under Attack one which is used when your website is under DDoS attack. This setting will display a temporary placeholder page for every user you have on your website for a brief period of time. During this period Cloudflare will determinate if the user is an actual user or part of the attack.
The next setting is the Challenge Passage. Using this setting in particular will serve as a counter for how long a user can remain unchallenged by a human verification check on your website. Please feel free to choose whatever period suits your needs the most.
If you choose the Web Application Firewall tab you will find the Browser integrity check setting. This setting will read the HTTP headers usually sent to the webservice by the Internet Browser your visitors are using to reach your website. In these headers Cloudflare will check for any suspicious or security denied User Agents and also will generally check the whole HTTP header for malicious contents.
Above it is the actual Web Application Firewall. WAF is filtering all the incoming traffic on your website but not on your web server as this will cause load. Instead the requests made to your website are matched against specific rules the WAF features introduces. Unfortunately the setting is not available on the free Cloudflare plans. Instead it is available on all other plans they offer.
The IP Firewall tab contains an Access Rule tool which you can use to whitelist,block or challenge IPs and even leave a note if needed.
The last setting is the Advanced DDoS protection. The role that settings plays is when your website is under constant DDoS attack. This setting will provide a solution for denying that type of attack.
If you are using the Free plan Cloudflare provides you will be unable to use this feature as it is available only on their Business and Enterprise plans.
That is all! Congratulations! You can now properly configure the Security Settings for your entire website via the Cloudflare client area.