LAB 02

Application Security

Fortifying the Edge -- Mastering Cloudflare WAF, DDoS, and Rate Limiting

Duration: 45 minutes | Level 3 | 2 Captains

Topics: DDoS Protection (L7), Managed Rulesets, Custom WAF Rules, Rate Limiting, Bot Management, Log Explorer, CDN, Argo Smart Routing, Transform Rules

Summary

This hands-on BlazeHack workshop offers a comprehensive exploration of Cloudflare's Application Security and Performance features. Participants will gain practical experience in configuring the Web Application Firewall (WAF) to combat the OWASP Top 10, setting up and validating Rate Limiting rules, and optimizing the Content Delivery Network (CDN) by configuring cache rules and enabling Argo Smart Routing. The core objective is to empower customers to confidently deploy and fine-tune Cloudflare's edge security and performance products, establishing robust, defense-in-depth protection and acceleration for their web applications.

Objectives

  • Onboard applications onto Cloudflare using Cloudflare's Managed DNS
  • Implement and understand the benefits of Cloudflare's Universal SSL
  • Understand how Cloudflare's WAF Managed Ruleset secures web applications and APIs against known vulnerabilities and zero-day attacks
  • Create Custom WAF Rules based on threat logs (e.g., to block suspicious user agents or paths)
  • Design and configure Advanced Rate Limiting rules to safeguard API endpoints and login forms from brute-force attacks and volumetric API abuse
  • Understand the mechanisms of Cloudflare's L7 DDoS mitigation
  • Configure Cloudflare's CDN to achieve optimal cache hit rate through cache rules
  • Implement and understand the benefits of Cloudflare's Argo Smart Routing
  • Navigate the Cloudflare Analytics and Logs platform to analyze blocked traffic and identify threat patterns
  • Monitor security logs and refine WAF rule sensitivity to minimize false positives

Lab Authors

Sze Rong Tham, Solutions Engineer
Sean Lim, Digital Solutions Engineer

Lab Modules

Step-by-step hands-on modules

Module 1: Building a Digital Fortress -- Web Application and API Security

15 min

This module covers the essential layers of modern web defense. You will start by deploying Cloudflare's Managed Rulesets and reviewing the DDoS protection stack to stop known threats, then move on to Rate Limiting to prevent brute-force attacks. Finally, you will craft Custom WAF Rules for geographic control and, optionally, create Transform Rules to harden your site's security headers.

Objective: Deploy a multi-layered security posture that protects against automated exploits, controls traffic based on origin and behavior, and optimizes server response headers for browser-side safety.

Key Steps:

  • Deploy Cloudflare's Managed Rulesets for OWASP Top 10 protection
  • Understand the DDoS protection stack and its automatic mitigation
  • Configure Advanced Rate Limiting rules for API endpoints
  • Create Custom WAF Rules for geographic and behavioral control
  • (Optional) Set up Transform Rules for security headers

Module 2: Need for Speed -- Global Delivery & Resilience

15 min

This module focuses on minimizing latency and optimizing the end-user experience. You will explore the Cloudflare Cache architecture to serve content from the edge, use Cache Rules for granular control over what stays in memory, and deploy Argo Smart Routing to bypass internet congestion. As an optional bonus, you'll set up Custom Error Pages for a professional brand presence.

Objective: Accelerate content delivery by maximizing edge cache hit ratios, optimizing network paths via smart routing, and maintaining a seamless user experience with branded error handling.

Key Steps:

  • Explore Cloudflare Cache architecture and edge serving
  • Configure Cache Rules for granular content caching
  • Deploy Argo Smart Routing to optimize network paths
  • (Optional) Create Custom Error Pages for branded error handling

Module 3: Eyes in the Skies -- Surveillance & Incident Response

15 min

This module focuses on Cloudflare's analytics and logs so that you can use the platform as a data engine for security investigations. You will learn to navigate Security Analytics to spot trends, use Payload Logging to investigate why specific requests were flagged, and use Log Explorer to perform deep forensics on your traffic patterns.

Objective: Establish a comprehensive monitoring strategy that allows you to identify emerging threats in real time and audit security events with forensic precision.

Key Steps:

  • Navigate Security Analytics dashboards to identify threat trends
  • Use Payload Logging to investigate flagged requests
  • Perform deep forensics with Log Explorer
  • Correlate blocked traffic with WAF rules and rate limits

Bonus Module -- Secure AI

5 min

This module enables you to secure your AI-powered applications. You will configure policies to prevent PII exposure, block prompt injection attacks, and filter unsafe topics to ensure safe and secure interactions with AI applications using Large Language Models (LLMs).

Objective: Configure and understand Cloudflare's Firewall for AI with a custom LLM endpoint.

Key Steps:

  • Discover how Cloudflare auto-detects LLM/AI endpoints
  • Configure Firewall for AI security policies
  • Block PII exposure and prompt injection attacks
  • Filter unsafe content and topics