Application Security Demo — Cheat Sheet
~25–30 min · Path: Protect & Connect → Application Security · Style: Conversational
Pre-demo setup checklist
- Two windows side-by-side: Terminal (big font) + Application Security → Investigate
nginx.tarheel.us — proxied, WAF on, no Access
eve-ng.tarheel.us — proxied, WAF + Cloudflare Access
- Custom WAF rule active on
nginx.tarheel.us: lower(http.request.uri) contains "union" → Block
- Browser tabs queued to Investigate and Security Analytics
Pre-flight (run 30 sec before going live)
FMT="Status: %{http_code}\n"
echo "T1 nginx ambiguous (expect 200):" && curl -s -o /dev/null -w "$FMT" "https://nginx.tarheel.us/?id=1%27%20OR%20%271%27=%271"
echo "T2 nginx UNION (expect 403):" && curl -s -o /dev/null -w "$FMT" "https://nginx.tarheel.us/?id=1+UNION+SELECT+1,2,3"
echo "T3 eve-ng ambig. (expect 302):" && curl -s -o /dev/null -w "$FMT" "https://eve-ng.tarheel.us/?id=1%27%20OR%20%271%27=%271"
echo "T4 eve-ng UNION (expect 403):" && curl -s -o /dev/null -w "$FMT" "https://eve-ng.tarheel.us/?id=1+UNION+SELECT+1,2,3"
0. Opening — Setting the Stage
"Most companies have five or six tools doing this job today. WAF in one place, DDoS in another, bot management somewhere else, API security from yet another vendor. Each one is its own console, its own logs, its own contract."
"Cloudflare collapses all of that into one platform. Every request to your app already passes through our edge, so we can apply every one of those controls in a single pass — and you see all of it from a single nav."
➡ Nav lives under Protect & Connect → Application Security.
1. Application Security — Landing Overview
▶ CLICK: Protect & Connect → Application Security
"Six things sit under Application Security — each has a job:"
- Security Insights — posture and risk view across everything
- WAF — the rules engine that decides allow, block, challenge, log
- Investigate — forensic view, every request, every decision, searchable
- Infrastructure — API Shield, schema validation, the shape of your traffic
- Brand Protection — phishing and lookalike-domain detection
- Turnstile — privacy-friendly CAPTCHA replacement
"Notice what's not here. No separate 'DDoS' tab, no separate 'Bot Management' tab. DDoS is always on. Bot scoring is built into the WAF as a signal you write rules against. One engine — not seven."
2. Security Insights
▶ CLICK: Application Security → Security Insights
"This page answers one question: 'what does my application security posture actually look like — across every domain on my account?'"
"In the old dashboard you hopped into each zone one at a time. This rolls all of it up — misconfigurations, recommendations, exposure indicators."
"This is the page I open first thing Monday morning. Not because I expect surprises — but because if there's going to be one, I want to see it before someone else does."
3. WAF
▶ CLICK: Application Security → WAF
"Heart of application security. Every request to every domain on this account flows through this engine. Several layers stacked:"
Managed Rulesets
▶ CLICK Managed Rulesets → Deploy
- Cloudflare Managed Ruleset — OWASP Top 10: SQLi, XSS, command injection. Updated by Cloudflare threat research before you'd have time to patch.
- OWASP Core Ruleset — the public OWASP rules, but tuned so you don't fight false positives.
- Exposed Credentials Check — detects logins using passwords from public breaches. Kills credential stuffing at the door.
Custom Rules
"This is where you write business logic. Block countries you don't serve. Lock /admin to your office IP. Block empty user agents. One rule can cut attack noise by 80%."
Rate Limiting
"Different question — not 'is this request bad,' but 'is this user doing this too much.' Password resets, search, checkout."
Bot signals woven through
"Every request gets a bot score 1–99. You don't configure 'bot management' separately — you write WAF rules that reference the score. 'If bot score < 30 and path is /login, block.' One decision."
4. Investigate + LIVE DEMO (the centerpiece)
▶ CLICK: Application Security → Investigate
"Investigate is the dashboard view of every security decision Cloudflare makes. Allow, block, challenge, rate-limit, log — every event with the rule that fired, country, ASN, user agent, unique Ray ID."
"Forty-eight hours of suspicious activity is two filter clicks away. When someone says 'I think we're being attacked,' you answer in about thirty seconds."
The Setup — same attack, two domains
nginx.tarheel.us
Public site. Proxied. WAF on. No Access. Think marketing site or public docs.
eve-ng.tarheel.us
Private app (EVE-NG lab). Same account, same edge. Behind Cloudflare Access.
"Same exact attack payload going to both. Watch what happens."
TEST 1 — nginx.tarheel.us (ambiguous SQLi) → 200
curl -s -o /dev/null -w "Status: %{http_code}\n" \
"https://nginx.tarheel.us/?id=1%27%20OR%20%271%27=%271"
Output: Status: 200
"Single quotes, OR '1'='1'. Textbook SQLi from every tutorial. HTTP 200. The page loaded. The attacker reached my origin."
⏸ Pause — this is the moment people get confused.
"And here's the question your audience is asking: 'Wait, Cloudflare let it through?' Let me answer it."
"The WAF doesn't block what looks suspicious. It blocks patterns that have a HIGH probability of being a real attack. Single quotes and OR appear in totally legitimate URLs — search queries, names like O'Brien, encoded forms. Block every quote in a URL and half the internet breaks."
"So the managed ruleset is calibrated. Maximize block rate on real attacks. Minimize false positives on real users."
TEST 2 — nginx.tarheel.us (UNION SELECT) → 403
curl -s -o /dev/null -w "Status: %{http_code} | Ray: %header{cf-ray}\n" \
"https://nginx.tarheel.us/?id=1+UNION+SELECT+1,2,3"
Output: Status: 403 | Ray: abc123... (copy the Ray ID for the pivot)
"HTTP 403 Forbidden. Cloudflare block page comes up — 'Sorry, you have been blocked. The action you just performed triggered the security solution.'"
▶ Pivot: Domains → tarheel.us → Security → Analytics → search the CF-RAY ID. Show the event with full forensic detail.
"Why did THIS one get blocked when the first didn't? UNION SELECT in a query string is almost never legitimate. It's the technique attackers use to dump your customer database. No real-world URL where that string belongs."
"And here's the moat — that calibration is informed by Cloudflare's view of ~20% of all internet traffic. Threat research sees attack patterns evolve in real time across millions of sites. You don't maintain this. We do."
TEST 3 — eve-ng.tarheel.us (ambiguous SQLi) → 302
curl -s -o /dev/null -w "Status: %{http_code}\nRedirect: %{redirect_url}\n" \
"https://eve-ng.tarheel.us/?id=1%27%20OR%20%271%27=%271"
Output: Status: 302 + Redirect: https://<team>.cloudflareaccess.com/...
"HTTP 302. A redirect. The application didn't respond — Cloudflare did. Look at the location header — sending the attacker to cloudflareaccess.com."
"Before any rule engine even evaluated the payload, Access intercepted: 'Who are you? Authenticate first.' The attacker can't answer — they get bounced to a login they have no chance of completing."
"The application is invisible to anyone who isn't authorized. They didn't even get to confirm the app exists, let alone try a payload."
TEST 4 — eve-ng.tarheel.us (UNION SELECT) → 403
curl -s -o /dev/null -w "Status: %{http_code}\n" \
"https://eve-ng.tarheel.us/?id=1+UNION+SELECT+1,2,3"
Output: Status: 403
"HTTP 403. The WAF still fires on this one — UNION SELECT is severe enough to trip the rule even on the protected domain."
"So eve-ng has BOTH layers in play. Access makes the door invisible to the wrong people. The WAF kills obvious attacks at the edge. Defense in depth on a single domain, in a single platform."
TEST 5 — Simulated DDoS → flood + block
for i in {1..200}; do echo -n "$i: "; curl -o /dev/null -s -w "%{http_code}\n" "http://nginx.tarheel.us/echo?blockme=npvenJAo9gMlnd5yD37xQ9P2qp3934"; done
"200 requests in a few seconds. Now let's see how Cloudflare handled them."
▶ Pivot: Domains → tarheel.us → Security → Analytics. Show the DDoS event and the blocks.
THE ARCHITECTURAL POINT
Same account. Same edge. Same family of attack payloads. Three distinct outcomes — each one the right outcome:
Public + ambiguous → 200 · WAF calibrated to not false-positive on legitimate-looking patterns
Public + unambiguous → 403 · Real attack, real block, no info leaked
Private + ambiguous → 302 · Access intercepts. Attacker can't even reach the app.
Private + unambiguous → 403 · WAF still fires at the edge. Both layers active.
"You can mix and match per domain. Public marketing site doesn't need Access. Private internal tool absolutely does. Right layer, right app, one account, one UI."
5. Infrastructure (Security Center Inventory)
▶ CLICK: Application Security → Infrastructure
"Cloudflare is auto-inventorying your infrastructure and grading it for security posture. Three columns: Domain & Proxied, Access Policy, security.txt."
Domain + Proxied
"First hygiene check: are all my public-facing domains actually being protected? If a record is DNS-only / gray cloud, Cloudflare can't protect it. You'd be surprised how often somebody flipped a record to gray cloud six months ago and never flipped it back."
Access Policy
"eve-ng.tarheel.us shows Secured — Access policy in front. That's why our curl got a 302."
"nginx.tarheel.us shows Not Secured — proxied but no Access. For a public site, that's the right design. For an internal tool, it'd be a finding."
"Cloudflare is doing inventory drift detection for me. I didn't have to hunt through twenty Access apps and forty DNS records."
security.txt
"Standard file at /.well-known/security.txt — tells security researchers how to responsibly report vulnerabilities. Cloudflare can flip it on with a toggle. Free win."
Three questions this page answers in seconds
- What public-facing infrastructure do I actually have?
- Which domains are unprotected?
- Are we following responsible disclosure standards?
6. Brand Protection (Beta)
▶ CLICK: Application Security → Brand Protection
"Class of attack most security tools just don't cover. Brand Protection watches the public internet for lookalike domains, typo-squats, phishing pages spun up to harvest your customers' credentials."
"How? Cloudflare sees an enormous share of all DNS queries — we run 1.1.1.1, plus resolve traffic for millions of domains. When a brand-new domain registers cloudfIare.com (capital I instead of lowercase L), we see it almost immediately."
"You add brands and keywords. Cloudflare matches against new domains, certificate transparency logs, and live web content. From there: block it for your users via Gateway, or trigger takedown workflows."
7. Turnstile
▶ CLICK: Application Security → Turnstile
"Privacy-friendly CAPTCHA replacement. Picking out fire hydrants doesn't stop modern automation and absolutely annoys real users."
"Small JavaScript widget you drop on any form — login, signup, contact, password reset. Runs non-interactive browser challenges in the background. Most users see nothing."
- Free, unlimited — really. No per-request charge.
- Works on any site — you don't have to be behind Cloudflare.
- Privacy-friendly — no third-party cookies, EU-compatible.
8. Closing
"This isn't a tour of seven different security products. It's one security platform, sitting in front of every request to your apps, applying every control in a single pass."
"Posture in Security Insights. Decisions in WAF. Forensics in Investigate. APIs and origin in Infrastructure. Lookalike domains in Brand Protection. Form protection in Turnstile."
"DDoS isn't a tab — it's always on. Bot management isn't a tab — it's a signal woven into every WAF rule. That's the architectural difference."
"The question isn't 'can Cloudflare replace my WAF?' It's 'why am I running six tools when one platform sees every request anyway?'"
"Nothing to install. Change your nameservers, traffic flows through Cloudflare, and from that moment on you have all of this. Sign up today, protected today."
Q&A — back-pocket answers
WAF & Rules
How is Cloudflare's WAF different from F5 / Imperva / AWS WAF?
No appliance, no scaling limits. Automatic updates from Cloudflare threat research. Deployed globally on day one. Same engine for every customer.
How do you handle false positives?
Per-rule overrides. Log-only mode for tuning before going to block. Replay against historical traffic.
Can I bring my own rules?
Yes — custom rules with the full expression language. Plus Cloudflare's managed rules underneath.
Zero-days?
Emergency rules pushed across every customer within hours. You don't patch — we do.
DDoS (always on, no tab)
How big can Cloudflare absorb?
Anycast network in 330+ cities, hundreds of Tbps capacity. Routinely mitigate attacks larger than CF's entire network was 5 years ago.
Application-layer floods?
L7 mitigation plus rate limiting and bot scoring as additional layers.
Cost during an attack?
Unmetered. We don't charge for attack traffic.
Bots
Bot score accuracy?
Trained on ~20% of all internet traffic. Data advantage is real.
Will it block Googlebot?
No — verified bots are scored separately and allowed by default.
Headless browser detection?
Yes — JA3/JA4 fingerprinting, behavioral telemetry, browser API checks.
API Shield (Infrastructure)
Do I need an OpenAPI spec?
Helps. API Discovery can also build one from observed traffic.
mTLS at scale?
Yes — managed CA, certificate issuance and validation handled by Cloudflare.
GraphQL?
Supported — schema validation, query depth limits, rate limiting per operation.
Brand Protection
How fast do new lookalikes get caught?
Often within hours of registration — Cloudflare sees DNS queries and CT log entries at scale.
Can I auto-takedown?
Workflow integrations evolving in beta. You can also push lookalikes to your Gateway block list immediately.
Turnstile
Cost? Free, even at high volume.
Do I have to be behind Cloudflare? No — works on any site.
Privacy? No third-party cookies. No persistent fingerprinting. EU-friendly.
Architecture & Trust
Where does traffic go?
Closest Cloudflare edge to the user. Encrypted in flight, decrypted only for inspection if your config allows.
Compliance?
SOC 2, ISO 27001, PCI DSS, FedRAMP Moderate, HIPAA-eligible.
Data residency?
Regional Services available — keep TLS termination in EU, US, etc.
Curveballs
Origin attacks bypassing Cloudflare?
Authenticated Origin Pulls + Origin CA + IP allowlisting. Or use Cloudflare Tunnel and remove the origin IP entirely.
What if Cloudflare goes down?
Anycast — failures are localized. Multi-region origin + DNS health checks for the rare full-region issue.
Why not AWS WAF or Akamai?
One platform, every layer, every request, no integration tax. Network advantage is structural — we see attacks no one else does.