Cloudflare's Always-On WAF: No More Log vs. Block

Alps Wang

Mar 5, 2026

The Always-On Detection Revolution

Cloudflare's 'Attack Signature Detection' represents a substantial leap forward in Web Application Firewall (WAF) capabilities by fundamentally altering the detection-mitigation paradigm. The core innovation lies in decoupling detection from immediate blocking, allowing for comprehensive logging and analysis of all potential threats without the prior constraint of choosing between visibility (logging mode) and immediate protection (blocking mode). This 'always-on' framework, which enriches every request with rich detection metadata before any action is taken, promises to streamline the onboarding process for new applications, reduce the risk of false positives through historical data analysis, and empower security teams with more granular control over their security posture. The introduction of 'Full-Transaction Detection' further elevates this by analyzing both request and response, enabling the identification of sophisticated attacks and misconfigurations that traditional request-only WAFs would miss.
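To make the decoupling concrete, here is a small model of an always-on pipeline: every transaction passes through a detection stage that only attaches metadata (matched signatures, a score, and response corroboration), and a separate policy stage decides whether to allow, log, or block. This is an added illustration, not Cloudflare's implementation or ruleset; the signature patterns, score weights, thresholds, and sample requests are all constructed for the example, and the response check stands in for the "Full-Transaction Detection" idea of using the response as corroborating evidence.

```python
"""Toy always-on WAF pipeline: detection enriches, policy decides (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed, deliberately simple signatures. A real WAF normalizes and decodes
# input first and uses a far larger ruleset; these only make the stages concrete.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|\bon\w+\s*=\s*['\"]|javascript:)"),
    "path_traversal": re.compile(r"(?i)((\.\./){2,}|%2e%2e%2f)"),
}
# Response-side hints that a database error leaked (constructed list).
DB_ERROR_HINTS = re.compile(r"(?i)(syntax error|sql|mysql_fetch|ora-\d{5}|unterminated quoted string)")


@dataclass
class Request:
    path: str
    query: str
    body: str = ""


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class Detection:
    """Metadata attached to every transaction, whatever action is later taken."""
    signatures: List[str] = field(default_factory=list)  # matched signature names
    score: int = 0                                       # higher = more attack-like
    response_corroborated: bool = False                  # full-transaction evidence


def detect_request(req: Request) -> Detection:
    """Stage 1: always-on request detection. Never blocks; only enriches."""
    det = Detection()
    haystack = f"{req.path}?{req.query}\n{req.body}"
    for name, pattern in SIGNATURES.items():
        if pattern.search(haystack):
            det.signatures.append(name)
            det.score += 40  # constructed weight
    return det


def detect_response(det: Detection, resp: Response) -> Detection:
    """Stage 1b: full-transaction detection. An SQLi-shaped request followed by a
    database error in the response is much stronger evidence than the request alone,
    so the response raises the score. Note that by this point the request has already
    reached the origin; a "block" here can only withhold the response from the client."""
    if "sqli" in det.signatures and resp.status >= 500 and DB_ERROR_HINTS.search(resp.body):
        det.response_corroborated = True
        det.score += 40  # constructed weight
    return det


@dataclass
class Policy:
    """Stage 2: mitigation is a separate decision over the metadata (constructed thresholds)."""
    block_threshold: int = 80
    log_threshold: int = 1


def decide(det: Detection, policy: Policy) -> str:
    if det.score >= policy.block_threshold:
        return "block"
    if det.score >= policy.log_threshold:
        return "log"
    return "allow"


def process(req: Request, resp: Response, policy: Policy) -> Tuple[Detection, str]:
    det = detect_response(detect_request(req), resp)
    return det, decide(det, policy)


def simulate_block_policy(history: List[Detection], threshold: int) -> int:
    """Onboarding aid: because detections are recorded even when nothing is blocked,
    a team can ask how many past transactions a candidate threshold would have blocked
    before turning blocking on. Returns that count."""
    return sum(1 for d in history if d.score >= threshold)


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        (Request("/search", "q=shoes"), Response(200, "ok")),
        (Request("/login", "user=admin' OR 1=1 --"), Response(500, "SQL syntax error near 'OR'")),
        (Request("/item", "id=1", "<script>alert(1)</script>"), Response(200, "ok")),
    ]
    history = []
    for req, resp in samples:
        det, action = process(req, resp, Policy())
        history.append(det)
        print(f"{req.path:<10} signatures={det.signatures} score={det.score} action={action}")
    print("would block at threshold 80:", simulate_block_policy(history, 80))
    print("would block at threshold 40:", simulate_block_policy(history, 40))
```

The point of the split is that `detect_request` and `detect_response` run on every transaction and write metadata regardless of what `decide` returns, so the same records that drive logging today are the evidence for choosing `block_threshold` tomorrow; `simulate_block_policy` is the "what would this rule have done" question that the log-versus-block trade-off previously made hard to answer.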

While the benefits are clear, a potential concern might be the operational overhead for customers to effectively leverage the vast amount of metadata generated. Although Cloudflare provides Security Analytics and the Edge Rules Engine, the efficacy of this new system hinges on users' ability to interpret and act upon this data. Furthermore, the article mentions that 'detection is enabled by default but does not impact traffic performance' if no blocking rule is created, and 'upon onboarding... the detection is enabled by default'. This default enablement, even without immediate blocking impact, could still introduce a subtle performance consideration for extremely high-traffic scenarios or applications sensitive to even minimal processing overhead. The transition to 'always-on' also implies a greater reliance on Cloudflare's infrastructure and processing capabilities, which, while generally robust, could be a factor for organizations with specific data residency or control requirements. Nevertheless, the move toward a more intelligent, context-aware, and less intrusive security posture is a significant advancement.

This new approach is particularly beneficial for organizations that have struggled with the manual tuning and false positive management inherent in traditional WAFs. Developers will appreciate the reduced friction in deploying new applications, as the system provides immediate visibility into potential threats without requiring extensive pre-configuration. Security teams gain a more powerful tool for understanding attack patterns, proactively identifying vulnerabilities, and creating highly customized mitigation policies. The comparison to existing solutions is stark: traditional WAFs force a compromise, whereas Cloudflare's Attack Signature Detection offers a unified approach to visibility and protection. The ongoing development of Full-Transaction Detection signals a commitment to addressing increasingly complex threats, making this a critical update for anyone serious about web application security.

Key Points

  • Cloudflare introduces "Attack Signature Detection," an "always-on" WAF framework that decouples detection from mitigation.
  • This eliminates the traditional trade-off between visibility (log mode) and protection (block mode).
  • The system inspects every request for malicious payloads, attaching rich metadata for analysis without impacting performance by default.
  • "Full-Transaction Detection" analyzes both request and response to reduce false positives and uncover sophisticated threats.
  • Security Analytics and Edge Rules Engine are provided to help users analyze data and create custom mitigation policies.
  • The new system aims to simplify WAF onboarding and enhance confidence in deploying new security rules.

📖 Source: Always-on detections: eliminating the WAF “log versus block” trade-off
