CAI Technology
aegis · 7 min read

WAF/CDN: First Line of Defense at $0 — Cloudflare Free vs. On-Prem ModSecurity

A WAF blocks 80% of automated attacks before reaching your server. Cloudflare Free offers basic coverage at no cost; ModSecurity + OWASP CRS for those requiring full control.

CAI Technology · Last reviewed: 5/9/2026

In Short

A WAF (Web Application Firewall) is a filtering layer in front of your application that blocks automated attacks (bots, scanners, exploit kits, brute-force, SQL Injection, and XSS from OWASP wordlists). Major CDNs (Cloudflare, Akamai, Fastly) integrate WAF + DDoS protection + bot mitigation + rate limiting.

Without a WAF, your application is exposed directly to the internet — any script kiddie with Burp Suite or ZAP scans you 24/7. Imperva 2024 estimates: applications without a WAF receive ~5,000 automated attacks/day.

Cloudflare Free offers basic coverage free of charge (L3/L4 DDoS, basic WAF, bot detection), sufficient for 80% of SMB sites. For total control, ModSecurity + OWASP Core Rule Set (CRS) on-prem is the free standard.

What a WAF Blocks in 2026

1. Bot Scanners + Exploit Kits

Mirai-variant bots scan ports 80/443 all day, attempting popular CVEs (Log4Shell, Spring4Shell, ProxyLogon, Confluence). The WAF blocks these requests by signature; without one, the payload reaches the application within about 100 ms of the scan, and if the vulnerability is present the exploit succeeds immediately.

2. Brute-force Login

A bot attempts the top 1,000 passwords on /admin/login at 50 req/sec. The WAF rate-limits to 10 req/min per IP and adds a CAPTCHA. Without a WAF, the bot can attempt 4 million passwords/day — efficient credential guessing.
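As an added illustration (not code from CAI Technology or Cloudflare), the per-IP limit described above implemented as a sliding-window counter in Python and run over a constructed request stream: a bot at 50 req/s against /admin/login and one person retrying three times. The IPs, timestamps and path are constructed; the limit (10 per 60 s) is the one the text uses.

```python
from collections import defaultdict, deque

LOGIN_PATH = "/admin/login"


def constructed_requests():
    """Constructed request stream: (timestamp_s, client_ip, path).
    203.0.113.5 is a bot at 50 req/s for 3 seconds; 198.51.100.7 is a
    person who retries a login three times and fetches one static file."""
    reqs = [(i / 50.0, "203.0.113.5", LOGIN_PATH) for i in range(150)]
    reqs += [(t, "198.51.100.7", LOGIN_PATH) for t in (0.5, 12.0, 40.0)]
    reqs.append((20.0, "198.51.100.7", "/static/logo.png"))  # not rate-limited
    return sorted(reqs)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds per key (the client IP)."""

    def __init__(self, limit=10, window_s=60.0):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run(requests, limit=10, window_s=60.0, protected_path=LOGIN_PATH):
    """Apply the limiter only to the login path; return per-IP allowed/blocked counts."""
    limiter = SlidingWindowLimiter(limit, window_s)
    allowed, blocked = defaultdict(int), defaultdict(int)
    for ts, ip, path in requests:
        if path != protected_path or limiter.allow(ip, ts):
            allowed[ip] += 1
        else:
            blocked[ip] += 1
    return dict(allowed), dict(blocked)


def daily_ceiling(limit=10, window_s=60.0):
    """Upper bound on guesses one IP can make per day under the limit."""
    return int(limit * 86400 / window_s)


def unthrottled_per_day(rate_per_s=50):
    """Guesses per day at the bot's raw rate when nothing throttles it."""
    return rate_per_s * 86400


if __name__ == "__main__":
    allowed, blocked = run(constructed_requests())
    print("allowed:", allowed, "blocked:", blocked)
    print("per day: limited", daily_ceiling(), "vs unthrottled", unthrottled_per_day())
```

The bot gets its first 10 attempts through and the remaining 140 are refused; the human is never touched. One practical point: when the origin sits behind Cloudflare, the key must be the visitor address from the CF-Connecting-IP header, not the TCP peer, otherwise every request looks like it comes from a handful of Cloudflare edge IPs and the limit throttles all visitors together.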

3. SQL Injection / XSS from Wordlists

ZAP / Burp Suite with Active Scan sends standard OWASP payloads (' OR 1=1--, <script>alert(1)</script>). The WAF detects these patterns and blocks them. A WAF is not infallible against customized manual attacks, but it eliminates 95% of automated volume.
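To show how a rule set like the OWASP CRS turns "pattern detected" into a block decision, here is an added Python model (not code from CAI Technology or from the CRS project) of CRS-style anomaly scoring: each matching rule adds a severity score (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, the real CRS convention), the request is blocked once the sum reaches the inbound threshold (default 5), and rules above the configured paranoia level are skipped. The rule ids and regexes are simplified stand-ins, not real CRS rules, and the query strings are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# CRS severity scores and default inbound anomaly threshold (real CRS convention).
CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2
INBOUND_THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str         # hypothetical ids, not real CRS rule numbers
    paranoia: int        # rule is active at this paranoia level or higher
    score: int
    pattern: re.Pattern
    msg: str


# Simplified, constructed rules modelled on the kind of checks CRS performs.
RULES = [
    Rule("demo-942100", 1, CRITICAL, re.compile(r"(?i)['\"]\s*or\s+\d+\s*=\s*\d+"),
         "SQLi: boolean tautology after a quote"),
    Rule("demo-941100", 1, CRITICAL, re.compile(r"(?i)<\s*script\b"),
         "XSS: script tag"),
    Rule("demo-942440", 1, WARNING, re.compile(r"(--|/\*)"),
         "SQL comment sequence"),
    Rule("demo-942360", 2, WARNING, re.compile(r"(?i)\b(select|union|insert|drop)\b"),
         "bare SQL keyword (paranoia level 2 only)"),
]


def evaluate(params, paranoia_level=1):
    """Sum the scores of all active rules that match any parameter value.
    Each rule counts at most once per request, as in CRS."""
    score, matched = 0, []
    for rule in RULES:
        if rule.paranoia > paranoia_level:
            continue
        for name, value in params.items():
            if rule.pattern.search(value):
                score += rule.score
                matched.append((rule.rule_id, name))
                break
    return score, matched


def decide(query_string, paranoia_level=1):
    """Decode the query string (as the WAF's transformations would) and decide."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    score, matched = evaluate(params, paranoia_level)
    verdict = "BLOCK" if score >= INBOUND_THRESHOLD else "ALLOW"
    return verdict, score, matched


# Constructed requests: two scanner payloads, one benign search, one legitimate
# search that looks suspicious enough to trip a higher paranoia level.
CONSTRUCTED_REQUESTS = {
    "benign":  "q=blue+shoes&page=2",
    "sqli":    "q=%27+OR+1%3D1--",
    "xss":     "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "fp_risk": "q=select+a+wine+--+under+20+eur",
}

if __name__ == "__main__":
    for name, qs in CONSTRUCTED_REQUESTS.items():
        for pl in (1, 2):
            print(f"{name:8s} PL{pl}: {decide(qs, pl)}")
```

The "fp_risk" request is the point of the exercise: at paranoia level 1 it scores 3 and passes, at level 2 the bare-keyword rule adds 3 more and it is blocked. That trade-off between coverage and false positives is what the tuning effort in the ModSecurity section below is spent on, and it is also why manual attackers can sometimes craft inputs that stay under the threshold.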

4. L7 DDoS (Application Layer)

10,000 req/sec targeting /api/search?q=expensive_query. The CDN absorbs the traffic at the edge (Cloudflare has 248 Tbps of global capacity in 2026). An unprotected origin server falls over at 100 Mbps.

5. OWASP Top 10:2025 Patterns

CRS (Core Rule Set) comes with pre-defined rules for:

Cloudflare Free — Setup in 30 Minutes

Step 1 — Free Cloudflare Account

https://www.cloudflare.com/ → Sign Up → add your site.

Step 2 — Change NS at Registrar

Cloudflare provides 2 nameservers (e.g., lila.ns.cloudflare.com, pablo.ns.cloudflare.com). Set these at your domain registrar (RoTLD for .ro, others for .com/.eu).

Propagation: 24-48h.

Step 3 — Enable “Proxy” (Orange Cloud)

On public DNS records (A, AAAA): enable the orange cloud → traffic is proxied through Cloudflare and the origin IP is hidden.

Step 4 — Default WAF Rules

Security → WAF → “Managed Rules” activated by default:

Step 5 — Security Level

Security → Settings → Security Level: Medium, or High for sensitive assets. Bot Fight Mode = JS challenge for suspicious clients.

Step 6 — TLS Strict

SSL/TLS → Mode: Full (strict) — Cloudflare verifies the origin certificate. Do not use “Flexible” (HTTP between Cloudflare and origin = internal MITM attack risk).

Step 7 — Origin Allowlist (Defense in Depth)

On the origin firewall (iptables / nginx / cloud security group), allow only Cloudflare IPs: https://www.cloudflare.com/ips/

Thus, attackers who discover the origin IP via Censys or old DNS history cannot bypass Cloudflare.
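An added Python helper (not code from CAI Technology or Cloudflare) for this step: it parses a list of proxy ranges, emits the packet-filter rules that enforce the allowlist, emits the nginx lines that restore the visitor address from CF-Connecting-IP, and scans an access log for peers that reached the origin directly. The ranges, IPs and log lines are constructed documentation addresses, not Cloudflare's; in production, feed it the live list from https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed stand-in for the published proxy ranges (documentation prefixes,
# not Cloudflare's real ones); fetch the live list in production.
CLOUDFLARE_RANGES_SAMPLE = """
# v4
203.0.113.0/24
198.51.100.0/25
# v6
2001:db8:cf::/48
"""

# Constructed nginx access log (combined format); field 1 is the TCP peer.
ACCESS_LOG_SAMPLE = """\
203.0.113.45 - - [09/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [09/May/2026:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.77 - - [09/May/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"
"""


def parse_ranges(text):
    """One CIDR per line; blank lines and # comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_allowed(peer_ip, nets):
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in n for n in nets)


def iptables_commands(nets, ports=(80, 443)):
    """Accept web traffic only from the proxy ranges, then drop the rest.
    Enforce the allowlist here, at the packet filter, on the real TCP peer."""
    cmds = []
    for n in nets:
        tool = "ip6tables" if n.version == 6 else "iptables"
        for port in ports:
            cmds.append(f"{tool} -A INPUT -p tcp --dport {port} -s {n} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        for port in ports:
            cmds.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return cmds


def nginx_realip_snippet(nets):
    """ngx_http_realip_module: trust CF-Connecting-IP only from proxy ranges, so
    logs and per-IP rate limits see the visitor, not the edge node. Do NOT pair
    this with nginx allow/deny for the allowlist: once the real IP is restored,
    allow/deny would evaluate the visitor address and deny everyone."""
    lines = [f"set_real_ip_from {n};" for n in nets]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)


def direct_hits(log_text, nets):
    """Peers in the access log that did not arrive through the proxy. If this is
    non-empty after the packet filter is in place, the filter has a gap."""
    return [line.split(" ", 1)[0] for line in log_text.splitlines()
            if line.strip() and not is_allowed(line.split(" ", 1)[0], nets)]


if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_RANGES_SAMPLE)
    print("\n".join(iptables_commands(nets)))
    print(nginx_realip_snippet(nets))
    print("direct hits:", direct_hits(ACCESS_LOG_SAMPLE, nets))
```

In a real ruleset, put the ACCEPT lines after your ESTABLISHED,RELATED rule (or load the ranges into an ipset so updates do not mean rewriting the chain), and schedule a refresh of the list, since the published ranges change occasionally.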

ModSecurity On-Prem — For Total Control

Advantages: zero external dependency, local logs, total rule customization. Disadvantages: ops effort, does not cover L3/L4 DDoS (additional network layer required).

Setup nginx + ModSecurity (Debian/Ubuntu)

sudo apt install libmodsecurity3 libnginx-mod-http-modsecurity

Enable in nginx config (load_module belongs at the top of nginx.conf, in the main context, not inside a server block):

load_module modules/ngx_http_modsecurity_module.so;

server {
    modsecurity on;                                       # enable the engine for this vhost
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # rule entry point
}

Add OWASP Core Rule Set:

git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/modsec/owasp-crs
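The clone by itself loads nothing: main.conf, the file the server block points at, has to include the engine configuration and the CRS files. An added example of that file, not from the page or the CRS project; the paths assume the layout above, modsecurity.conf is a copy of the upstream modsecurity.conf-recommended (together with its unicode.mapping file), and crs-setup.conf is a copy of the crs-setup.conf.example shipped in the repository:

```nginx
# /etc/nginx/modsec/main.conf  (added example; paths assume the layout above)

# Engine settings. The upstream default is SecRuleEngine DetectionOnly:
# leave it there during tuning and switch to On once the audit log is clean.
Include /etc/nginx/modsec/modsecurity.conf

# CRS global settings (paranoia level, anomaly thresholds), then the rules.
Include /etc/nginx/modsec/owasp-crs/crs-setup.conf
Include /etc/nginx/modsec/owasp-crs/rules/*.conf
```

Run nginx -t after each change, and during the tuning period watch the file named by SecAuditLog in modsecurity.conf for false positives before enabling blocking.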

Effort: 2-3 days setup + tuning. Maintenance: regular CRS rule updates (recommended quarterly).

Recommendations for Your Case

Organization profile → Recommendation

SMB (under 50 employees), marketing/blog site → Cloudflare Free
Medium e-commerce / B2B SaaS (50-500 employees) → Cloudflare Pro ($20/month) or AWS WAF ($5/month + per request)
Enterprise, regulated (PCI-DSS Level 1) → Cloudflare Enterprise, Imperva, or F5 BIG-IP
Org with strict no-third-party-CDN compliance → ModSecurity + OWASP CRS on-prem

PCI-DSS 4.0 Req. 6.6 explicitly requires “public-facing web apps protected by automated solution”, i.e., a WAF is mandatory for organizations that process card data.

Common Misconceptions

“Cloudflare slows down my site.” — The opposite. CDN caches at the edge → the user receives responses from the nearest Cloudflare node (Bucharest for RO users), not from the origin in New York. Average latency decreases by 30-60%.

“I have to give Cloudflare my customer data.” — Cloudflare does not see cached content (which is public anyway). For private data, traffic only transits (TLS termination at Cloudflare → re-encryption to the origin). Cloudflare’s DPA is GDPR-compliant, and EU-only routing is available.

“WAF doesn’t protect against customized manual attacks.” — True. A WAF blocks ~95% of attack volume (all of it automated). Experienced manual attackers can bypass it. Solution = WAF + manual pentest with contractual authorization + monitoring + internal IDS/IPS.

Check Now

ARTEMIS detects WAF/CDN presence in any Site scan (2 EUR) — signatures for Cloudflare, Akamai, Sucuri, Imperva, F5 BIG-IP, Fastly, and others.

tehnic@caitech.ro


We start with a 30-minute conversation.

Free AI-readiness audit for companies with 50+ employees. We reply within 24 hours.