# Cloudflare WAF Baseline

## Purpose

A hardened, reproducible baseline for Web Application Firewall (WAF) configuration across VaultMesh, OffSec, and associated domains.

---

## 1. Core WAF Mode

- OWASP Core Ruleset: **Enabled (latest version)**
- Paranoia Level: **1 (default)**; raise to 2 for internal/admin surfaces only after running it in log-only mode and adding exclusions for the false positives it produces
- Bot Protection: **Enabled**
- Super Bot Fight Mode: **Enabled (if plan supports)**
- API Shield: **Enabled on `/api/*` paths**

---

## 2. Mandatory Managed Rules

- Cloudflare Managed Ruleset: **Enabled**, with the following categories set to Block:
  - Directory Traversal
  - SQL Injection
  - XSS
  - File Inclusion
  - Broken Authentication
  - Common Vulnerabilities

---

## 3. Custom Firewall Rules (Baseline)

Expressions below are written in Cloudflare's rule language. `$trusted_admin_ips` is an IP list that must exist in the account before the admin rule is deployed; a rule referencing a missing list will not save.

### Block non-HTTPS

```
Expression: (not ssl)
Action: Block
```

Enable "Always Use HTTPS" as well so ordinary clients are redirected rather than dropped; this rule is the backstop for anything that still reaches the WAF in plaintext.

### Restrict admin panels

```
Expression: (http.request.uri.path starts_with "/admin" and not ip.src in $trusted_admin_ips)
Action: Block
```

`starts_with` is used instead of `contains` so that unrelated paths such as `/static/admin.css` are not caught; anything under `/admin` from outside the list is blocked.

### Rate-limit API endpoints

```
Expression: (http.request.uri.path starts_with "/api/")
Characteristics: ip.src
Period: 10 seconds
Requests per period: 30
Action: Block
Mitigation timeout: 60 seconds
```

### Challenge suspicious countries

```
Expression: (ip.src.country in {"CN" "RU" "KP" "IR"})
Action: Managed Challenge
```

---

## 4. TLS Settings

- TLS Mode: **Full (strict)** (the origin must present a certificate that Cloudflare trusts, e.g. a Cloudflare Origin CA certificate; "Full" without strict does not validate the origin certificate)
- Minimum TLS Version: **1.2**
- HSTS: Enabled, `max-age` of 1 year (31536000 seconds) with `includeSubDomains`. Confirm every subdomain serves HTTPS before enabling `includeSubDomains`; browsers cache the policy for the full year.
- Keyless SSL (edge private key held on a customer-run key server): Optional (if needed)

---

## 5. Logging & Metrics

- Logpush to R2/SIEM: Enabled (Firewall Events dataset at minimum)
- Track:
  - WAF rule matches
  - Rate-limit triggers
  - Bot detections
  - Country spikes
- Alerts:
  - 10× spike in WAF blocks relative to the trailing baseline
  - Repeated blocks for the same URI

---

## 6. Change-Control

All modifications:

1. Must be captured in a VaultMesh receipt
2. Weekly WAF snapshot → anchored
3. Changes to the OffSec cluster require dual approval
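The TLS settings and custom rules in sections 3 and 4 can drift silently through the dashboard, and the weekly snapshot in section 6 is only useful if something compares it against the baseline. The following drift checker is an added example for this page, not code from the baseline document or from Cloudflare. It reads the zone's settings through the documented Cloudflare v4 API endpoints (the `CF_ZONE_ID` and `CF_API_TOKEN` environment variable names and the `$trusted_admin_ips` list name are assumptions) and reports every deviation; the comparison itself is a pure function, so it also runs offline against a saved snapshot such as the constructed `SAMPLE_SNAPSHOT` below, which deliberately contains two deviations.

```python
"""Drift check for the WAF baseline above (sections 3 and 4).

Added example for this page, not part of the baseline document or of any
Cloudflare tooling. It reads the zone's TLS settings and WAF custom rules
through the Cloudflare v4 API (documented endpoints; the zone ID and API
token come from assumed environment variables) and reports every deviation
from the baseline. The comparison is a pure function, so it also runs offline
on a saved snapshot such as the constructed SAMPLE_SNAPSHOT below.
"""
from __future__ import annotations

import json
import os
import urllib.request
from typing import Any

API = "https://api.cloudflare.com/client/v4"

MIN_TLS = "1.2"
HSTS_MIN_AGE = 31_536_000  # one year, in seconds

# Baseline custom rules: an expression fragment that must appear, and the action.
# Substring matching tolerates whitespace and parenthesis differences, but it will
# not notice an added "or true" clause; review the full expression in the snapshot.
REQUIRED_RULES = {
    "block non-HTTPS": ("not ssl", "block"),
    "restrict admin": ('http.request.uri.path starts_with "/admin"', "block"),
    "challenge countries": ('ip.src.country in {"CN" "RU" "KP" "IR"}', "managed_challenge"),
}


def _get(zone_id: str, token: str, path: str) -> Any:
    """GET one zone-scoped resource and return its `result` payload (network call)."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}{path}", headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error on {path}: {body.get('errors')}")
    return body["result"]


def fetch_snapshot(zone_id: str, token: str) -> dict:
    """Collect the settings the baseline cares about into one plain dict."""
    return {
        "ssl": _get(zone_id, token, "/settings/ssl")["value"],
        "min_tls_version": _get(zone_id, token, "/settings/min_tls_version")["value"],
        "security_header": _get(zone_id, token, "/settings/security_header")["value"],
        "custom_rules": _get(
            zone_id, token, "/rulesets/phases/http_request_firewall_custom/entrypoint"
        ).get("rules", []),
    }


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def check_snapshot(snap: dict) -> list[str]:
    """Return drift findings in baseline order; an empty list means compliant."""
    findings: list[str] = []
    if snap["ssl"] != "strict":
        findings.append(f"TLS mode is {snap['ssl']!r}, baseline requires 'strict'")
    if _version(snap["min_tls_version"]) < _version(MIN_TLS):
        findings.append(f"minimum TLS is {snap['min_tls_version']}, baseline requires {MIN_TLS}")
    hsts = snap["security_header"].get("strict_transport_security", {})
    if not hsts.get("enabled"):
        findings.append("HSTS is disabled")
    else:
        if hsts.get("max_age", 0) < HSTS_MIN_AGE:
            findings.append(f"HSTS max_age {hsts.get('max_age', 0)} is below one year")
        if not hsts.get("include_subdomains"):
            findings.append("HSTS includeSubDomains is off")
    for name, (fragment, action) in REQUIRED_RULES.items():
        matches = [r for r in snap["custom_rules"] if fragment in r.get("expression", "")]
        if not matches:
            findings.append(f"custom rule missing: {name}")
        elif not any(r.get("enabled", True) and r.get("action") == action for r in matches):
            findings.append(f"custom rule {name!r} present but disabled or wrong action")
    return findings


# Constructed snapshot with two deliberate deviations: TLS 1.0 still allowed and
# the admin rule disabled. Shapes mirror the API `result` fields used above.
SAMPLE_SNAPSHOT = {
    "ssl": "strict",
    "min_tls_version": "1.0",
    "security_header": {
        "strict_transport_security": {"enabled": True, "max_age": 31536000, "include_subdomains": True}
    },
    "custom_rules": [
        {"expression": "(not ssl)", "action": "block", "enabled": True},
        {"expression": '(http.request.uri.path starts_with "/admin" and not ip.src in $trusted_admin_ips)',
         "action": "block", "enabled": False},
        {"expression": '(ip.src.country in {"CN" "RU" "KP" "IR"})', "action": "managed_challenge", "enabled": True},
    ],
}

if __name__ == "__main__":
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")  # assumed names
    snap = fetch_snapshot(zone, token) if zone and token else SAMPLE_SNAPSHOT
    findings = check_snapshot(snap)
    for finding in findings:
        print("DRIFT:", finding)
    raise SystemExit(1 if findings else 0)
```

Run with the two environment variables set to check a live zone, or without them to see the two findings the sample snapshot produces. The API token only needs zone-level read permission for Zone Settings and Zone WAF. The managed ruleset settings from sections 1 and 2 live in a different phase (`http_request_firewall_managed`) and are not covered here.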
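Section 5 names two alert conditions, a 10× spike in WAF blocks and repeated blocks for the same URI, but not how to compute them from the Logpush stream. The detector below is an added example for this page, not code from the baseline or from Cloudflare. Field names (`Datetime`, `Action`, `ClientIP`, `ClientRequestPath`, `ClientCountry`, `RuleID`, `Source`) follow the Firewall Events Logpush dataset; the records in `SAMPLE_LOG` are constructed, and the one-minute window, the five-repeat threshold and the set of action labels treated as mitigations are assumptions to tune per zone.

```python
"""Alerting over Cloudflare Firewall Events Logpush records (section 5).

Added example for this page, not part of the baseline or of Cloudflare's tooling.
Field names follow the Firewall Events Logpush dataset; the records in SAMPLE_LOG
are constructed, and the windows, thresholds and action labels are assumptions.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Action labels counted as mitigations (assumed to match the dataset's values).
BLOCKING_ACTIONS = {"block", "managed_challenge", "challenge", "jschallenge"}
WINDOW_SECONDS = 60          # bucket size for counting blocks
SPIKE_FACTOR = 10            # the "10x spike" from the baseline document
REPEAT_URI_THRESHOLD = 5     # same path blocked this often in one window -> alert


def parse_events(ndjson: str) -> list[dict]:
    """Parse Logpush NDJSON and attach an epoch timestamp under `_ts`."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Logpush emits RFC 3339 by default; fromisoformat wants +00:00 rather than Z.
        ev["_ts"] = datetime.fromisoformat(ev["Datetime"].replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return events


def bucket_blocks(events: list[dict], window: int = WINDOW_SECONDS) -> dict[int, list[dict]]:
    """Group mitigated events (blocks and challenges) by fixed time window."""
    buckets: dict[int, list[dict]] = defaultdict(list)
    for ev in events:
        if ev.get("Action") in BLOCKING_ACTIONS:
            buckets[int(ev["_ts"] // window)].append(ev)
    return dict(buckets)


def _window_label(key: int, window: int = WINDOW_SECONDS) -> str:
    return datetime.fromtimestamp(key * window, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_spikes(buckets: dict[int, list[dict]], factor: int = SPIKE_FACTOR) -> list[str]:
    """Flag a window whose block count is at least `factor` times the mean of all earlier windows.

    Empty windows count as zero so a quiet period keeps the baseline honest; the first
    window has no history and is never flagged.
    """
    alerts: list[str] = []
    if not buckets:
        return alerts
    first, last = min(buckets), max(buckets)
    seen: list[int] = []
    for key in range(first, last + 1):
        count = len(buckets.get(key, []))
        if seen:
            baseline = sum(seen) / len(seen)
            if baseline > 0 and count >= factor * baseline:
                alerts.append(f"spike: {count} blocks at {_window_label(key)} vs baseline {baseline:.1f}/window")
        seen.append(count)
    return alerts


def detect_repeated_uri(buckets: dict[int, list[dict]], threshold: int = REPEAT_URI_THRESHOLD) -> list[str]:
    """Flag any path blocked `threshold` or more times within one window."""
    alerts: list[str] = []
    for key in sorted(buckets):
        for path, n in Counter(ev.get("ClientRequestPath") for ev in buckets[key]).items():
            if n >= threshold:
                alerts.append(f"repeated blocks: {path} blocked {n} times at {_window_label(key)}")
    return alerts


def run_alerts(ndjson: str) -> list[str]:
    buckets = bucket_blocks(parse_events(ndjson))
    return detect_spikes(buckets) + detect_repeated_uri(buckets)


def _ev(ts: str, action: str, path: str, ip: str, source: str = "firewallcustom") -> str:
    """One constructed Firewall Events record as a JSON line."""
    return json.dumps({"Datetime": ts, "Action": action, "ClientIP": ip, "ClientRequestPath": path,
                       "ClientCountry": "us", "RuleID": "example-rule", "Source": source})


# Constructed sample: two quiet minutes, then a burst of 12 blocks in 00:02, seven of them
# against /admin/login. The "allow" and "log" records must not count toward either alert.
SAMPLE_LOG = "\n".join(
    [_ev("2024-01-01T00:00:05Z", "block", "/api/users", "198.51.100.1"),
     _ev("2024-01-01T00:00:07Z", "allow", "/", "198.51.100.2"),
     _ev("2024-01-01T00:01:10Z", "block", "/api/orders", "198.51.100.3")]
    + [_ev(f"2024-01-01T00:02:{s:02d}Z", "block", "/admin/login", "203.0.113.9") for s in range(7)]
    + [_ev(f"2024-01-01T00:02:{10 + s:02d}Z", "block", f"/api/v1/item{s}", f"203.0.113.{20 + s}") for s in range(5)]
    + [_ev("2024-01-01T00:02:30Z", "log", "/admin/login", "203.0.113.9")]
)

if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_LOG):
        print(alert)
```

The spike detector compares each window against the mean of everything before it, which is enough for a batch run over one Logpush file; a scheduled job should instead keep a rolling baseline (for example the previous 24 hours of windows) so that a sustained attack does not become its own baseline. Country spikes can be added in the same shape by counting `ClientCountry` per window.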