Web Application Firewall

Web application firewall protection is important for protecting state assets exposed to the wider internet. It is a highly recommended component for any public-facing web application because, as a protocol Layer 7 defense in the OSI model, it restricts public inbound traffic’s would-be attack vectors on infrastructure to Cloudflare’s IP ranges.

The service provides a scalable and easily implemented set of core protections from common attacks, including SQL injection, cross-site scripting and distributed denial-of-service. These protections are managed and routinely updated at the enterprise level to enable additional protections from the latest exploits. It is not designed to defend against all types of attacks.

The WAF service is implemented on most web applications using a DNS proxy through Cloudflare. Changes that are made to the DNS when implementing Cloudflare can prevent the need to expose an individual load balancer or server Intrusion Protection System to the wider internet.

Implementing WAF includes powerful real-time traffic monitoring tools to identify traffic that may be getting blocked, the type of traffic it is and where it originated.

Request Web Application Firewall

Getting Help

Support Get Technical Support
NCDIT Service Desk: 919-754-6000
Support Hours 24/7
Tab/Accordion Items

NCDIT’s Web Application Firewall service is compatible with most web application configurations.


  • WAF typically protects web applications from attacks such as:
    • Cross-site forgery
    • Cross-site-scripting (XSS)
    • File inclusion
    • SQL injection
  • Detailed features covering Cloudflare’s managed rulesets (Core and OWASP) for filtering inbound web traffic to your applications can be found at: 


  • Increased security – most malicious traffic will receive a 403 (Forbidden) response and not reach your applications.
  • Improved performance – blocking malicious traffic reserves compute cycles and memory for legitimate traffic. Rate limiting rules can be optionally configured to ensure that DDoS or request flood attacks are promptly blocked upon reaching a certain time-period ratio request.
  • Simplified management – it’s easier to assess threats as well as day to day application activity with Cloudflare’s dashboard which logs application traffic in real time.

Request Process

To request this service, or for more information, submit a ticket using the NCDIT Service Portal.


Please contact the service team via the NCDIT Service Portal for more information.

Requirements & Customer Responsibility

Required NCDIT Services None
Other Technical Requirements & Prerequisites None
Customer Responsibility
  • Submit a ticket using the NCDIT Service Portal for additional support or information regarding this service. 
  • Make available the appropriate application and infrastructure administrators within the agency to assist in the implementation of the WAF service.
  • Designate at least two agency WAF administrators (primary/backup) to be onboarded for the service. NCDIT will assist in providing training and support to these users in the management of the service.

Expected Delivery

Acknowledgment Time The service team should acknowledge a service request within about 2-3 business days.
Turnaround Time The service team should be able to complete a well-defined service request within about 2-3 weeks.


Suggested For State agencies
Required For None
Spotlight Customers
  • N.C. Department of Health and Human Services
  • N.C. Department of Information Technology

Support Process
  • Submit a ticket using the NCDIT Service Portal or contact the NCDIT Service Desk at 919-754-6000.
  • NCDIT can provide expert resources to assess your application and infrastructure configuration to ensure WAF can be implemented successfully without impacting functionality.
  • If your application is behind a load balancer or utilizes session cookies, additional configuration may be required to fully implement the service.
Service Support Hours Support for the service is available 24/7.
Service Availability The service is available 24/7, excluding planned outages and maintenance windows.
Standard Maintenance Windows Not available
Service Communications
  • Changes or outages that might have an impact on customers are communicated through the NCDIT Communications Hub and Agency Change Advisory Board. 
  • The agency's admin for this service will support communications to the agency users of the service.
Service Level Agreements NCDIT Global Service Level Agreement

The service is funded through appropriated funds, and there is no cost to the agency. 

Training & Help

Understanding WAF Managed Rules

Other Related Links


Related NCDIT Services

Not available