Application security: Cloudflare’s view

Cloudflare, a platform used by developers, bloggers, business owners, and large corporations for security and performance purposes, has reported that 80.6% of all websites use its reverse proxy service. The company's network processes around 32 million HTTP requests per second on average, with more than 44 million at peak times. Of these, approximately 8% are mitigated by Cloudflare to protect against unwanted or malicious traffic. Layer 7 DDoS mitigation is the largest contributor to mitigated HTTP requests, accounting for 66% of the total count. Custom WAF Rules contribute to more than 19%, while Rate Limiting accounts for 10.5%. IP Threat Reputation and Managed WAF Rules each account for around 2.5% and 1.5% respectively. HTTP anomalies are the most common attack vector, with over 54% of HTTP requests blocked by Cloudflare's Managed WAF Rules containing such anomalies. More commonly known attack vectors like XSS and SQLi contribute to about 13% of total mitigated requests. Businesses still rely on IP address-based access lists to protect their assets, with the source IP address or fields easily derived from it being used in approximately 64% of all custom rules. Bot traffic accounted for around 38% of all HTTP requests during the time period analyzed, with customers allowing 41% of bot traffic to pass through to their origins while blocking only 6.4%. More than a third of non-verified bot HTTP traffic is mitigated by Cloudflare's network. API traffic trends showed that API endpoints globally receive more malicious requests compared to standard web applications (10% vs 8%) and that SQL injection attacks are the most common attack vector on API endpoints, with command injection attacks also being much more prominent.