Cloudflare's Web Application Firewall (WAF) is designed to protect against various layer 7 attacks by utilizing a suite of tools including managed, custom, and rate-limiting rules, all built on the Rulesets engine. These tools help mitigate attacks by executing actions when rule expressions are matched, but they can also generate false positives due to the high volume of requests processed. To address this, Cloudflare has introduced payload logging, which provides detailed insights into which specific request fields triggered a rule, thereby aiding in fine-tuning rules and reducing ambiguities. The underlying technology includes a compiler written in Rust, which supports the evaluation and re-evaluation of expressions, logging fields that match rule conditions. These logs, encrypted with customer-provided public keys, can be decrypted and analyzed through various methods, allowing customers to better understand rule matches and refine their WAF configurations. Improvements have been made to handle array-type fields, enhancing the precision and clarity of the logging process.