AI Security for Apps is now generally available
📖 Practical Guide · Mar 11, 2026 · 6 min read

How to Secure AI-Powered Apps with Cloudflare AI Security for Apps (Now GA)

TL;DR

  • Enable free AI endpoint discovery in the Cloudflare dashboard to instantly find all LLM-powered endpoints across your web properties.
  • Use the always-on detection engine (prompt injection, PII leakage, toxic content, and new custom topics) to inspect traffic to those endpoints.
  • Write simple WAF rules that block or log malicious/off-policy prompts in real time.

AI Security for Apps is now generally available. You can start protecting your AI applications today without changing any code.

Prerequisites

  • A Cloudflare account (Free, Pro, Business, or Enterprise)
  • At least one domain or application proxied through Cloudflare (orange-clouded)
  • Traffic flowing to your AI-powered endpoints (the discovery engine needs real traffic to work reliably)
  • Basic familiarity with Cloudflare’s WAF rule builder (no coding required)

Step 1: Turn on AI Endpoint Discovery (Free for Everyone)

Cloudflare now automatically discovers LLM-powered endpoints across any plan.

  1. Log in to the Cloudflare dashboard.
  2. Go to Security → Web Assets.
  3. Click the AI Discovery tab (or simply navigate to the Discovery page if you’re on a Free plan).

Discovery behaves differently by plan:

  • Free plan: Discovery starts the moment you visit the page.
  • Paid plans: Discovery runs automatically in the background on a recurring schedule.

Once complete, you will see endpoints labeled cf-llm.

Note: Discovery looks at behavioral patterns, not just URL paths like /chat/completions. This catches AI features hidden inside product search, recommendation engines, pricing calculators, or internal agents.

Expected result: A list of discovered AI endpoints with metadata such as traffic volume and first-seen date.

Step 2: Review Discovered AI Endpoints

For each cf-llm endpoint you will see:

  • The full URL/path
  • Hosting model/provider (when detectable)
  • Volume of AI-specific traffic

Review this list carefully. Many organizations discover shadow AI endpoints they didn’t realize were internet-facing.

Action item: Export the list or take a screenshot for your security and engineering teams.

Step 3: Enable AI Security Detections

AI Security for Apps uses an always-on detection layer that inspects every prompt sent to discovered endpoints.

Built-in detections include:

  • Prompt injection attempts
  • PII exposure (names, emails, credit cards, API keys, etc.)
  • Toxic or harmful content
  • New in GA: Custom topics detection

To activate protection:

  1. Go to Security → AI Security for Apps (the new dedicated section).
  2. Ensure the feature is toggled On for your zone.
  3. (Optional but recommended) Define your first Custom Topic.

Creating a Custom Topic (New GA Feature)

Custom topics let you enforce business-specific policies.

Example: Block any prompt that discusses “competitor pricing” or “patient health records.”

In the dashboard:

  • Click Create Custom Topic
  • Give it a name (e.g., Competitor-Mention)
  • Provide 3–10 example phrases or keywords that represent the topic
  • Choose the severity (Low / Medium / High)
  • Save

Cloudflare’s model will now detect semantically related prompts, not just exact keyword matches.

Step 4: Write WAF Rules to Enforce Your Policy

The real power comes from turning detection metadata into actions using Cloudflare’s familiar WAF.

Go to Security → WAF → Custom rules.

Practical rule examples:

Rule 1: Block high-confidence prompt injections

(http.host eq "api.example.com" and cf.ai.detection.prompt_injection eq "high")

Action: Block
Description: “Block AI prompt injection attempts”

Rule 2: Log PII leakage attempts

(cf.ai.detection.pii eq "medium" or cf.ai.detection.pii eq "high")

Action: Log (or Managed Challenge on lower-confidence hits)

Rule 3: Enforce custom topic policy (new)

(cf.ai.detection.custom_topic eq "Competitor-Mention" and cf.ai.detection.score gt 70)

Action: Block

You can combine multiple conditions and use the new cf.ai.* fields that appear automatically once AI Security is enabled.

Tip: Start with Log actions for the first 24–48 hours to measure false-positive rates before switching to Block.

Step 5: Monitor and Iterate

After rules are deployed:

  1. Go to Security → Overview or AI Security → Analytics.
  2. Filter by cf-llm endpoints.
  3. Review the new AI-specific graphs showing:
    • Detected threats by type
    • Top custom topics triggered
    • Blocked vs. logged requests
    • Geographic distribution of malicious prompts

Use this data to refine your custom topics and tighten WAF rules.
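The log-first rollout recommended in Step 4 only pays off if you actually compute something from the logged hits. The script below is an added example, not code from Cloudflare or from the original guide: it replays analyst-triaged Log-mode events against candidate thresholds, reports the precision, recall and false-positive rate each threshold would have produced, picks the lowest threshold that fits a false-positive budget, and renders the rule in the shape of Rule 3 above with that threshold. The event shape (`score`, `is_attack`), the `Event` class and the ten sample events are constructed assumptions for this example; the `cf.ai.*` field names are copied from the rule examples above exactly as the page writes them.

```python
# Added example (not Cloudflare's code): pick a Block threshold from Log-mode data.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """One logged AI Security hit after an analyst has triaged it.

    `score` and `is_attack` are assumed field names for this example; map them
    from whatever your log export actually contains.
    """
    request_id: str
    score: int        # detection confidence, 0-100
    is_attack: bool   # triage verdict: was the prompt really off-policy?


# Constructed sample of 10 triaged hits (not real traffic).
SAMPLE_EVENTS = [
    Event("r01", 95, True),
    Event("r02", 88, True),
    Event("r03", 75, True),
    Event("r04", 72, False),   # benign prompt that scored high: a false positive at "gt 70"
    Event("r05", 60, False),
    Event("r06", 55, True),    # real attack that a "gt 70" rule would miss
    Event("r07", 40, False),
    Event("r08", 30, False),
    Event("r09", 10, False),
    Event("r10", 5, False),
]


def evaluate_threshold(events: Iterable[Event], threshold: int) -> dict:
    """Replay the log: what would `score gt threshold` with action Block have done?"""
    tp = fp = fn = tn = 0
    for e in events:
        would_block = e.score > threshold
        if would_block and e.is_attack:
            tp += 1
        elif would_block:
            fp += 1
        elif e.is_attack:
            fn += 1
        else:
            tn += 1
    benign, attacks, blocked = fp + tn, tp + fn, tp + fp
    return {
        "threshold": threshold,
        "blocked": blocked,
        "true_positives": tp,
        "false_positives": fp,
        "missed_attacks": fn,
        "precision": tp / blocked if blocked else None,   # None: nothing would be blocked
        "recall": tp / attacks if attacks else None,
        "false_positive_rate": fp / benign if benign else 0.0,
    }


def pick_threshold(events, max_false_positive_rate=0.05, candidates=range(0, 100, 5)):
    """Lowest candidate threshold (widest coverage) whose FP rate stays within budget.

    Returns None when no candidate meets the budget: the rule is not ready for Block.
    """
    events = list(events)  # the iterable is replayed once per candidate
    for t in candidates:
        if evaluate_threshold(events, t)["false_positive_rate"] <= max_false_positive_rate:
            return t
    return None


def waf_expression(topic: str, threshold: int) -> str:
    """Render the rule in the shape of the page's Rule 3, with the tuned threshold."""
    return (f'(cf.ai.detection.custom_topic eq "{topic}" '
            f'and cf.ai.detection.score gt {threshold})')


if __name__ == "__main__":
    for t in (50, 70, 80):
        print(evaluate_threshold(SAMPLE_EVENTS, t))
    chosen = pick_threshold(SAMPLE_EVENTS, max_false_positive_rate=0.05)
    print("lowest threshold within a 5% false-positive budget:", chosen)
    print(waf_expression("Competitor-Mention", chosen))
```

On the constructed sample, the page's "gt 70" would block one benign prompt and miss one real attack; a 5% false-positive budget pushes the threshold to 75, while a looser 20% budget allows 60 and recovers the missed attack. Re-run this against the real export each time you extend a custom topic's example phrases, since the score distribution shifts with the topic definition.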

Tips and Best Practices

  • Start broad: Enable discovery on all zones first, then narrow protection to production AI endpoints.
  • Require minimum traffic: Endpoints need sufficient valid traffic before reliable classification. If an endpoint isn’t appearing, drive some legitimate traffic to it first.
  • Combine with existing WAF rules: AI Security metadata works alongside your normal bot management, rate limiting, and SQLi/XSS rules.
  • Agentic apps need stricter policies: If your AI can call tools (refund processing, account updates, data export), treat every high-confidence detection as critical.
  • Document custom topics: Create a shared list of topics with examples so security, legal, and product teams stay aligned.
  • Test in staging: Duplicate your production rules in a staging subdomain and test with known prompt-injection examples from the OWASP LLM Top 10.

Common Issues

Why am I not seeing any cf-llm endpoints?
Your AI endpoints may not have received enough traffic yet, or they are not proxied through Cloudflare. Drive some real traffic and refresh the Discovery page. Free-plan users must visit the page to trigger discovery.

Why is my custom topic not triggering?
Custom topics work best with 5+ high-quality example phrases. Use full sentences rather than single keywords. It may take a few hours for the model to warm up.

I’m getting too many false positives on PII detection.
Lower the sensitivity in your WAF rule (use cf.ai.detection.pii eq "high" instead of “medium”) or add exclusions for known internal test traffic using IP lists.

The WAF rule editor doesn’t show cf.ai fields.
Make sure AI Security for Apps is enabled on the zone and you have visited the AI Security section at least once. The fields appear dynamically.

Next Steps

  • Explore the new IBM partnership if you use IBM watsonx or IBM Cloud — Cloudflare now delivers AI security directly to IBM cloud customers.
  • Connect Cloudflare with Wiz (if you’re a mutual customer) for a unified AI security posture view across cloud assets and runtime traffic.
  • Review your OWASP LLM Top 10 coverage and map each risk to a Cloudflare detection + WAF rule.
  • Consider adding rate limiting specifically for AI endpoints to mitigate unbounded consumption attacks.

AI Security for Apps turns the unpredictable nature of LLMs into a manageable, observable, and enforceable security layer.

Sources

Original Source

blog.cloudflare.com
