Rate Limiting
WAF Rate Limiting is L7-only. No dedicated L4 rate limiting product exists. DDoS systems implicitly rate-limit attack traffic only.
Bot Management / JA3 / JA4
Bot Management, JA3/JA4 fingerprinting, and TLS fingerprint validation require decrypted L7 traffic, so they are unavailable with true passthrough.
Note: If HTTPS traffic can be terminated at Cloudflare (not passthrough), JA3/JA4 becomes available via Bot Management.
HTTP Header Inspection
HTTP headers are encrypted end-to-end with TLS passthrough. Cloudflare cannot inspect them without terminating TLS.
IP Reputation Scoring
cf.threat_score is an L7 field. L4 DDoS systems use IP signals but there is no reputation score in Spectrum rules.
Why? These features require inspecting the application-layer payload, which is only possible after TLS decryption.
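The difference between termination and passthrough described above, as an added Python example (not Cloudflare code): it walks the TLS record layer of a constructed capture and checks whether HTTP header names can be matched in what a passthrough proxy holds. The helper names, the sample request and the hash-based stand-in cipher are assumptions made for the illustration; the stand-in is not real TLS encryption.

```python
import hashlib
import struct

# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_NAMES = (b"Host:", b"User-Agent:", b"Cookie:")

def record(ctype: int, payload: bytes) -> bytes:
    """Frame a payload as one TLS record: type, legacy version, length."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def stand_in_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the session's AEAD cipher (NOT real TLS crypto)."""
    blocks = -(-len(plaintext) // 32)          # ceil(len / 32) SHA-256 blocks
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def walk_records(stream: bytes):
    """Yield (type_name, payload) for each complete TLS record in a byte stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5: offset + 5 + length]
        if len(payload) < length:      # truncated record: stop, do not guess
            break
        yield CONTENT_TYPES.get(ctype, f"unknown({ctype})"), payload
        offset += 5 + length

def visible_headers(data: bytes) -> list:
    """HTTP header names that can be matched in the given bytes."""
    return [h.decode() for h in HEADER_NAMES if h in data]

def passthrough_view(stream: bytes) -> list:
    """What a proxy without the session keys can say about each record."""
    return [(name, len(payload), visible_headers(payload))
            for name, payload in walk_records(stream)]

# Constructed sample: one HTTP request, as seen after TLS termination.
REQUEST = (b"GET /login HTTP/1.1\r\nHost: app.example.com\r\n"
           b"User-Agent: sample-client/1.0\r\nCookie: session=constructed\r\n\r\n")
# Constructed capture: placeholder handshake bytes, then the encrypted request.
CAPTURE = (record(22, b"\x01\x00\x00\x04demo")
           + record(23, stand_in_encrypt(REQUEST, b"constructed-session-key")))

if __name__ == "__main__":
    print("terminated :", visible_headers(REQUEST))
    print("passthrough:", passthrough_view(CAPTURE))
```

With passthrough the proxy can still count records and read their type and length, but every header match comes back empty; the same request after termination matches all three names.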