[WAF] Update threat score (#18537)

pedrosousa · hyperlint-ai[bot] · web-flow · commit 255ea46d6495 · 2024-12-04T17:34:08.000Z
---------

Co-authored-by: hyperlint-ai[bot] &lt;154288675+hyperlint-ai[bot]@users.noreply.github.com&gt;
diff --git a/src/content/docs/learning-paths/application-security/default-traffic-security/security-level.mdx b/src/content/docs/learning-paths/application-security/default-traffic-security/security-level.mdx
@@ -3,11 +3,12 @@ title: Security level
 pcx_content_type: learning-unit
 sidebar:
   order: 2
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 <Render file="security-level-description" product="waf" />
 
+<Render file="threat-score-definition" product="waf" />
+
 <Render file="security-level-scores" product="waf" />
diff --git a/src/content/docs/waf/tools/security-level.mdx b/src/content/docs/waf/tools/security-level.mdx
@@ -2,22 +2,23 @@
 pcx_content_type: reference
 source: https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level
 title: Security Level
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 <Render file="security-level-description" product="waf" />
 
-***
+---
+
+<Render file="threat-score-definition" product="waf" />
 
 <Render file="security-level-scores" product="waf" />
 
-***
+---
 
 ## Customize security level
 
-The default security level is *Medium*.
+The default security level is _Medium_.
 
 ### Update globally
 
@@ -31,16 +32,14 @@ To update the security level for your entire zone:
 
 To set the security level more selectively, do one of the following:
 
-* Configure it via a [configuration rule](/rules/configuration-rules/).
-* Use the **Threat Score** as a **Field** criteria within [custom rules](/waf/custom-rules/). If you are using the Expression Editor, use the `cf.threat_score` field.
+- Configure it via a [configuration rule](/rules/configuration-rules/).
+- Use the **Threat Score** as a **Field** criteria within [custom rules](/waf/custom-rules/). If you are using the Expression Editor, use the `cf.threat_score` field.
 
-***
+---
 
 ## Recommendations
 
 To prevent bot IPs from attacking a website:
 
-* A new website owner might set a *Medium* or *High* **Security Level** and lower [**Challenge Passage**](/waf/tools/challenge-passage/) to a value below **30 minutes** to ensure that Cloudflare is constantly protecting the site.
-* An experienced website administrator confident in their security settings might set **Security Level** to *Essentially Off* or *Low* while setting a higher [**Challenge Passage**](/waf/tools/challenge-passage/) for a week, month, or even year to provide a less obtrusive visitor experience.
-
-You can also create [WAF custom rules](/waf/custom-rules/) to protect sensitive areas of your website — like comment form pages or login forms — using the [threat score](#threat-score) in your rule expression. The flexibility of custom rules allows you to select the action to take (for example, challenge or block) and exclude specific IP addresses.
+- A new website owner might set a _Medium_ or _High_ **Security Level** and lower [**Challenge Passage**](/waf/tools/challenge-passage/) to a value below **30 minutes** to ensure that Cloudflare is constantly protecting the site.
+- An experienced website administrator confident in their security settings might set **Security Level** to _Essentially Off_ or _Low_ while setting a higher [**Challenge Passage**](/waf/tools/challenge-passage/) for a week, month, or even year to provide a less obtrusive visitor experience.
diff --git a/src/content/partials/waf/security-level-scores.mdx b/src/content/partials/waf/security-level-scores.mdx
@@ -1,40 +1,29 @@
 ---
 {}
-
 ---
 
-## Threat score
-
-The threat score measures IP reputation across Cloudflare services. This score is calculated based on [Project Honeypot](https://www.projecthoneypot.org/), external public IP information, as well as internal threat intelligence from our [WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/) and [DDoS](/ddos-protection/about/).
-
-The threat score of a request has a value from 0 to 100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.
-
 ## Security levels
 
-Security levels are based on the threat score (except *Off* and *I’m Under Attack!*). You can adjust the security level to challenge incoming requests based on the threat they pose.
+Security levels are based on the threat score (except _Off_ and _I'm Under Attack!_). You can adjust the security level to challenge incoming requests based on the threat they pose.
 
 The available security levels are the following:
 
-
-
-| Security Level                      | Threat score range | Description                                                                          |
-| ----------------------------------- | ------------------ | ------------------------------------------------------------------------------------ |
-| Off (Enterprise<br/>customers only) | *N/A*              | Does not challenge IP addresses.                                                     |
-| Essentially off                     | 50–100             | Only challenges IP addresses with the worst reputation.                              |
-| Low                                 | 25–100             | Challenges only threatening visitors.                                                |
-| Medium                              | 15–100             | Challenges both threatening and moderately threatening visitors.                     |
-| High                                | 0–100              | Challenges all visitors that exhibited threatening behavior within the last 14 days. |
-| I’m Under Attack!                   | *N/A*              | Only for use if your website is currently under a DDoS attack.                       |
-
-
+| Security Level                      | Description                                                                          |
+| ----------------------------------- | ------------------------------------------------------------------------------------ |
+| Off (Enterprise<br/>customers only) | Does not challenge IP addresses.                                                     |
+| Essentially off                     | Only challenges IP addresses with the worst reputation.                              |
+| Low                                 | Challenges only threatening visitors.                                                |
+| Medium                              | Challenges both threatening and moderately threatening visitors.                     |
+| High                                | Challenges all visitors that exhibited threatening behavior within the last 14 days. |
+| I'm Under Attack!                   | Only for use if your website is currently under a DDoS attack.                       |
 
 Selecting a higher **Security Level** value means that even requests with a lower risk (that is, with a low [threat score](#threat-score)) will be challenged. Selecting a lower **Security Level** value means that only requests posing a higher risk (that is, with a high threat score) will be challenged.
 
-Security levels from *Essentially off* to *High* will challenge the visitor using a Managed Challenge. When you select *I'm Under Attack!*, which enables [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/), Cloudflare will present a JS challenge page.
+Security levels from _Essentially off_ to _High_ will challenge the visitor using a Managed Challenge. When you select _I'm Under Attack!_, which enables [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/), Cloudflare will present a JS challenge page.
 
 :::caution
 
-Only use [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/) when a website is under a DDoS attack. I'm Under Attack mode may affect some actions on your domain, such as your API traffic.
+Only use [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/) when a website is under a DDoS attack. I'm Under Attack mode may affect some actions on your domain, such as your API traffic.
 
-To set a custom security level for your API or any other part of your domain, create a [configuration rule](/rules/configuration-rules/). 
+To set a custom security level for your API or any other part of your domain, create a [configuration rule](/rules/configuration-rules/).
 :::
diff --git a/src/content/partials/waf/threat-score-definition.mdx b/src/content/partials/waf/threat-score-definition.mdx
@@ -0,0 +1,13 @@
+---
+{}
+---
+
+## Threat score
+
+The threat score measures IP reputation across Cloudflare services. This score is calculated based on [Project Honeypot](https://www.projecthoneypot.org/), external public IP information, as well as internal threat intelligence from our [WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/) and [DDoS](/ddos-protection/about/).
+
+The threat score of a request has a value from 0 to 100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.
+
+:::note[Recommendation]
+Currently we do not recommend creating rules based on the threat score, since this score is no longer being populated.
+:::
