
WAF vs CDN in 2026: What Each One Actually Does

Plain-English breakdown of WAF vs CDN. When you need each, when you need both, Cloudflare and AWS pricing, and a setup guide that covers most business sites in under an hour.

By Adriano Junior

TL;DR

  • WAF vs CDN does not have to be a choice. A CDN is a global cache that copies your site to data centers close to your users. It makes pages load faster and absorbs traffic spikes.
  • A WAF is a rule-based guard that inspects every request and blocks the bad ones: SQL injection, XSS, bot abuse, brute force, credential stuffing.
  • You almost always want both. Cloudflare's free tier gives you a CDN and a basic managed WAF with one switch. Pro at $20 per month adds the full Cloudflare and OWASP managed rulesets and a larger custom-rule quota.

Every few months a client sends me the same screenshot. A confused page at a hosting provider with two boxes to tick. One labelled "Enable CDN", one labelled "Enable WAF", and no explanation of either. Both cost money. Both claim to make your site faster and safer.

They do different jobs. Miss one and you either have a slow site or a site full of holes. Here is how I think about them, which products actually deliver, and the setup I run on every production site I ship.

The door and the bullhorn

Two pictures that have stuck with me:

A CDN is a bullhorn. Your web server speaks once to the CDN. The CDN speaks to millions of users at the same time from hundreds of points near them. Your origin server stays unburdened. Pages arrive fast because there is no round-trip across the ocean for every image.

A WAF is a guard at the door. Every request walks past it. It asks: does this look like a SQL injection? Is this IP on a block list? Is this bot rate-limited? Is there a known exploit pattern in the URL? Bad requests get bounced. Good ones walk in.

Some products bundle both. Some do one well and the other poorly. That is the distinction worth knowing before you tick a single box.

What a CDN does

A CDN (Content Delivery Network) solves three problems:

  1. Latency. A user in Tokyo loading a server in Virginia waits around 170 milliseconds for the network round-trip alone, before any work happens. A CDN with a Tokyo point-of-presence cuts that to under 10 ms for anything served from cache; a cache miss still pays the trip to the origin.
  2. Origin load. Cached responses never touch your server. A viral blog post that would have melted a single VPS is served by hundreds of CDN edge locations instead.
  3. Traffic absorption. A 20 Gbps DDoS flood is nothing to a CDN with terabits of capacity. To your origin, it would be instant death. Cloudflare's own DDoS threat reports have logged attacks well above 5 Tbps absorbed at the edge. That protection only holds while attackers cannot reach the origin's IP directly, so do not leave it sitting in old DNS records.

A CDN speeds up delivery. It does not inspect requests for threats: a malicious request is simply another uncacheable request, and the CDN forwards it to your origin like any other cache miss.

What a WAF does

A WAF (Web Application Firewall) runs a ruleset against every incoming request. Typical protections:

  • OWASP Top 10 injection classes: SQL injection, XSS, path traversal, command injection, SSRF. The current list lives at the OWASP Top 10 project.
  • Known-bad bot signatures: scrapers, vulnerability scanners, spam networks.
  • Rate limits, like 10 requests per minute to /login per IP.
  • Credential stuffing defence: block or challenge an IP that fires dozens of login attempts in a minute, or requests whose username and password pair appears in a public breach dump.
  • Custom rules: block any request to /wp-admin from outside three office IPs.
  • Managed rules that the vendor updates when a new CVE drops, so the exploit pattern is blocked at the edge before you have patched.

A WAF does not cache anything. It does not make pages faster, except indirectly: the junk it blocks never costs your origin any CPU. It inspects, decides, and either forwards or blocks. Different job, different value.
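Here is what "inspects, decides, forwards or blocks" looks like in code. This is an added, toy illustration written for this article, not Cloudflare's engine and not the author's configuration: the signatures, the allow-listed office addresses, the thresholds and the sample requests are all constructed. It shows the three things a rule engine has to get right that the bullet list glosses over: decode before matching, apply an existing mitigation before doing any more work, and keep rate-limit state per client.

```python
"""Toy request-inspection engine in the shape of a WAF ruleset.

Added illustration for this article, not Cloudflare's engine and not the
author's configuration. Rule names, signatures, thresholds, addresses and
sample requests are constructed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    ip: str
    method: str
    path: str
    query: str = ""
    user_agent: str = "Mozilla/5.0"
    ts: float = 0.0          # seconds; constructed clock, not wall time


# Deliberately tiny signature set; real managed rulesets carry thousands of
# patterns tuned against false positives.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("cmdi", re.compile(r"(?i)(;|\|\||&&)\s*(cat|wget|curl|sh|bash)\b")),
]

ADMIN_PATHS = ("/wp-admin", "/admin")
OFFICE_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed (TEST-NET-3)
LOGIN_PATHS = ("/login", "/wp-login")
RATE_LIMIT = 10        # requests
RATE_PERIOD = 60.0     # per this many seconds, per IP
BLOCK_FOR = 600.0      # mitigation timeout once the limit is exceeded


class Waf:
    def __init__(self):
        self.window = defaultdict(list)   # ip -> timestamps of recent login hits
        self.blocked_until = {}           # ip -> end of mitigation timeout

    def decide(self, r: Request):
        """Return (action, rule) where action is allow, challenge or block."""
        # 1. An active mitigation wins before anything else is inspected.
        if r.ts < self.blocked_until.get(r.ip, 0.0):
            return ("block", "rate-limit-timeout")
        # 2. Decode before matching; a raw-string regex is bypassed by %27%20OR%201=1.
        haystack = unquote_plus(r.path) + "?" + unquote_plus(r.query)
        for name, pat in SIGNATURES:
            if pat.search(haystack):
                return ("block", name)
        # 3. Admin paths only from allow-listed addresses.
        if r.path.startswith(ADMIN_PATHS) and r.ip not in OFFICE_IPS:
            return ("block", "admin-allowlist")
        # 4. Empty user-agent: challenge rather than block, some real clients are odd.
        if not r.user_agent.strip():
            return ("challenge", "empty-ua")
        # 5. Per-IP rate limit on login paths: N per period, then a timeout.
        if r.path.startswith(LOGIN_PATHS):
            hits = [t for t in self.window[r.ip] if r.ts - t < RATE_PERIOD]
            hits.append(r.ts)
            self.window[r.ip] = hits
            if len(hits) > RATE_LIMIT:
                self.blocked_until[r.ip] = r.ts + BLOCK_FOR
                return ("block", "rate-limit")
        return ("allow", None)


def run_demo():
    """Constructed traffic sample; returns the list of decisions in order."""
    waf = Waf()
    out = [
        waf.decide(Request("198.51.100.5", "GET", "/products", "id=42", ts=0)),
        waf.decide(Request("198.51.100.5", "GET", "/products", "id=42%27%20OR%20%271%27=%271", ts=1)),
        waf.decide(Request("198.51.100.6", "GET", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E", ts=2)),
        waf.decide(Request("198.51.100.7", "GET", "/static/..%2f..%2fetc/passwd", ts=3)),
        waf.decide(Request("198.51.100.8", "GET", "/wp-admin/", ts=4)),
        waf.decide(Request("203.0.113.10", "GET", "/wp-admin/", ts=5)),
    ]
    # Credential stuffing: 12 login posts from one IP inside a minute.
    for i in range(12):
        out.append(waf.decide(Request("198.51.100.9", "POST", "/wp-login.php", ts=10 + i)))
    # Same IP five minutes later is still inside the 10-minute timeout...
    out.append(waf.decide(Request("198.51.100.9", "GET", "/", ts=310)))
    # ...and once the timeout has elapsed it is allowed again.
    out.append(waf.decide(Request("198.51.100.9", "GET", "/", ts=621)))
    return out


if __name__ == "__main__":
    for action, rule in run_demo():
        print(action, rule)
```

The decoding step is the one worth remembering: a regex that only sees the raw query string is bypassed by percent-encoding. Managed rulesets do that normalisation for you, with far more thorough signatures than the four above.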

Why you want both

Think about what each one misses on its own:

| Attack type                  | CDN alone                                   | WAF alone                              | Both          |
|------------------------------|---------------------------------------------|----------------------------------------|---------------|
| DDoS at network layer        | Absorbed at the edge                        | Overwhelmed (appliance or host WAF)    | Absorbed      |
| Low-volume SQL injection     | Not cacheable, forwarded to origin          | Blocked                                | Blocked       |
| Credential stuffing          | Invisible                                   | Rate-limited                           | Rate-limited  |
| Global latency               | Solved                                      | Still slow                             | Solved        |
| Zero-day exploit in a plugin | Forwarded to origin                         | Often caught by generic injection rules | Often caught |
| Bot scraping product catalog | Served from cache, scraper still gets data  | Blocked by bot score                   | Blocked       |

Short answer: every attack that is not pure volume leaks past a CDN. Every latency problem is ignored by a WAF. One is not a substitute for the other.

Pricing, compared

The market for 2026 is simpler than it used to be. Cloudflare dominates because its free tier is genuinely useful and its paid tiers are reasonable.

| Product                  | CDN            | WAF                                                          | Monthly cost                                        | Good fit                                    |
|--------------------------|----------------|--------------------------------------------------------------|-----------------------------------------------------|---------------------------------------------|
| Cloudflare Free          | Yes            | Free managed ruleset, 5 custom rules, 1 rate-limit rule      | $0                                                  | Most small business sites                   |
| Cloudflare Pro           | Yes            | Cloudflare + OWASP managed rulesets, 20 custom rules, image optimisation | $20                                      | Serious business sites                      |
| Cloudflare Business      | Yes            | Above + 100 custom rules + 100% uptime SLA                   | $250                                                | Revenue-critical sites                      |
| Cloudflare Enterprise    | Yes            | Above + Bot Management, managed IP lists, larger quotas      | From $5K                                            | Mid-market and up                           |
| AWS CloudFront + AWS WAF | Yes            | Pay per web ACL, per rule and per request                    | $5/ACL + $1/rule + $0.60/M requests, plus transfer  | AWS-heavy stacks                            |
| Akamai                   | Yes            | App & API Protector (formerly Kona Site Defender)            | From $4K                                            | Enterprise, regulated                       |
| Fastly + Signal Sciences | Yes            | Yes (Next-Gen WAF)                                           | $50 + usage                                         | Engineering teams who want per-rule control |
| Vercel                   | Yes (built-in) | Vercel Firewall (basic + managed)                            | Free + add-ons                                      | Next.js-native stacks                       |
| Sucuri                   | Limited CDN    | Yes                                                          | $20–$500/mo                                         | WordPress sites without a CDN               |

For most of the business sites I set up, the answer is Cloudflare Free to start, Cloudflare Pro the moment you take payments or store customer data, and Business if downtime costs more than $250 per hour.

AWS WAF looks cheap on the sticker but gets expensive fast. $5 per web ACL per month, $1 per rule per month, plus $0.60 per million inspected requests. A site with one ACL, 20 rules and 50M requests per month is $5 + $20 + $30 = $55. That is fine. Enable Bot Control, which is billed separately per month and per million requests, and the bill roughly doubles. The current rate card lives in AWS WAF pricing; read it before you commit.

The Cloudflare Free tier in detail

People underestimate how much free Cloudflare gives you in 2026:

  • Unlimited bandwidth through the CDN
  • Universal SSL (free cert, auto-renew)
  • DDoS protection at network layer, unmetered
  • The Cloudflare Free Managed Ruleset (a subset of the rules Pro gets)
  • Basic bot fight mode
  • Three page rules
  • Analytics

The limits that push you to Pro:

  • No image optimisation (Polish, lossless or lossy)
  • Only five WAF custom rules (Pro gives 20, Business 100)
  • Only one rate limiting rule
  • Slower support

Start free. Move to Pro the week a real user sends a real form over it.

Setup in under an hour

This is the order I run on every client site.

Step 1: Change name servers. Add your domain to Cloudflare and let it import your existing DNS records. Check the import before you switch: MX, SPF and DKIM TXT records must be present, and anything that must not go through the proxy (mail, SFTP, a bare-IP service) should be set to DNS only. Then update the name servers at your registrar. Propagation takes 5 minutes to 24 hours, and nothing else changes during that window because the records were copied as they were.

Step 2: Set SSL mode. In SSL/TLS, pick "Full (strict)" so the edge verifies your origin's certificate. Let's Encrypt counts, and so does a free Cloudflare Origin CA certificate, which only Cloudflare's edge trusts, and that is all you need behind the proxy. If your origin has no cert, get one first. See the SSL setup guide. Never use "Flexible" on a site that accepts logins or forms: it terminates TLS at the edge and talks to your origin over plain HTTP, so every password crosses the last hop unencrypted.

Step 3: Turn on basic security. In Security > Settings, set Security Level to Medium. In Security > Bots, enable Bot Fight Mode. One caveat: Bot Fight Mode challenges anything it scores as automated, which includes uptime monitors, webhook senders and API clients, and on the Free plan you cannot exempt individual clients from it with a custom rule. Retest those integrations after enabling it.

Step 4: Force HTTPS. Under SSL/TLS > Edge Certificates, turn on "Always Use HTTPS" and "Automatic HTTPS Rewrites".

Step 5: Add a rate-limit rule for login. On the Free tier you get one. Use it here:

  • If URI Path contains /login OR /wp-login
  • More than 10 requests per 1 minute per IP
  • Action: Block for 10 minutes

Ten per minute is generous for a human and tight for an office behind a single NAT address, so raise the threshold if your staff share an IP. The block applies to everyone behind that address for the full 10 minutes, which is why the window is kept short.

Step 6: Add custom rules to block obvious abuse. The Free plan allows five. Examples that cost nothing:

  • Block countries you do not do business with (only if you are sure, and not on admin paths you still need while travelling)
  • Challenge requests with an empty or obviously fake user-agent
  • Challenge traffic from hosting and cloud provider ASNs that no real customer of yours uses. You maintain that ASN list yourself; Cloudflare's managed IP lists of open proxies and VPNs are an Enterprise feature.

Step 7: Verify caching. Load a static asset (the logo, a CSS file) twice and check the cf-cache-status response header: the second request should say HIT. MISS on the second request usually means the origin's Cache-Control header is stopping the edge from keeping it. DYNAMIC on the HTML page itself is normal, because Cloudflare does not cache HTML by default; if you add a cache rule for it, pair it with a bypass for logged-in session cookies or users will see each other's pages.

Done. Most sites I set up this way see a 30–60% reduction in origin traffic and a 50% reduction in time-to-first-byte within an hour.
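To check the result of the seven steps without clicking through the dashboard, here is a small verifier, added for this article and not the author's tooling. It assumes a Cloudflare-proxied host: the cf-ray and server headers, the cf-cache-status values and the http-to-https redirect are Cloudflare behaviour, while example.com and /favicon.ico are placeholders. The assessment is a pure function over captured headers, so it can be exercised offline; only fetch_site() touches the network.

```python
"""Post-setup check: proxied, Always Use HTTPS on, static asset served from
the edge cache on a repeat request. Added example for this article, not the
author's tooling. Hostname and asset path are placeholders."""
import sys
import urllib.error
import urllib.request


def assess(http_status, http_location, first_headers, second_headers):
    """Return {check_name: (ok, detail)} from captured responses.

    http_status/http_location: reply to a plain http:// request, redirects not followed.
    first_headers/second_headers: headers of two consecutive https:// requests for
    the same static asset. Header names are compared case-insensitively."""
    h1 = {k.lower(): v for k, v in first_headers.items()}
    h2 = {k.lower(): v for k, v in second_headers.items()}
    checks = {}

    proxied = "cf-ray" in h1 and h1.get("server", "").lower() == "cloudflare"
    checks["proxied"] = (proxied, "cf-ray and server: cloudflare present" if proxied
                         else "no cf-ray / server header: record is probably DNS only (grey cloud)")

    redirected = http_status in (301, 302, 307, 308) and (http_location or "").startswith("https://")
    checks["always_https"] = (redirected, f"http:// answered {http_status} -> {http_location}")

    status = h2.get("cf-cache-status", "").upper()
    hint = {
        "DYNAMIC": "not cached by default for this content type; add a cache rule if you want it cached",
        "MISS": "cacheable but not stored yet; if a third request also misses, check origin Cache-Control",
        "BYPASS": "origin sent no-cache/private or Set-Cookie, or a rule bypassed the cache",
        "": "no cf-cache-status header: the request did not pass through Cloudflare",
    }.get(status, "")
    checks["edge_cache"] = (status == "HIT",
                            f"second request cf-cache-status={status or 'absent'} {hint}".strip())
    return checks


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # returning None makes urllib raise HTTPError for the 3xx


def _fetch(url, follow=True):
    opener = urllib.request.build_opener() if follow else urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:       # 3xx with redirects disabled lands here
        return e.code, dict(e.headers.items())


def fetch_site(host, asset="/favicon.ico"):
    """Network part: one plain-http probe, two https fetches of the asset."""
    http_status, http_headers = _fetch(f"http://{host}/", follow=False)
    _, first = _fetch(f"https://{host}{asset}")
    _, second = _fetch(f"https://{host}{asset}")
    return assess(http_status, http_headers.get("Location"), first, second)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    for name, (ok, detail) in fetch_site(target).items():
        print(f"[{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

Run it as `python verify.py yourdomain.example`. All three lines reading ok means the proxy, the redirect and the static cache are doing their jobs; a failing edge_cache line carries the usual cause next to it.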

When Cloudflare is not enough

Three signals I watch for:

  1. Smart bots getting through. If you are being scraped despite Bot Fight Mode, you need Cloudflare Enterprise Bot Management or a specialist like DataDome or HUMAN.
  2. Regulatory constraints. Some contracts require a dedicated WAF appliance or an on-prem solution. Cloudflare Enterprise covers most. Akamai covers the rest. The NIST SP 800-53 control catalog is what most of those contracts reference.
  3. Engineering team that wants git-managed rules. Fastly + Signal Sciences gives you rules in code and serious observability. Worth it for teams of 10+ engineers.

For the deeper business-owner view of when to add security tooling and how to budget for it, see the website security guide.

Pairing with a CDN you already have

What if your platform already includes a CDN? Common cases:

  • Vercel. The built-in CDN handles caching and DDoS. Add Vercel Firewall for managed WAF rules. For deeper inspection, proxy the domain through Cloudflare (orange cloud) with SSL mode set to Full (strict); Vercel supports that. "DNS only" mode on the record gives you Cloudflare's DNS and nothing else, because traffic then goes straight to Vercel without touching the WAF or the cache.
  • Netlify. Similar story. Netlify Edge + Cloudflare in front works. Or use Netlify's built-in firewall features.
  • Shopify. You cannot add a WAF directly. Shopify handles this internally. Your levers are limited to app-level controls and custom login rules.
  • WP Engine. Includes a basic WAF. Most clients add Cloudflare in front anyway for global cache performance.

A CDN on top of a CDN sometimes helps (Cloudflare in front of Vercel for extra rules) and sometimes hurts (two caches fighting). Test cache behaviour after you stack them: confirm both layers honour the origin's Cache-Control, and that purging at one layer does not leave stale copies in the other. If the headers look sane, leave it. If you are debugging stale content for the third time, swap one out.

How I set this up for clients

For a new business website build, the default is Cloudflare Free for the first month, Cloudflare Pro on launch day, and a set of five custom rules I reuse:

  1. Rate-limit /login, /register, /checkout per IP
  2. Challenge known scraping ASNs
  3. Block empty or obvious bot user-agents
  4. Geo-fence admin paths to specific countries
  5. Cache bypass for session cookies so logged-in users see fresh pages

This setup stops most of the real traffic noise I see hit client origins. The rest goes into a monthly review.
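For that monthly review, here is the shape of a script that reads Cloudflare Logpush HTTP request records and reports cache offload and what the WAF mitigated. It is an added example for this article, not the author's report. Logpush itself is an Enterprise feature; on Free and Pro the same numbers come from the Security and Caching analytics in the dashboard. The field names used (ClientIP, ClientASN, ClientRequestPath, CacheCacheStatus, EdgeResponseStatus, SecurityAction) are from the Logpush "HTTP requests" dataset; the log lines themselves are constructed.

```python
"""Monthly edge-log review: origin offload, security actions, noisy sources.

Added example for this article, not the author's report. SAMPLE_LOG is
constructed in the shape of Cloudflare Logpush 'HTTP requests' records
(newline-delimited JSON); the addresses, ASNs and paths are made up."""
import json
from collections import Counter

SAMPLE_LOG = """\
{"ClientIP":"198.51.100.20","ClientASN":64500,"ClientRequestPath":"/","CacheCacheStatus":"dynamic","EdgeResponseStatus":200,"SecurityAction":""}
{"ClientIP":"198.51.100.20","ClientASN":64500,"ClientRequestPath":"/app.js","CacheCacheStatus":"hit","EdgeResponseStatus":200,"SecurityAction":""}
{"ClientIP":"198.51.100.21","ClientASN":64500,"ClientRequestPath":"/app.js","CacheCacheStatus":"hit","EdgeResponseStatus":200,"SecurityAction":""}
{"ClientIP":"198.51.100.22","ClientASN":64501,"ClientRequestPath":"/logo.png","CacheCacheStatus":"miss","EdgeResponseStatus":200,"SecurityAction":""}
{"ClientIP":"203.0.113.77","ClientASN":64512,"ClientRequestPath":"/wp-login.php","CacheCacheStatus":"unknown","EdgeResponseStatus":429,"SecurityAction":"block"}
{"ClientIP":"203.0.113.77","ClientASN":64512,"ClientRequestPath":"/wp-login.php","CacheCacheStatus":"unknown","EdgeResponseStatus":429,"SecurityAction":"block"}
{"ClientIP":"203.0.113.78","ClientASN":64512,"ClientRequestPath":"/xmlrpc.php","CacheCacheStatus":"unknown","EdgeResponseStatus":403,"SecurityAction":"block"}
{"ClientIP":"203.0.113.79","ClientASN":64513,"ClientRequestPath":"/products","CacheCacheStatus":"unknown","EdgeResponseStatus":403,"SecurityAction":"managed_challenge"}
{"ClientIP":"198.51.100.23","ClientASN":64500,"ClientRequestPath":"/products","CacheCacheStatus":"dynamic","EdgeResponseStatus":200,"SecurityAction":""}
{"ClientIP":"198.51.100.23","ClientASN":64500,"ClientRequestPath":"/style.css","CacheCacheStatus":"expired","EdgeResponseStatus":200,"SecurityAction":""}
"""

# Cache statuses that needed no body fetch from the origin.
SERVED_FROM_EDGE = {"hit", "stale", "revalidated"}
# Security actions that stopped the request at the edge.
MITIGATED = {"block", "managed_challenge", "challenge", "js_challenge"}


def review(lines, top=3):
    """Summarise one batch of Logpush records.

    Offload is computed over requests the WAF let through, so a week of heavy
    blocking does not masquerade as good caching. The top-N lists point at the
    IPs, networks and paths a custom rule is earning its keep on."""
    records = [json.loads(line) for line in lines if line.strip()]
    mitigated = [r for r in records if r.get("SecurityAction", "") in MITIGATED]
    passed = [r for r in records if r.get("SecurityAction", "") not in MITIGATED]
    served = sum(r["CacheCacheStatus"] in SERVED_FROM_EDGE for r in passed)
    dynamic = sum(r["CacheCacheStatus"] == "dynamic" for r in passed)
    return {
        "total": len(records),
        "mitigated": len(mitigated),
        "actions": dict(Counter(r["SecurityAction"] for r in mitigated)),
        "offload_ratio": round(served / len(passed), 3) if passed else 0.0,
        "dynamic_ratio": round(dynamic / len(passed), 3) if passed else 0.0,
        "top_mitigated_ips": Counter(r["ClientIP"] for r in mitigated).most_common(top),
        "top_mitigated_asns": Counter(r["ClientASN"] for r in mitigated).most_common(top),
        "top_mitigated_paths": Counter(r["ClientRequestPath"] for r in mitigated).most_common(top),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(review(SAMPLE_LOG.splitlines()))
```

Point it at a day of exported records instead of SAMPLE_LOG and two numbers drive the review: a low offload_ratio with a high dynamic_ratio means the cache rules, not the WAF, are the next thing to tune; a single ASN dominating top_mitigated_asns is a candidate for an outright challenge rule.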

The same stack is what I used on the Cuez API optimisation project, where the origin had to spend all its CPU on actual API work, not on serving static assets or fighting bots. That is part of how the API went from 3 seconds to 300ms — a 10x improvement. On the bolttech payment integration work I led for the $1B+ unicorn, the same edge discipline kept 99.9% uptime across 40+ payment provider integrations with zero post-launch critical bugs.

Reflecting on what actually matters here

After 16 years and 250+ projects, the lesson I keep coming back to is unglamorous: most security and performance gains come from turning on the basics, not from buying the expensive product. A free Cloudflare account, configured properly, beats an enterprise WAF that nobody knows how to tune.

The teams that struggle are the ones picking between WAF and CDN as if it is a budget choice. It is not. It is two tools doing two different jobs that happen to be sold together. Once that clicks, the spend gets smaller and the protection gets better.

If you remember one thing from this article, remember that a CDN does not inspect, and a WAF does not cache. Stack them, configure them, and walk away.

FAQ

Do I need a WAF if I am on WordPress with a security plugin?

A plugin like Wordfence runs inside WordPress, so PHP has already started executing by the time it inspects the request, and it still catches a lot. An edge WAF in front of the site (Cloudflare) stops attacks before they reach WordPress at all, saving CPU and blocking exploit patterns in plugins you did not think to patch. Run both.

Does Cloudflare slow down my site?

In a well-configured setup, no. Cloudflare's edge adds 1–5 ms while saving 100–500 ms on origin fetch time. If you see slowdowns, check your SSL mode and cache rules.

Will a CDN break my analytics?

Server-side analytics only see requests that reach the origin, so hits served from the edge cache go missing. Fix it either with client-side analytics (Plausible, GA4) or, on Enterprise, with Cloudflare Logpush feeding the edge request logs into your analytics backend. On lower plans, Cloudflare's own analytics dashboard shows the edge view.

Can I use AWS WAF without CloudFront?

Yes. AWS WAF attaches to Application Load Balancer, API Gateway, App Runner, or Cognito directly. You lose the CDN benefit but keep the security inspection.

Is the free Cloudflare plan safe to use in production?

Yes, tens of thousands of production sites do. Pro adds features, not baseline safety. Start free, upgrade when you notice a limitation.

What about WAF for an internal API?

If the API is on a public domain, the same rules apply. If it is on a private VPC, a CDN is overkill but a WAF (often a self-hosted ModSecurity, or AWS WAF on an internal ALB) still earns its keep against insider misuse and credential stuffing.

Closing

CDN and WAF are not "nice to haves" versus "pick one". They are two different jobs. Shipping a business site without both in 2026 is like running a store with the doors unlocked and no checkout line.

If you want a 20-minute setup walk-through on your own domain, book a free strategy call. I usually finish a Cloudflare setup before the call ends.
