Drupal Custom Cloudflare WAF rules that every Drupal site should run This blog post helps to summarise some of the default rules I will deploy to every Drupal (7 or 8) site as a base line.
Drupal SQL injection and Drupal 7 - top 1 of 10 OWASP security risks SQL injection and Drupal and how to avoid it