Cloudflare Docs
Rules
Rules
Visit Rules on GitHub
Set theme to dark (⇧+D)

Create a configuration rule via API

Use the Rulesets API to create configuration rules via API.

​​ Basic rule settings

When creating a configuration rule via API, make sure you:

  • Set the rule action to set_config.
  • Define the parameters in the action_parameters field according to the settings you wish to override for matching requests.
  • Deploy the rule to the http_config_settings phase at the zone level.

​​ Procedure

Follow this workflow to create a configuration rule for a given zone via API:

  1. Use the List zone rulesets operation to check if there is already a ruleset for the http_config_settings phase at the zone level.

  2. If the phase ruleset does not exist, create it using the Create a zone ruleset operation. In the new ruleset properties, set the following values:

    • kind: zone
    • phase: http_config_settings
  3. Use the Update a zone ruleset operation to add a configuration rule to the list of ruleset rules. Alternatively, include the rule in the Create a zone ruleset request mentioned in the previous step.

Make sure your API token has the required permissions to perform the API operations.

​​ Example requests

Example: Add a rule that enables Auto Minify for CSS files and enables Hotlink Protection

The following example sets the rules of an existing phase ruleset ({ruleset_id}) to a single configuration rule — enabling Auto Minify for CSS files and Hotlink Protection for the assets.example.com hostname — using the Update a zone ruleset operation:

Request
curl --request PUT \
https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"expression": "http.host eq \"assets.example.com\"",
"description": "Minifies CSS files and enables Hotlink Protection for assets.example.com",
"action": "set_config",
"action_parameters": {
"autominify": {
"html": false,
"css": true,
"js": false
},
"hotlink_protection": true
}
}
]
}'
Example: Add a rule that enables Email Obfuscation and Browser Integrity Check

The following example sets the rules of an existing phase ruleset ({ruleset_id}) to a single configuration rule — enabling Email Obfuscation and Browser Integrity Check for the contacts page — using the Update a zone ruleset operation:

Request
curl --request PUT \
https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"expression": "starts_with(http.request.uri.path, \"/contact-us/\")",
"description": "Obfuscates email addresses and enables BIC in contacts page",
"action": "set_config",
"action_parameters": {
"email_obfuscation": true,
"bic": true
}
}
]
}'
Example: Add a rule that sets the Security Level to High

The following example sets the rules of an existing phase ruleset ({ruleset_id}) to a single configuration rule — changing the Security Level to High for the administration area — using the Update a zone ruleset operation:

Request
curl --request PUT \
https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"rules": [
{
"expression": "http.host eq \"admin.example.com\"",
"description": "Change Security Level for admin area",
"action": "set_config",
"action_parameters": {
"security_level": "high"
}
}
]
}'

​​ Required API token permissions

The API token used in API requests to manage configuration rules must have at least the following permission:

  • Zone > Config Rules > Edit