Cloudflare Docs

Cloudflare Docs

Overview
Concepts
WAF attack score
Uploaded content scanning
Custom rules
Create custom rules in the dashboard
Create custom rules via API
Configure a rule with the Skip action

API examples
Skip options

Common use cases

Allow traffic from search engine bots
Allow traffic from specific countries only
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Challenge bad bots
Exempt partners from Hotlink Protection
Require a specific cookie
Require a valid HMAC token
Require known IP addresses in site admin area
Require specific HTTP headers
Require specific HTTP ports
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update custom rules for customers or partners

Manage custom rules in the dashboard
Custom rulesets
Use the dashboard
Use the API
Firewall rules
Rate limiting rules
Determining the rate
Create in the dashboard for a zone
Create in the dashboard for an account
Create via API
Rate limiting parameters
Rule examples
Best practices
Managed rules
Deploy in the dashboard for a zone
Deploy in the dashboard for an account
Deploy via API
Rulesets reference

Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset
Cloudflare Exposed Credentials Check

Create WAF exceptions

Add an exception in the dashboard
Add an exception via API

Log the payload of matched rules

Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Command-line operations

Generate a key pair
Decrypt the payload content

Handle false positives
Additional tools
IP Access rules

Create a rule
Parameters
Actions

Lists

IP Lists
Bulk Redirect Lists
Create in the dashboard
Use lists in expressions
Lists API

JSON object
Endpoints

User Agent Blocking
Zone Lockdown
Browser Integrity Check
Challenge Passage
Privacy Pass
Security Level
Automated exposed credentials check
How exposed credentials checks work
Configure exposed credentials checks via API
Test your exposed credentials checks configuration
Monitor exposed credentials events
Security Analytics
Security Events
Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Migration guides

Migrating to the new WAF Managed Rules
Firewall rules are becoming custom rules
Deprecation of old rate limiting

Legacy features

WAF managed rules (previous version)

Troubleshooting

Rate Limiting (previous version)

Troubleshooting
Troubleshooting
Bing's Site Scan blocked by a managed rule
Changelog
Scheduled changes
2023-09-04
2023-08-21
2023-08-17 - Emergency
2023-08-07
2023-08-01 - Emergency
2023-07-31
2023-07-10
2023-07-05
2023-06-19
2023-06-14 - Emergency
2023-06-12
2023-06-09 - Emergency
2023-05-22
2023-05-02
2023-04-11
2023-03-20
2023-03-13
2023-03-06
2023-02-27
2023-02-13
2023-02-06
2023-01-30
2023-01-24
2023-01-16
2023-01-09
2022-12-12
2022-11-29
2022-11-14
2022-10-31
2022-10-18 - Emergency
2022-10-17
2022-10-14 - Emergency
2022-10-10
2022-10-03 - Emergency
2022-10-03
2022-09-20 – Emergency
2022-09-12
2022-09-05
2022-08-30
2022-08-22
2022-08-15
2022-08-01
2022-07-25
2022-07-18
2022-07-06
2022-07-05
2022-06-20
2022-06-10 – Emergency
2022-06-07 – Emergency
2022-06-06
2022-06-04 – Emergency
2022-06-03 – Emergency
2022-05-30
2022-05-16
2022-05-10 – Emergency
2022-05-09
2022-04-25
2022-04-20
2022-04-11
2022-04-04 – Emergency
2022-03-31 – Emergency
2022-03-29 – Emergency
2022-03-14
2022-03-07
2022-02-28
2022-02-21
2022-02-14
2022-01-24
2021-12-16 – Emergency
2021-12-14 – Emergency
2021-12-10 – Emergency
2021-11-01
2021-10-25
2021-10-19
2021-10-04
2021-09-06
2021-09-01 – Emergency
2021-08-31
2021-08-23
2021-08-16
2021-07-26
2021-07-19
2021-07-01 – Emergency
2021-06-21
2021-06-14
2021-06-07
2021-06-01
2021-04-21 – Emergency
2021-04-19
2021-03-22
2021-03-08
2021-03-06 – Emergency
2021-03-05 – Emergency
2021-03-01
2020-12-14
2020-12-02
2020-11-16
2020-11-05 – Emergency
2020-11-04 – Emergency
2020-10-19
2020-10-12
2020-10-05
2020-09-28
2020-09-21
2020-09-15
2020-09-07
2020-08-24
2020-09-01
2020-07-27
2020-08-03
2020-07-20
2020-07-07 – Emergency
2020-07-13
2020-06-22
2020-06-15
2020-06-08
2020-05-25
2020-05-11
2020-05-04
2020-04-27
2020-04-20
2020-04-06
2020-03-30
2020-03-23
2020-03-12
2020-03-09
2020-03-02 – Emergency
2020-02-17
2020-02-10
2020-01-27
2020-01-20
2020-01-16 – Emergency
2019-12-16
2019-11-25 – Emergency
2019-11-12
2019-11-07 – Emergency
2019-11-04
2019-10-27 – Emergency
2019-10-23 – Emergency
2019-10-21
2019-10-17 – Emergency
2019-10-14
2019-10-07
2019-09-30
2019-09-26 – Emergency
2019-09-16
Historical

Privacy Pass

Privacy Pass is a Chrome and Firefox browser extension that provides a better visitor experience for Cloudflare-protected websites. Privacy Pass is especially helpful for visitors from shared networks, VPNs, and Tor that tend to have poorer IP reputations.

For instance, a visitor IP address with poor reputation may receive a Cloudflare CAPTCHA page before gaining access to a Cloudflare-protected website. After a single CAPTCHA page is solved, Privacy Pass generates tokens for use with Cloudflare websites to prevent frequent CAPTCHAs. Privacy Pass generates 30 tokens for each solved CAPTCHA.

Set up Privacy Pass

For your zone

To enable Privacy Pass for your zone:

Log into the Cloudflare dashboard.
Select your account and zone.
Go to Security > Settings.
For Privacy Pass, switch the toggle to On.

For your end users

Your end users should download the Privacy Pass extension for either Google Chrome or Firefox:

Report general Privacy Pass issues to privacy-pass-support@cloudflare.com. The Privacy Pass code is available on GitHub which also allows reporting of issues.

Privacy Pass with Under Attack mode

Privacy Pass allows a user to bypass CAPTCHAs. To help mitigate malicious usage of this feature, we automatically disable Privacy Pass anytime a domain is placed into I’m Under Attack! mode. A few key points you need to keep in mind when enabling the I’m Under Attack! mode:

When I’m Under Attack! mode is enabled on a domain, then Privacy Pass is disabled.
When I’m Under Attack! mode is disabled on a domain, then Privacy Pass is re-enabled if it was enabled before I’m Under Attack! mode was turned on.
If Privacy Pass was disabled before I’m Under Attack! mode is turned on, it does not get enabled when I’m Under Attack! mode is turned off.
Privacy Pass cannot be enabled while I’m Under Attack! mode is turned on.