diff --git a/src/assets/images/waf/custom-rules/firewall-custom-rule-create.png b/src/assets/images/waf/custom-rules/firewall-custom-rule-create.png
index 7eae12cf3e9824..2751d4298b4a4c 100644
Binary files a/src/assets/images/waf/custom-rules/firewall-custom-rule-create.png and b/src/assets/images/waf/custom-rules/firewall-custom-rule-create.png differ
diff --git a/src/assets/images/waf/custom-rules/rate-limiting-create.png b/src/assets/images/waf/custom-rules/rate-limiting-create.png
index 986c13fa7093cd..922f939805f80b 100644
Binary files a/src/assets/images/waf/custom-rules/rate-limiting-create.png and b/src/assets/images/waf/custom-rules/rate-limiting-create.png differ
diff --git a/src/assets/images/waf/events-summary.png b/src/assets/images/waf/events-summary.png
index 3b6694d0144131..349b805d01abbe 100644
Binary files a/src/assets/images/waf/events-summary.png and b/src/assets/images/waf/events-summary.png differ
diff --git a/src/assets/images/waf/rate-limit-analytics.png b/src/assets/images/waf/rate-limit-analytics.png
index a939dc8d0ddbd6..7e14e5529a78a6 100644
Binary files a/src/assets/images/waf/rate-limit-analytics.png and b/src/assets/images/waf/rate-limit-analytics.png differ
diff --git a/src/assets/images/waf/waf-browse-rules.png b/src/assets/images/waf/waf-browse-rules.png
index abf9fb1a02d93d..2601ba66666c61 100644
Binary files a/src/assets/images/waf/waf-browse-rules.png and b/src/assets/images/waf/waf-browse-rules.png differ
diff --git a/src/assets/images/waf/waf-configure-ruleset.png b/src/assets/images/waf/waf-configure-ruleset.png
index 4f7847571eed66..6fa259aa4c45d7 100644
Binary files a/src/assets/images/waf/waf-configure-ruleset.png and b/src/assets/images/waf/waf-configure-ruleset.png differ
diff --git a/src/assets/images/waf/waf-exception-create.png b/src/assets/images/waf/waf-exception-create.png
index 251b0de2d67cd8..252928d9bc772e 100644
Binary files a/src/assets/images/waf/waf-exception-create.png and b/src/assets/images/waf/waf-exception-create.png differ
diff --git a/src/assets/images/waf/waf-modify-selected-rules.png b/src/assets/images/waf/waf-modify-selected-rules.png
index 97246a7f904fbb..ab297aaab1e387 100644
Binary files a/src/assets/images/waf/waf-modify-selected-rules.png and b/src/assets/images/waf/waf-modify-selected-rules.png differ
diff --git a/src/content/docs/security-center/infrastructure/security-file.mdx b/src/content/docs/security-center/infrastructure/security-file.mdx
index 9502fbef5f7e6f..820c01cb6cbf75 100644
--- a/src/content/docs/security-center/infrastructure/security-file.mdx
+++ b/src/content/docs/security-center/infrastructure/security-file.mdx
@@ -5,21 +5,35 @@ sidebar:
order: 4
---
+import { Tabs, TabItem } from "~/components";
+
To manage your [security.txt](https://en.wikipedia.org/wiki/Security.txt) file via the Cloudflare dashboard:
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain.
2. Go to **Security** > **Settings** > **Enable Security.txt**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain.
+2. Go to **Security** > **Settings** > **All settings** tab.
+3. Next to **Enable Security.txt**, select **Edit**.
+
+
+
From here, you can create and manage your `security.txt` file to provide the security research team with a standardized way to report vulnerabilities.
Fill in the following information:
- **(Required) Contact**: You can enter one of the following to contact you about security issues:
+
- An email address: The email address must start with `mailto:` (for example, `mailto:help@example.com`).
- A phone number: The phone number must start with `tel:` (for example, `tel:+1 1234567890`).
- A URL link: The URL link must start with `https://` (for example, `https://example.com`).
Select **Add more** to add multiple contacts.
+
- **(Required) Expires at**: Enter the expiration date and time of the `security.txt` file.
- **Encryption**: A link to a key which security researchers can use to communicate with you.
- **Acknowledgements**: A link to your acknowledgements page.
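Review bot: the `Tabs`/`TabItem` import is added at the top of this hunk, but no `<Tabs>`/`<TabItem>` wrapper is visible in the hunk body; the old-dashboard steps (ending at `Go to **Security** > **Settings** > **Enable Security.txt**`) and the new-dashboard steps (`**All settings** tab`, then `**Edit**`) are separated only by blank added lines. If the tab markup was dropped from this rendering, confirm it is present in the file; otherwise the import is unused and the two numbered lists render back to back with no labels. Two smaller points in the unchanged context: `tel:+1 1234567890` is not a valid `tel:` URI (RFC 3966 permits only `-`, `.`, `(` and `)` as visual separators, and RFC 9116 requires `Contact` values to be URIs), so an example such as `tel:+1-123-456-7890` would be safer; and "provide the security research team" reads as if there were a single team, where "security researchers" is what is meant.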
@@ -30,8 +44,18 @@ Fill in the following information:
Once you have entered the necessary information, select **Save**.
-To edit your security.txt file, select **Security** > **Settings** > **Edit Security.txt**.
+To edit your security.txt file:
+
+- Old dashboard: Select **Security** > **Settings** > **Edit Security.txt**.
+- New security dashboard: In the **All settings** tab, select **Edit** next to **Enable Security.txt**.
To download your security.txt file, select **Security** > **Settings** > **Download Security.txt**.
-To delete your security.txt file, select **Security** > **Settings** > **Delete Security.txt**.
+To delete your security.txt file:
+
+- Old dashboard:
+ - Select **Security** > **Settings** > **Delete Security.txt**.
+- New security dashboard:
+ 1. Select **Security** > **Settings** > **All settings** tab.
+ 2. Next to **Enable Security.txt**, select **Edit**.
+ 3. Select **Delete**.
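Review bot: the download instruction that sits between the edit and delete steps still gives a single path, `select **Security** > **Settings** > **Download Security.txt**`, while the edit and delete steps on either side of it now branch on old versus new dashboard. Either the download location is the same in both, in which case say so in a few words, or it needs the same two-bullet treatment as its neighbours; as written, a new-dashboard reader cannot tell whether the path applies to them.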
diff --git a/src/content/docs/security/analytics.mdx b/src/content/docs/security/analytics.mdx
index ae9c02149f08a7..4d7e61fe7754c9 100644
--- a/src/content/docs/security/analytics.mdx
+++ b/src/content/docs/security/analytics.mdx
@@ -32,20 +32,8 @@ For information on how to use the **Traffic** tab, refer to [Security Analytics]
If you need to modify existing security-related rules you already configured, consider also using the [Events](#events) tab. This tab displays information about requests affected by Cloudflare security products.
-### Suspicious activity
-
-The suspicious activity gives you information about suspicious requests that were identified by the Cloudflare detections you have enabled. The supported detections include:
-
-- [Account takeover](/bots/additional-configurations/detection-ids/#account-takeover-detections)
-- [Leaked credential check](/waf/detections/leaked-credentials/) (only for user and password leaked)
-- [Malicious uploads](/waf/detections/malicious-uploads/)
-- [WAF attack score](/waf/detections/attack-score/)
-- [Firewall for AI](/waf/detections/firewall-for-ai/)
-
-Each suspicious activity is classified with a severity score that can vary from critical to low. You can use the filter option to investigate further.
-
:::note
-The **Traffic** tab includes functionality available in the [Security Analytics](/waf/analytics/security-analytics/) page in the previous dashboard navigation structure. However, some page elements will appear in a different order, or they may be unavailable in the **Traffic** tab, such as Insights or the score-based analyses sidebar.
+The **Traffic** tab includes functionality available in the [Security Analytics](/waf/analytics/security-analytics/) page in the previous dashboard navigation structure.
:::
## Events
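Review bot: trimming the note to one sentence drops the only statement on this page that the **Traffic** tab lacks Insights and the score-based analyses sidebar, yet the companion hunk in `security-analytics.mdx` marks exactly those two sections as available only in the previous dashboard. Readers who look for them in the Traffic tab will not know they were removed rather than relocated; keep a short sentence naming what is missing, or point to the Suspicious activity section that replaces them. Also, with `### Suspicious activity` deleted here, nothing on this page links to its new home in Security Analytics; a one-line pointer under the Traffic tab text would keep that information reachable from the page where it used to live.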
diff --git a/src/content/docs/security/rules.mdx b/src/content/docs/security/rules.mdx
index ff8141c685be0b..994b00f21a4e57 100644
--- a/src/content/docs/security/rules.mdx
+++ b/src/content/docs/security/rules.mdx
@@ -8,7 +8,7 @@ description: Security rules perform security actions on incoming requests that m
Security rules perform security-related actions on incoming requests that match specified filters. Rules are evaluated and executed in order, from first to last.
-Security rules are available in **Security** > **Security rules**.
+Security rules are available in the new security dashboard in **Security** > **Security rules**.
## Security rules
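Review bot: "available in the new security dashboard in **Security** > **Security rules**" answers only half of what the line used to answer. Every other location change in this patch (security-file, security-events) lists both the old and the new dashboard path, so this line should either give the old-dashboard equivalent or state explicitly that the Security rules page exists only in the new dashboard and where the same rules are managed in the old one.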
diff --git a/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx b/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
index 3b95c9112bf9d4..1bfe5931305f43 100644
--- a/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
+++ b/src/content/docs/terraform/additional-configurations/waf-managed-rulesets.mdx
@@ -33,7 +33,7 @@ For more information on deploying and configuring managed rulesets using the Rul
-The IDs of WAF managed rulesets are also available in the [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) page.
+The IDs of WAF managed rulesets are also available in the [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) page.
### Import or delete existing rulesets
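Review bot: the anchor is changed from `#managed-rulesets` to `#available-managed-rulesets` here and in the two `waf/account/managed-rulesets` hunks below, but `/waf/managed-rules/` itself is not part of this patch, so nothing in the diff shows that a heading "Available managed rulesets" exists or that the old anchor was removed. Confirm the target heading, and grep the repo for any remaining `#managed-rulesets` links this patch did not touch.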
diff --git a/src/content/docs/waf/account/managed-rulesets/deploy-api.mdx b/src/content/docs/waf/account/managed-rulesets/deploy-api.mdx
index f6f2841cbed05f..84cd1fc018ae64 100644
--- a/src/content/docs/waf/account/managed-rulesets/deploy-api.mdx
+++ b/src/content/docs/waf/account/managed-rulesets/deploy-api.mdx
@@ -17,7 +17,7 @@ This feature requires an Enterprise plan with a paid add-on.
Use the [Rulesets API](/ruleset-engine/rulesets-api/) to deploy a WAF managed ruleset to the `http_request_firewall_managed` phase at the account level.
-The [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) page includes the IDs of the different WAF managed rulesets. You will need this information when deploying rulesets via API.
+The [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) page includes the IDs of the different WAF managed rulesets. You will need this information when deploying rulesets via API.
If you are using Terraform, refer to [WAF Managed Rules configuration using Terraform](/terraform/additional-configurations/waf-managed-rulesets/#deploy-managed-rulesets-at-the-account-level).
diff --git a/src/content/docs/waf/account/managed-rulesets/index.mdx b/src/content/docs/waf/account/managed-rulesets/index.mdx
index 5c6337d6d26ca4..b0cb95cf462bd8 100644
--- a/src/content/docs/waf/account/managed-rulesets/index.mdx
+++ b/src/content/docs/waf/account/managed-rulesets/index.mdx
@@ -15,7 +15,7 @@ This feature requires an Enterprise plan with a paid add-on.
## Account-level deployment
-At the account level, you can deploy each [WAF managed ruleset](/waf/managed-rules/#managed-rulesets) more than once. This means that you can apply the same managed ruleset with different configurations to different subsets of incoming traffic for the Enterprise zones in your account.
+At the account level, you can deploy each [WAF managed ruleset](/waf/managed-rules/#available-managed-rulesets) more than once. This means that you can apply the same managed ruleset with different configurations to different subsets of incoming traffic for the Enterprise zones in your account.
For example, you could deploy the [Cloudflare OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/) multiple times with different paranoia levels and a different action (_Managed Challenge_ action for PL3 and _Log_ action for PL4).
diff --git a/src/content/docs/waf/analytics/security-analytics.mdx b/src/content/docs/waf/analytics/security-analytics.mdx
index 34c136a346fcaf..3d39353d6583c2 100644
--- a/src/content/docs/waf/analytics/security-analytics.mdx
+++ b/src/content/docs/waf/analytics/security-analytics.mdx
@@ -18,8 +18,9 @@ Use the Security Analytics dashboard to:
- Analyze suspicious traffic and create tailored WAF custom rules based on applied filters.
- Learn more about Cloudflare's security scores (attack score, [bot score](/bots/concepts/bot-score/), [malicious uploads](/waf/detections/malicious-uploads/), and [leaked credentials](/waf/detections/leaked-credentials/) results) with real data.
- [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic.
+- Analyze suspicious traffic ([new security dashboard](/security/) only).
-If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products.
+If you need to modify existing security-related rules you already configured, consider also checking [Security Events](/waf/analytics/security-events/). This dashboard displays information about requests affected by Cloudflare security products.
## Availability
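Review bot: the new bullet `Analyze suspicious traffic ([new security dashboard](/security/) only)` duplicates the first bullet of the same list, `Analyze suspicious traffic and create tailored WAF custom rules based on applied filters`, so the reader sees the same capability twice with contradictory availability. Rename the new bullet to what the section added below actually describes, for example "Review the suspicious activity flagged by your enabled detections (new security dashboard only)", so the two bullets are distinguishable.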
@@ -44,10 +45,6 @@ To use Security Analytics:
Adjust the scope of analytics by manually entering filter conditions. You can also select **Filter** or **Exclude** to filter by a field value. These buttons appear when you hover the analytics data legend.
-:::note
-Alternatively, apply several filters at once from the [**Insights** section](#insights), which shows statistics for commonly used filters when doing security analyses.
-:::
-
To manually add a filter:
1. Select **Add filter**.
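Review bot: deleting the Insights cross-reference from the filter instructions is right for the new dashboard, but the **Insights** section itself remains on this page (now marked old-dashboard only), so old-dashboard readers lose the pointer that Insights applies several filters at once. Keeping the note with an "In the previous dashboard navigation structure, ..." qualifier would preserve it without misleading new-dashboard users.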
@@ -72,6 +69,42 @@ To create a [custom rule](/waf/custom-rules/) with an expression based on the fi
## Main dashboard areas
+The [new security dashboard](/security/) and the old dashboard have a few differences, including the order of the various sections on the Security Analytics page.
+
+### Suspicious activity
+
+:::note
+Only available in the [new security dashboard](/security/).
+:::
+
+The suspicious activity section gives you information about suspicious requests that were identified by the Cloudflare detections you have enabled. The supported detections include:
+
+- [Account takeover](/bots/additional-configurations/detection-ids/#account-takeover-detections)
+- [Leaked credential check](/waf/detections/leaked-credentials/) (only for user and password leaked)
+- [Malicious uploads](/waf/detections/malicious-uploads/)
+- [WAF attack score](/waf/detections/attack-score/)
+- [Firewall for AI](/waf/detections/firewall-for-ai/)
+
+Each suspicious activity is classified with a severity score that can vary from critical to low. You can use the filter option to investigate further.
+
+### Request activity
+
+The main chart displays the following data for the selected time frame, according to the selected tab:
+
+- **Traffic analysis**: Traffic mitigated by the Cloudflare security platform, served by Cloudflare, and served by the origin server, according to the following classification:
+
+ - **Mitigated by WAF**: Requests blocked or challenged by Cloudflare's application security products such as the WAF and HTTP DDoS protection. It does not include requests that had the following actions applied: _Log_, _Skip_, and _Allow_.
+ - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects.
+ - **Served by origin**: Requests served by your origin server.
+
+- **Attack analysis**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_.
+
+- **Bot analysis**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, _Likely human_, or _Verified bot_.
+
+- **Request rate analysis**: Displays data on the request rate for traffic matching the selected filters and time period. Use this tab to [find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic matching the applied filters.
+
+- **Cloudy analysis** (beta): Get insights about your application security by using plain language to interrogate your data. For more information, refer to [our blog post](https://blog.cloudflare.com/security-analytics-ai-assistant).
+
### Top statistics
This section presents top statistics about incoming requests highlighting relevant properties commonly used when performing a security analysis.
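Review bot: the tab list under **Request activity** silently renames the fourth tab from **Rate limit analysis** (its name in the `### Main chart` section this content was moved from, deleted further down) to **Request rate analysis**; if the label differs between the two dashboards, say which name appears where, otherwise old-dashboard readers will look for a tab this text no longer names. Two wording points in the moved Suspicious activity text: `(only for user and password leaked)` is ambiguous and reads better as the detection result it refers to, "(only requests where both username and password were leaked)"; and "a severity score that can vary from critical to low" describes levels rather than a numeric score, so "a severity level, from Critical to Low" is more accurate. Finally, the opening sentence "have a few differences, including the order of the various sections" would serve readers better as a short list of which sections appear in which dashboard, since this hunk and the ones below add availability notes section by section.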
@@ -86,6 +119,10 @@ Cloudflare calculates the top statistics from a sample of requests in the select
### Insights
+:::note
+Only available in the previous dashboard navigation structure.
+:::
+
The provided insights show statistics for commonly used filters when doing security analyses, without immediately applying these filters to the displayed data.
If you find a high value in one or more insights, this can mean that there is a set of suspicious requests that you should investigate. Additionally, these insights are a good starting point for applying a first set of filters to the dashboard.
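Review bot: the availability notes in this file say "Only available in the previous dashboard navigation structure", while the other files in this patch (security-file, security-events) use "Old dashboard" and "New security dashboard" as the two labels. Pick one pair of names for the two dashboards and use it in every note and bullet; otherwise a reader following a link between these pages cannot tell whether "previous dashboard navigation structure" and "old dashboard" are the same thing.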
@@ -94,30 +131,16 @@ To apply the filters for an insight to the data displayed in the Security Analyt
### Score-based analyses
+:::note
+Only available in the previous dashboard navigation structure.
+:::
+
The **Attack analysis**, **Bot analysis**, **Malicious uploads**, and **Account abuse detection** sections display statistics related to WAF attack scores, bot scores, WAF content scanning scores, and leaked credentials scanning of incoming requests for the selected time frame. All plans include access to the **Leaked credential check** under **Account abuse detection**. This feature detects login attempts using credentials that have been exposed online. For more information on what to do if you have credentials that have been leaked, refer to the [example mitigation rules page](/waf/detections/leaked-credentials/examples/).
You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack analysis** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50).
Additionally, you can use the slider tool below the chart to filter incoming requests according to the current metric. This allows you to filter traffic groups outside the predefined segments.
-### Main chart
-
-The main chart displays the following data for the selected time frame, according to the selected tab:
-
-- **Traffic analysis**: Traffic mitigated by the Cloudflare security platform, served by Cloudflare, and served by the origin server, according to the following classification:
-
- - **Mitigated by WAF**: Requests blocked or challenged by Cloudflare's application security products such as the WAF and HTTP DDoS protection. It does not include requests that had the following actions applied: _Log_, _Skip_, and _Allow_.
- - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects.
- - **Served by origin**: Requests served by your origin server.
-
-- **Attack analysis**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_.
-
-- **Bot analysis**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, _Likely human_, or _Verified bot_.
-
-- **Rate limit analysis**: Displays data on the request rate for traffic matching the selected filters and time period. Use this tab to [find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic matching the applied filters.
-
-- **Cloudy analysis** (beta): Get insights about your application security by using plain language to interrogate your data. For more information, refer to [our blog post](https://blog.cloudflare.com/security-analytics-ai-assistant).
-
### Logs
Security Analytics shows request logs for the selected time frame and applied filters, along with detailed information and security analyses of those requests.
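Review bot: marking **Score-based analyses** as old-dashboard only strands the sentence "All plans include access to the **Leaked credential check** under **Account abuse detection**" and its link to the mitigation examples, which are the only plan-availability statement and the only remediation pointer for leaked credentials on this page; new-dashboard readers now never reach them. Move or copy that sentence and link into the **Suspicious activity** section, which lists Leaked credential check for the new dashboard. Also, removing the `### Main chart` heading removes its `#main-chart` anchor; grep for inbound links to it before merging.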
diff --git a/src/content/docs/waf/analytics/security-events.mdx b/src/content/docs/waf/analytics/security-events.mdx
index d3d1a3c6f6e7bc..e846315a49d482 100644
--- a/src/content/docs/waf/analytics/security-events.mdx
+++ b/src/content/docs/waf/analytics/security-events.mdx
@@ -26,7 +26,10 @@ Available features vary according to your Cloudflare plan:
## Location in the dashboard
-Security Events is available for your zone in **Security** > **Events**.
+To open Security Events for a given zone:
+
+- Old dashboard: Go to **Security** > **Events**.
+- New security dashboard: Go to **Security** > **Analytics** > **Events** tab.
Additionally, Enterprise customers have access to the account-level dashboard in Account Home > **Security Center** > **Security Events**.
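Review bot: the zone-level location now branches on old versus new dashboard, but the account-level path that follows, `Account Home > **Security Center** > **Security Events**`, is left as a single path. If it is unchanged in the new dashboard, a short "in both dashboards" would stop readers from assuming it was simply missed.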
@@ -54,13 +57,16 @@ Take the following into account when entering filter values:
### Adjust report duration
-To adjust report duration, select the desired duration from the dropdown in **Security Events**. The default value is `Previous 24 hours`.
+To adjust report duration, select the desired duration from the dropdown. The default value is `Previous 24 hours`.
The available report duration values depend on your Cloudflare plan. Refer to [Availability](#availability) for details.
-## Create custom rule from current filters
+## Create security rule from current filters
+
+To create a [custom rule](/waf/custom-rules/create-dashboard/) based on your current filters and exclusions:
-To create a [custom rule](/waf/custom-rules/create-dashboard/) based on your current filters and exclusions, select **Create custom rule** in **Security Events**.
+- Old dashboard: Select **Create custom rule**.
+- New security dashboard: Select **Create custom security rule**.
## Events summary
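Review bot: renaming the heading to "Create security rule from current filters" changes its anchor from `#create-custom-rule-from-current-filters` to `#create-security-rule-from-current-filters`, so any page linking to the old anchor breaks; check for inbound links or keep the old heading text. The section also now uses three names for one thing: the heading says security rule, the first sentence says custom rule, and the two buttons are **Create custom rule** and **Create custom security rule**. Use "custom rule" in both heading and text, and confine the differing button labels to the two bullets.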
@@ -72,7 +78,7 @@ You can adjust the displayed data according to one of the values by selecting **
## Events by service
-The **Events by service** section lists the activity per Cloudflare security feature (for example, **Managed rules** or **API Shield**).
+The **Events by service** section lists the activity per Cloudflare security feature (for example, **Managed rules** or **Rate limiting rules**).
You can adjust the scope of Security Events to one of the displayed services by selecting **Filter** or **Exclude** when hovering the legend or by selecting the corresponding graph bar.
@@ -83,7 +89,7 @@ In **Top events by source** you can find details of the traffic flagged or actio
You can adjust the scope of Security Events to one of the listed source values by selecting **Filter** or **Exclude** when hovering the value.
:::note
-A deleted custom/firewall rule or rate limiting rule will show as `Rule unavailable` under **Firewall rules** or **Rate limit rules**. To check the changes made within your Cloudflare account, review your [Audit logs](/fundamentals/account/account-security/review-audit-logs/).
+A deleted custom rule or rate limiting rule will show as `Rule unavailable` under **Firewall rules** or **Rate limit rules**. To check the changes made within your Cloudflare account, review your [Audit logs](/fundamentals/account/account-security/review-audit-logs/).
:::
## Sampled logs
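Review bot: dropping "custom/firewall" from the note leaves "A deleted custom rule ... will show as `Rule unavailable` under **Firewall rules**" with no explanation of why a custom rule appears under a source called **Firewall rules**. Add a few words making the mapping explicit, for example "under **Firewall rules** (the source name used for custom rules)", since the legacy naming is the only link between the two terms once the word "firewall" is gone from the sentence.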
@@ -131,7 +137,12 @@ For example, after adding a filter for `Action equals Managed Challenge` and set
## Print or download PDF report
-To print or download a snapshot report from your security events dashboard, select **Print report** in **Security Events**. Your web browser's printing interface will present you with options for printing or downloading the PDF report.
+To print or download a snapshot report:
+
+- Old dashboard: Select **Print report**.
+- New security dashboard: Select the three dots > **Print report**.
+
+Your web browser's printing interface will present you with options for printing or downloading the PDF report.
The generated report will reflect all applied filters.
diff --git a/src/content/docs/waf/concepts.mdx b/src/content/docs/waf/concepts.mdx
index d4d76957ad8df4..255d7bb389686e 100644
--- a/src/content/docs/waf/concepts.mdx
+++ b/src/content/docs/waf/concepts.mdx
@@ -54,7 +54,7 @@ The WAF currently provides the following detections for finding security threats
To enable traffic detections in the Cloudflare dashboard, go to your domain > **Security** > **Settings**.
:::note
-Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details.
+Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from **Security** > **Settings**. Refer to the documentation of each feature for availability details.
:::
---
@@ -68,7 +68,7 @@ Cloudflare evaluates different types of rules when processing incoming requests.
3. [Custom rulesets](/waf/account/custom-rulesets/)
4. [Custom rules](/waf/custom-rules/)
5. [Rate limiting rules](/waf/rate-limiting-rules/)
-6. [WAF Managed Rules](/waf/managed-rules/)
+6. [Managed Rules](/waf/managed-rules/)
7. [Cloudflare Rate Limiting](/waf/reference/legacy/old-rate-limiting/) (previous version, deprecated)
Rules are evaluated in order. If there is a match for a rule with a [terminating action](/ruleset-engine/rules-language/actions/), the rule evaluation will stop and the action will be executed immediately. Rules with a non-terminating action (such as _Log_) will not prevent subsequent rules from being evaluated and executed. For more information on how rules are evaluated, refer to [Rule evaluation](/ruleset-engine/about/rules/#rule-evaluation) in the Ruleset Engine documentation.
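Review bot: list item 6 is changed from "WAF Managed Rules" to "Managed Rules", but the same product is still called "WAF Managed Rules" in the terraform and `waf/account/managed-rulesets` hunks of this patch and "WAF managed ruleset" in the sentence that follows them. One name throughout, or at least one name per page, would avoid the appearance of two different products in the evaluation order.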
diff --git a/src/content/docs/waf/custom-rules/create-dashboard.mdx b/src/content/docs/waf/custom-rules/create-dashboard.mdx
index 969c58e412a726..3f8c653b2c5a12 100644
--- a/src/content/docs/waf/custom-rules/create-dashboard.mdx
+++ b/src/content/docs/waf/custom-rules/create-dashboard.mdx
@@ -10,7 +10,9 @@ head:
content: Create a custom rule in the dashboard
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
@@ -18,6 +20,26 @@ import { Render } from "~/components";
3. To create a new empty rule, select **Create rule**. To duplicate an existing rule, select the three dots next to it > **Duplicate**.
+4. Enter a descriptive name for the rule in **Rule name**.
+
+ 
+
+5. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
+
+6. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting _Block_ tells Cloudflare to refuse requests that match the conditions you specified.
+
+7. (Optional) If you selected the _Block_ action, you can [configure a custom response](#configure-a-custom-response-for-blocked-requests).
+
+8. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. To create a new empty rule, select **Create rule** > **Custom rules**. To duplicate an existing rule, select the three dots next to it > **Duplicate**.
+
4.
Enter a descriptive name for the rule in **Rule name**.
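Review bot: the new-dashboard tab repeats steps 1 and 4 through 8 of the old-dashboard tab verbatim; only the navigation step (`Go to **Security** > **Security rules**`) and the create button (`**Create rule** > **Custom rules**`) differ. Duplicating the rule-building steps means every future change to the Field/Operator/Value or custom-response text must be made twice and will drift. Tab only the two steps that differ, or move the shared steps into a `Render` partial (the component is already imported in this file) and include it from both tabs. Also confirm that the pre-existing step whose number and text sit on separate lines at the end of this hunk ("4." followed by "Enter a descriptive name...") still numbers correctly once it is inside the new tab.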
@@ -31,6 +53,8 @@ import { Render } from "~/components";
8. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+
+
## Configure a custom response for blocked requests
:::note
diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx
index 5b8ae7245e0c77..f5936e0ff98b47 100644
--- a/src/content/docs/waf/custom-rules/index.mdx
+++ b/src/content/docs/waf/custom-rules/index.mdx
@@ -11,11 +11,6 @@ import { Render, FeatureTable } from "~/components";
Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/).
-:::note[Did you upgrade from Cloudflare Firewall Rules?]
-
-Refer to the [upgrade guide](/waf/reference/legacy/firewall-rules-upgrade/#main-differences) to learn more about the differences between firewall rules and custom rules.
-:::
-
To define sets of custom rules that apply to more than one zone, use [custom rulesets](/waf/account/custom-rulesets/), which require an Enterprise plan with a paid add-on.
## Availability
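Review bot: removing the "Did you upgrade from Cloudflare Firewall Rules?" note takes away the only pointer from the custom rules landing page to `/waf/reference/legacy/firewall-rules-upgrade/#main-differences`, while the security-events hunk in this same patch still shows custom rules surfacing under a **Firewall rules** source label. If the upgrade guide is still published, keep a one-line link so users who meet the legacy name can find the explanation; if it is being retired, the legacy references elsewhere should go in the same change.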
diff --git a/src/content/docs/waf/custom-rules/skip/index.mdx b/src/content/docs/waf/custom-rules/skip/index.mdx
index 53d13ade78cd44..f4cfc38e09cadf 100644
--- a/src/content/docs/waf/custom-rules/skip/index.mdx
+++ b/src/content/docs/waf/custom-rules/skip/index.mdx
@@ -14,7 +14,7 @@ Use the _Skip_ action in a custom rule to skip one or more security features. A
For more information on the available options, refer to [Available skip options](/waf/custom-rules/skip/options/).
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
@@ -32,6 +32,24 @@ For more information on the available options, refer to [Available skip options]
7. Save your changes.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. [Create a custom rule](/waf/custom-rules/create-dashboard/) by selecting **Create rule** > **Custom rules**, or edit an existing custom rule.
+
+4. Define the rule name and the rule expression.
+
+5. Under **Choose action**, select _Skip_ from the dropdown.
+
+ 
+
+6. Configure the desired [skip options](/waf/custom-rules/skip/options/).
+
+7. Save your changes.
+
Use the [Rulesets API](/ruleset-engine/rulesets-api/) to configure custom rules via API.
diff --git a/src/content/docs/waf/custom-rules/skip/options.mdx b/src/content/docs/waf/custom-rules/skip/options.mdx
index 6eecfd651daed6..c824d88697d250 100644
--- a/src/content/docs/waf/custom-rules/skip/options.mdx
+++ b/src/content/docs/waf/custom-rules/skip/options.mdx
@@ -36,15 +36,15 @@ The available skip options in custom rules are the following:
- Skips specific security products that are not based on the Ruleset Engine. The products you can skip are the following:
- - | Product name in the dashboard | API value |
- | ------------------------------------------------------------------------------------ | --------------- |
- | [Zone Lockdown](/waf/tools/zone-lockdown/) | `zoneLockdown` |
- | [User Agent Blocking](/waf/tools/user-agent-blocking/) | `uaBlock` |
- | [Browser Integrity Check](/waf/tools/browser-integrity-check/) | `bic` |
- | [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) | `hot` |
- | [Security Level](/waf/tools/security-level/) | `securityLevel` |
- | [Rate Limiting (previous version)](/waf/reference/legacy/old-rate-limiting/) | `rateLimit` |
- | [WAF managed rules (previous version)](/waf/reference/legacy/old-waf-managed-rules/) | `waf` |
+ - | Product name in the dashboard | API value |
+ | ---------------------------------------------------------------------------------- | --------------- |
+ | [Zone Lockdown](/waf/tools/zone-lockdown/) | `zoneLockdown` |
+ | [User Agent Blocking](/waf/tools/user-agent-blocking/) | `uaBlock` |
+ | [Browser Integrity Check](/waf/tools/browser-integrity-check/) | `bic` |
+ | [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) | `hot` |
+ | [Security Level](/waf/tools/security-level/) | `securityLevel` |
+ | [Rate limiting rules (Previous version)](/waf/reference/legacy/old-rate-limiting/) | `rateLimit` |
+ | [Managed rules (Previous version)](/waf/reference/legacy/old-waf-managed-rules/) | `waf` |
- The API values are case-sensitive.
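Review bot: the table is re-emitted with only the last two row labels changed ("Rate limiting rules (Previous version)", "Managed rules (Previous version)") and the column padding tightened, so the whole table shows as changed for a two-cell edit; leaving the alignment alone keeps the diff reviewable. The capitalised "(Previous version)" also differs from "(previous version, deprecated)" used for the same product in the `concepts.mdx` evaluation-order list; use the same casing and wording in both. The API values are untouched, which is correct, since they are case-sensitive and appear verbatim in rule configurations.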
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
index 22234d990e412d..24b24663916d91 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
@@ -11,7 +11,7 @@ This example skips WAF rules for requests from IP addresses in an allowlist (def
1. [Create an IP list](/waf/tools/lists/create-dashboard/) with the IP addresses for which you want to allow access.
For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#ip-lists).
-2. Create a custom rule skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example).
+2. [Create a custom rule](/waf/custom-rules/create-dashboard/) skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example).
- **Expression**: `(ip.src in $allowed_ips)`
- **Action**: _Skip:_
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
index 3a712a5b7e9186..8deeb82fb25001 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Allow traffic from specific countries only
---
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field, only allowing requests from two countries: United States and Mexico.
+This example custom rule blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field, only allowing requests from two countries: United States and Mexico.
- **Expression**: `(not ip.src.country in {"US" "MX"})`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
index bedb069cc927f2..1037f4ab91ab13 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
@@ -6,7 +6,7 @@ head:
content: Allow traffic from search engine bots and other verified bots
---
-This example challenges requests from a list of countries, but allows traffic from search engine bots — such as Googlebot and Bingbot — and from other [verified bots](/bots/concepts/bot/#verified-bots).
+This example custom rule challenges requests from a list of countries, but allows traffic from search engine bots — such as Googlebot and Bingbot — and from other [verified bots](/bots/concepts/bot/#verified-bots).
The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/) field to determine if the request originated from a known good bot or crawler.
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx b/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx
index 0c13c1e5f962fd..3aec86cd34fbc8 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-attack-score.mdx
@@ -7,7 +7,7 @@ import { GlossaryDefinition } from "~/components";
The [attack score](/waf/detections/attack-score/) helps identify variations of known attacks and their malicious payloads.
-This example blocks requests based on country code ([ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format), from requests with an attack score lower than 20. For more information, refer to [WAF attack score](/waf/detections/attack-score/).
+This example custom rule blocks requests based on country code ([ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format), from requests with an attack score lower than 20. For more information, refer to [WAF attack score](/waf/detections/attack-score/).
- **Expression**: `(ip.src.country in {"CN" "TW" "US" "GB"} and cf.waf.score lt 20)`
- **Action**: _Block_
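Review bot: the rewritten sentence still reads awkwardly ("blocks requests based on country code ..., from requests with an attack score lower than 20"); since the line is being touched anyway, say what the expression does: "blocks requests from the listed countries (`CN`, `TW`, `US`, `GB`) whose attack score is lower than 20". Also, the threshold here is `cf.waf.score lt 20`, while `attack-score.mdx` in this same change recommends blocking scores "less than or equal to 20" as the initial threshold; either align the operator (`le 20`) or say why this use case differs.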
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-ms-exchange-autodiscover.mdx b/src/content/docs/waf/custom-rules/use-cases/block-ms-exchange-autodiscover.mdx
index b9aff1116cf2b6..5666c8d67e1f59 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-ms-exchange-autodiscover.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-ms-exchange-autodiscover.mdx
@@ -5,7 +5,7 @@ title: Block Microsoft Exchange Autodiscover requests
In some cases, Microsoft Exchange Autodiscover service requests can be "noisy", triggering large numbers of `HTTP 404` (`Not found`) errors.
-This example blocks requests for `autodiscover.xml` and `autodiscover.src`:
+This example custom rule blocks requests for `autodiscover.xml` and `autodiscover.src`:
- **Expression**: `(ends_with(http.request.uri.path, "/autodiscover.xml") or ends_with(http.request.uri.path, "/autodiscover.src"))`
- **Action**: _Block_
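Review bot: the expression on the context line is a case-sensitive string comparison, so `ends_with(http.request.uri.path, "/autodiscover.xml")` does not match a capitalized spelling such as `/Autodiscover/Autodiscover.xml`, and those requests will keep producing the 404s the page is trying to suppress. The site-admin use case in this same change wraps the path in `lower()` for exactly this reason (to defeat case permutations of a path); do the same here: `ends_with(lower(http.request.uri.path), "/autodiscover.xml") or ends_with(lower(http.request.uri.path), "/autodiscover.src")`.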
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
index f0c7fa25d16450..cf10fde23e9125 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Block traffic from specific countries
---
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field.
+This example custom rule blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field.
- **Expression**: `(ip.src.country in {"KN" "SY"})`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
index c11b26c9e91203..3b0c6318cb5eef 100644
--- a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Challenge bad bots
---
-Cloudflare’s Bot Management feature scores the likelihood that a request originates from a bot.
+Cloudflare's Bot Management feature scores the likelihood that a request originates from a bot.
:::note
Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare Enterprise plan with Bot Management enabled.
@@ -28,7 +28,7 @@ Your rules may also vary based on the [nature of your site](/bots/get-started/bo
### General protection
-The following three rules provide baseline protection against malicious bots:
+The following three custom rules provide baseline protection against malicious bots:
**Rule 1:**
diff --git a/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx b/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx
index 44c76ecabe8e7b..d7af9f5119ae9e 100644
--- a/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx
@@ -4,11 +4,11 @@ source: https://support.cloudflare.com/hc/en-us/articles/115001376488-Configurin
title: Configure token authentication
---
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Example } from "~/components";
Token authentication allows you to restrict access to documents, files, and media to select users without requiring them to register. This helps protect paid/restricted content from leeching and unauthorized sharing.
-There are two options to configure token authentication: via Cloudflare Workers or via WAF custom rules.
+There are two options to configure token authentication: via Cloudflare Workers or via custom rules.
## Option 1: Configure using Cloudflare Workers
@@ -21,10 +21,10 @@ To get started with Workers, refer to [Configure a Worker](/workers/get-started/
:::note
-The code provided in the [Sign requests](/workers/examples/signing-requests/) example is compatible with the `is_timed_hmac_valid_v0()` function used in [Option 2](#option-2-configure-using-waf-custom-rules). This means that you can verify requests signed by the example Worker script using a WAF custom rule.
+The code provided in the [Sign requests](/workers/examples/signing-requests/) example is compatible with the `is_timed_hmac_valid_v0()` function used in [Option 2](#option-2-configure-using-custom-rules). This means that you can verify requests signed by the example Worker script using a custom rule.
:::
-## Option 2: Configure using WAF custom rules
+## Option 2: Configure using custom rules
Use the Rules language [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) HMAC validation function to validate hash-based message authentication code (HMAC) tokens in a custom rule expression.
@@ -32,15 +32,7 @@ Use the Rules language [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-langua
Access to the `is_timed_hmac_valid_v0()` HMAC validation function requires a Cloudflare Pro, Business, or Enterprise plan.
:::
-To validate token authentication:
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
-2. Go to **Security** > **WAF** > **Custom rules**.
-3. Select **Create rule**.
-4. Select **Edit expression** to switch to the [Expression Editor](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor).
-5. Enter the rule expression, making sure you include a call to the `is_timed_hmac_valid_v0()` function.
-6. Under **Then take action**, select an action such as _Block_.
-7. To save and deploy your rule, select **Deploy**.
+To validate token authentication, [create a custom rule](/waf/custom-rules/create-dashboard/) with a call to the `is_timed_hmac_valid_v0()` function in the rule expression. You can use an action such as _Block_.
### Example rule
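Review bot: collapsing the seven steps into one sentence drops the one detail a reader of this page needs: removed step 4 (`Select **Edit expression** to switch to the Expression Editor`) was the page's own hint that a function call such as `is_timed_hmac_valid_v0()` has to be entered in the Expression Editor, and the generic create-custom-rule link the new sentence points to is not specific to function calls. Suggest keeping that hint in the replacement, for example: "To validate token authentication, [create a custom rule](/waf/custom-rules/create-dashboard/), switch to the Expression Editor, and include a call to the `is_timed_hmac_valid_v0()` function in the rule expression."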
@@ -96,9 +88,9 @@ Then the token is valid and the `is_timed_hmac_valid_v0()` function returns `tru
## HMAC token generation
-The following examples show how you could generate tokens at your origin server for the path validated using the WAF custom rule described in the previous section:
+The following examples show how you could generate tokens at your origin server for the path validated using the custom rule described in the previous section:
-
+
```python
import hmac
@@ -116,7 +108,7 @@ token = urllib.parse.quote_plus(base64.b64encode(digest.digest()))
print("{}={}-{}".format(separator, timestamp, token))
```
-
+
```python
import hmac
@@ -134,7 +126,7 @@ param = urllib.urlencode({separator: '%s-%s' % (timestamp, base64.b64encode(dige
print(param)
```
-
+
```php
+
+
+
For a full example in JavaScript (JS) or TypeScript (TS), refer to the [Sign requests](/workers/examples/signing-requests/) example in the Workers documentation.
Since the example JS/TS implementation is compatible with `is_timed_hmac_valid_v0()` function, requests authenticated using the provided source code can be verified with a WAF custom rule and the `is_timed_hmac_valid_v0()` function.
+
+
This will generate a URL parameter such as the following:
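Review bot: the context line `requests authenticated using the provided source code can be verified with a WAF custom rule and the ...` still says "WAF custom rule", which is the wording this change removes everywhere else in the file (for example `-## Option 2: Configure using WAF custom rules` a few lines up). Update it to "a custom rule" in the same change so the page does not end up using both names.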
@@ -174,8 +170,8 @@ The authentication token parameter (`verify=` in the example) must be the
If you are on an Enterprise plan, you can test if URLs are being generated correctly on the origin server by doing the following:
-1. Set the WAF custom rule action to _Log_.
-2. Check the sampled logs in **Security** > **Events**.
+1. Set the custom rule action to _Log_.
+2. Check the sampled logs in [Security Events](/waf/analytics/security-events/).
---
diff --git a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
index bce35e011ce980..af2f876196e0cd 100644
--- a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
@@ -9,7 +9,7 @@ When enabled, [Cloudflare Hotlink Protection](/waf/tools/scrape-shield/hotlink-p
You can use custom rules to protect against hotlinking while allowing inline links from your partners. In this case, you will need to disable [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) within the **Scrape Shield** app so that partner referrals are not blocked by that feature.
-This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/reference/http.referer/) field to target HTTP referrals from partner sites.
+This example custom rule uses the [`http.referer`](/ruleset-engine/rules-language/fields/reference/http.referer/) field to target HTTP referrals from partner sites.
The `not` operator matches HTTP referrals that are not from partner sites, and the action blocks them:
@@ -18,4 +18,4 @@ The `not` operator matches HTTP referrals that are not from partner sites, and t
## Allow requests from partners using Configuration Rules
-Alternatively, you can create a [configuration rule](/rules/configuration-rules/) to exclude HTTP referrals from partner sites from Hotlink Protection. In this case, you would keep the Hotlink Protection feature enabled.
+Alternatively, you can [create a configuration rule](/rules/configuration-rules/create-dashboard/) to exclude HTTP referrals from partner sites from Hotlink Protection. In this case, you would keep the Hotlink Protection feature enabled.
diff --git a/src/content/docs/waf/custom-rules/use-cases/index.mdx b/src/content/docs/waf/custom-rules/use-cases/index.mdx
index 59fca2ac0e7633..167070b8887624 100644
--- a/src/content/docs/waf/custom-rules/use-cases/index.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/index.mdx
@@ -7,7 +7,7 @@ sidebar:
hideIndex: true
head:
- tag: title
- content: Common use cases for WAF custom rules
+ content: Common use cases for custom rules
---
import { DirectoryListing } from "~/components";
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
index a215f4157b9bb9..9ead8c8a861246 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
@@ -7,7 +7,7 @@ To secure a sensitive area such as a development area, you can share a cookie wi
Use the [`http.cookie`](/ruleset-engine/rules-language/fields/reference/http.cookie/) field to target requests based on the presence of a specific cookie.
-This example comprises two rules:
+This example comprises two custom rules:
- The first rule targets requests to `dev.www.example.com` that have a specific cookie key, `devaccess`. As long as the value of the cookie key contains one of three authorized users — `james`, `matt`, or `michael` — the expression matches and the request is allowed, skipping all other custom rules.
- The second rule blocks all access to `dev.www.example.com`.
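Review bot: the description of the first rule says the request is allowed "as long as the value of the cookie key contains one of three authorized users". If the expression really does a contains-style match on the cookie value, then `devaccess=notjames` or `devaccess=jamesxyz` also satisfies it; for a gate that then skips all other custom rules, the comparison should be an exact-value match, and the prose should say "equals" rather than "contains". Worth checking the expression below this hunk before merging the wording.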
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
index bf90dc5775c1c1..8001e17c55f239 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
@@ -7,7 +7,7 @@ Many organizations qualify traffic based on the presence of specific HTTP reques
## Example 1: Require presence of HTTP header
-This example uses the [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/) field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function converts the header name to lowercase so that the expression is case-insensitive.
+This example custom rule uses the [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/) field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function converts the header name to lowercase so that the expression is case-insensitive.
When the `X-CSRF-Token` header is missing, Cloudflare blocks the request.
@@ -16,11 +16,11 @@ When the `X-CSRF-Token` header is missing, Cloudflare blocks the request.
## Example 2: Require HTTP header with a specific value
-This example uses the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field to look for the presence of the `X-Example-Header` header and to get its value (if any). The keys in the `http.request.headers` field, corresponding to HTTP header names, are in lowercase.
-
-When the `X-Example-Header` header is missing or it does not have the value `example-value`, Cloudflare blocks the request.
+This example custom rule uses the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field to look for the presence of the `X-Example-Header` header and to get its value (if any). When the `X-Example-Header` header is missing or it does not have the value `example-value`, Cloudflare blocks the request.
- **Expression**: `not any(http.request.headers["x-example-header"][*] eq "example-value") and (http.request.uri.path eq "/somepath")`
- **Action**: _Block_
+The keys in the `http.request.headers` field, corresponding to HTTP header names, are in lowercase.
+
In this example the header name is case-insensitive, but the header value is case-sensitive.
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
index e8c4c18a0d259c..c434d211b03c12 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
@@ -9,7 +9,7 @@ By default, Cloudflare allows requests on a [number of different HTTP ports](/fu
You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/reference/cf.edge.server_port/) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports.
-This example blocks requests to `www.example.com` that are not on ports `80` or `443`:
+This example custom rule blocks requests to `www.example.com` that are not on ports `80` or `443`:
- **Expression**: `(http.host eq "www.example.com" and not cf.edge.server_port in {80 443})`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
index 52dfd5eb051d1f..48af7d5d098836 100644
--- a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx
@@ -5,13 +5,13 @@ title: Require known IP addresses in site admin area
If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site’s admin area by blocking requests for access to admin paths that do not come from a known IP address.
-The example below limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses.
-
-To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, use the [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function to convert the URI path to lowercase:
+This example custom rule limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses:
- **Expression**: `(not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))`
- **Action**: _Block_
+To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, the expression uses the [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function to convert the URI path to lowercase.
+
## Other resources
- [Use case: Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/)
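Review bot: the example IP set `{10.20.30.40 192.168.1.0/24}` on the expression context line is RFC 1918 private address space, which is not routable on the public internet and so is not what a client connecting to Cloudflare's edge will present as `ip.src`; the other use cases in this change (`update-rules-customers-partners.mdx`) use the RFC 5737 documentation address `203.0.113.1`, so use that range here as well (for example `{203.0.113.40 198.51.100.0/24}`) so a reader who copies the example sees a realistic public address rather than a LAN address. Since the surrounding text is being rewritten anyway, the context line "protect your site’s admin area" still carries a curly apostrophe while `challenge-bad-bots.mdx` in this change normalizes `Cloudflare’s` to ASCII; normalize it here too.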
diff --git a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
index a9e9e6fb2c66ce..f0e22e9100e4d2 100644
--- a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
@@ -25,7 +25,7 @@ This example combines three expressions to target HTTP `POST` requests that do n
http.request.method eq "POST"
```
-The three expressions are combined into a compound expression using the `and` operator. When an HTTP `POST` request to any of the specified URIs does not contain a properly formatted `auth_session` cookie, Cloudflare blocks the request:
+To generate the final custom rule expression for this example, the three expressions are combined into a compound expression using the `and` operator. When an HTTP `POST` request to any of the specified URIs does not contain a properly formatted `auth_session` cookie, Cloudflare blocks the request:
- **Expression**: `(http.request.method eq "POST" and http.request.uri.path matches "(comment|conversation|event|poll)/create" and not http.cookie matches "auth_session=[0-9a-zA-Z]{32}-[0-9]{10}-[0-9a-z]{6}")`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
index f0864350e28fe8..7f6d27f44d5883 100644
--- a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
@@ -11,7 +11,7 @@ Potential examples include:
- Sharing brand assets and marketing materials
:::caution
-The example rules in this page can bypass Cloudflare's security features and are generally not recommended. Use with caution.
+The example custom rules in this page can bypass Cloudflare's security features and are generally not recommended. Use with caution.
:::
## Use ASN in custom rules
@@ -25,7 +25,7 @@ This example uses:
- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure partner traffic does not come from bots.
-Example rule:
+Example custom rule:
- **Expression**: `(ip.src.asnum eq 64496 and cf.bot_management.score gt 30)`
- **Action**: _Skip:_
@@ -37,12 +37,12 @@ Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare E
### Adjust rules by ASN
-This example uses:
+This example custom rule uses:
- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to check if the request comes from a human.
-If a request meets these criteria, your custom rule skips [User Agent Blocking](/waf/tools/user-agent-blocking/) rules.
+If a request meets these criteria, the custom rule will skip [User Agent Blocking](/waf/tools/user-agent-blocking/) rules.
- **Expression**: `(ip.src.asnum eq 64496 and cf.bot_management.score gt 50)`
- **Action**: _Skip:_
@@ -59,7 +59,7 @@ This example:
- Specifies the source IP address and the host.
- Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure requests are not high-risk traffic.
-Example rule:
+Example custom rule:
- **Expression**: `(ip.src eq 203.0.113.1 and http.host eq "example.com" and cf.bot_management.score gt 30)`
- **Action**: _Skip:_
@@ -67,9 +67,9 @@ Example rule:
### Adjust rules by IP address
-This example specifies the source IP address and the host.
+This example custom rule specifies the source IP address and the host.
-If a request meets these criteria, it will skip [rate limiting rules](/waf/rate-limiting-rules/).
+If a request meets these criteria, the custom rule will skip [rate limiting rules](/waf/rate-limiting-rules/).
- **Expression**: `(ip.src eq 203.0.113.1 and http.host eq "example.com")`
- **Action**: _Skip:_
diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx
index 493a4c975fa863..a88fc664b5dd3b 100644
--- a/src/content/docs/waf/detections/attack-score.mdx
+++ b/src/content/docs/waf/detections/attack-score.mdx
@@ -72,7 +72,7 @@ Cloudflare does not recommend that you block traffic solely based on the WAF Att
### 1. Create a custom rule
-If you are an Enterprise customer, create a [WAF custom rule](/waf/custom-rules/create-dashboard/) that blocks requests with a **WAF Attack Score** less than or equal to 20 (recommended initial threshold). For example:
+If you are an Enterprise customer, [create a custom rule](/waf/custom-rules/create-dashboard/) that blocks requests with a **WAF Attack Score** less than or equal to 20 (recommended initial threshold). For example:
| Field | Operator | Value |
| ---------------- | --------------------- | ----- |
diff --git a/src/content/docs/waf/detections/firewall-for-ai.mdx b/src/content/docs/waf/detections/firewall-for-ai.mdx
index b52304dda8bb5b..67a8e49d7268b7 100644
--- a/src/content/docs/waf/detections/firewall-for-ai.mdx
+++ b/src/content/docs/waf/detections/firewall-for-ai.mdx
@@ -24,16 +24,15 @@ Firewall for AI is available in closed beta to Enterprise customers proxying tra
### 1. Turn on Firewall for AI
-
+
:::note
Firewall for AI is only available in the new [application security dashboard](/security/), currently in beta for users that opt in to the new user interface.
:::
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
-2. Go to **Security** > **Settings**.
-3. Under **Web application exploits**, select **Manage detections**.
-4. In **Firewall for AI**, select **Enable**.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Next to **Firewall for AI**, set the toggle to **On**.
@@ -62,11 +61,11 @@ The PII category for this request would be `EMAIL_ADDRESS`.
Then, use [Security Analytics](/waf/analytics/security-analytics/) in the new application security dashboard to validate that the WAF is correctly detecting prompts leaking PII data in incoming requests. Filter data by the `cf-llm` managed endpoint label and review the detection results on your traffic.
-Alternatively, create a WAF custom rule like the one described in the next step using a _Log_ action. This rule will generate [security events](/waf/analytics/security-events/) that will allow you to validate your configuration.
+Alternatively, create a custom rule like the one described in the next step using a _Log_ action. This rule will generate [security events](/waf/analytics/security-events/) that will allow you to validate your configuration.
### 3. Mitigate requests containing PII
-Create a [custom rule](/waf/custom-rules/) that blocks requests where Cloudflare detected personally identifiable information (PII) in the incoming request (as part of an LLM prompt), returning a custom JSON body:
+[Create a custom rule](/waf/custom-rules/create-dashboard/) that blocks requests where Cloudflare detected personally identifiable information (PII) in the incoming request (as part of an LLM prompt), returning a custom JSON body:
- **If incoming requests match**:
diff --git a/src/content/docs/waf/detections/index.mdx b/src/content/docs/waf/detections/index.mdx
index 4db5e42361e446..fd2b8ff2e44f89 100644
--- a/src/content/docs/waf/detections/index.mdx
+++ b/src/content/docs/waf/detections/index.mdx
@@ -8,11 +8,11 @@ head:
content: Traffic detections
---
-import { DirectoryListing, FeatureTable } from "~/components";
+import { DirectoryListing, FeatureTable, Tabs, TabItem } from "~/components";
-WAF traffic detections check incoming requests for malicious or potentially malicious activity. Each enabled detection provides one or more scores — available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard — that you can use in WAF rule expressions.
+Traffic detections check incoming requests for malicious or potentially malicious activity. Each enabled detection provides one or more scores — available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard — that you can use in rule expressions.
-The WAF currently provides the following detections for finding security threats in incoming requests:
+Cloudflare currently provides the following detections for finding security threats in incoming requests:
@@ -26,17 +26,27 @@ For more information on bot score, refer to the [Bots documentation](/bots/conce
To turn on a traffic detection:
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Under **Incoming traffic detections**, turn on the desired detections.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Turn on the desired detections.
+
+
+
Enabled detections will run for all incoming traffic.
:::note[Notes]
On Free plans, the leaked credentials detection is enabled by default, and no action is required.
-Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details.
+Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Settings** page. Refer to the documentation of each feature for availability details.
:::
diff --git a/src/content/docs/waf/detections/leaked-credentials/examples.mdx b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
index dc62efd59d675f..9592aa394e8e77 100644
--- a/src/content/docs/waf/detections/leaked-credentials/examples.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
@@ -17,7 +17,7 @@ import { Example } from "~/components";
Access to the `cf.waf.credential_check.username_and_password_leaked` field requires a Pro plan or above.
:::
-Create a [rate limiting rule](/waf/rate-limiting-rules/) using [account takeover (ATO) detection](/bots/additional-configurations/detection-ids/#account-takeover-detections) and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries.
+[Create a rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) using [account takeover (ATO) detection](/bots/additional-configurations/detection-ids/#account-takeover-detections) and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries.
The following example rule applies rate limiting to requests with a specific [ATO detection ID](/bots/additional-configurations/detection-ids/#account-takeover-detections) (corresponding to `Observes all login traffic to the zone`) that contain a previously leaked username and password:
@@ -41,7 +41,7 @@ When rate exceeds:
Access to the _User and Password Leaked_ (`cf.waf.credential_check.username_and_password_leaked`) field requires a Pro plan or above.
:::
-Create a [custom rule](/waf/custom-rules/) that challenges requests containing a previously leaked set of credentials (username and password).
+[Create a custom rule](/waf/custom-rules/create-dashboard/) that challenges requests containing a previously leaked set of credentials (username and password).
- **Expression**: If you use the Expression Builder, configure the following expression:
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
index 41c254468f1cda..24378dcf6f4c1d 100644
--- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -20,17 +20,22 @@ To achieve optimal latency performance, Cloudflare recommends that you turn off
## 2. Validate the leaked credentials detection behavior
-Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to validate that the WAF is correctly detecting leaked credentials in incoming requests.
+Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to validate that Cloudflare is correctly detecting leaked credentials in incoming requests.
Refer to [Test your configuration](#test-your-configuration) for more information on the test credentials you can use to validate your configuration.
-Alternatively, create a WAF custom rule like the one described in the next step using a _Log_ action (only available to Enterprise customers). This rule will generate firewall events (available in **Security** > **Events**) that will allow you to validate your configuration.
+Alternatively, create a custom rule like the one described in the next step using a _Log_ action (only available to Enterprise customers). This rule will generate [security events](/waf/analytics/security-events/) that will allow you to validate your configuration.
## 3. Mitigate requests with leaked credentials
-If you are on a Free plan, deploy the suggested [rate limiting rule](/waf/rate-limiting-rules/) template available in **WAF** > **Rate limiting rules**. When you deploy a rule using this template, you get instant protection against IPs attempting to access your application with a leaked password more than five times per 10 seconds. This rule can delay attacks by blocking them for a period of time. Alternatively, you can create a custom rule.
+If you are on a Free plan, deploy the suggested [rate limiting rule](/waf/rate-limiting-rules/) template available in:
-Paid plans have access to more granular controls when creating a WAF rule. If you are on a paid plan, create a [custom rule](/waf/custom-rules/) that challenges requests containing leaked credentials:
+- Old dashboard: **WAF** > **Rate limiting rules**
+- New security dashboard: **Security** > **Security rules**
+
+When you deploy a rule using this template, you get instant protection against IPs attempting to access your application with a leaked password more than five times per 10 seconds. This rule can delay attacks by blocking them for a period of time. Alternatively, you can create a custom rule.
+
+Paid plans have access to more granular controls when creating a rule. If you are on a paid plan, [create a custom rule](/waf/custom-rules/create-dashboard/) that challenges requests containing leaked credentials:
| Field | Operator | Value |
| ------------------------ | -------- | ----- |
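Review bot: the Free-plan step in this hunk presents the two dashboard paths as an inline bullet list (`Old dashboard: **WAF** > **Rate limiting rules**` / `New security dashboard: **Security** > **Security rules**`), while every other old/new split in this change uses the Tabs/TabItem components imported elsewhere in the PR, including the custom detection location steps further down this same file. Use the tabbed layout here too, or the page will switch between two conventions for the same distinction within a few screens.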
@@ -44,7 +49,7 @@ If you use the Expression Editor, enter the following expression:
Rule action: _Managed Challenge_
-This rule will match requests where the WAF detects a previously leaked set of credentials (username and password). For a list of fields provided by leaked credentials detection, refer to [Leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields).
+This rule will match requests where Cloudflare detects a previously leaked set of credentials (username and password). For a list of fields provided by leaked credentials detection, refer to [Leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields).
@@ -78,7 +83,7 @@ For additional examples, refer to [Example mitigation rules](/waf/detections/lea
Additionally, you may want to handle leaked credentials detected by Cloudflare at your [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
-1. Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header).
+1. [Turn on](/rules/transform/managed-transforms/configure/) the **Add Leaked Credentials Checks Header** managed transform.
2. For requests received at your origin server containing the `Exposed-Credential-Check` header, you could redirect your end users to your reset password page when detecting previously leaked credentials.
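Review bot: step 2 needs a caveat that the origin must only honour `Exposed-Credential-Check` on requests that actually arrived through Cloudflare; any client that can reach the origin directly can send (or omit) that header itself, so the redirect-to-password-reset logic described here should only be wired up when direct origin access is blocked (for example by restricting the origin to Cloudflare's network or using authenticated origin pulls). Also, changing the link from the managed transform reference anchor to the configure page drops the only pointer to where the header's possible values are documented; keep a reference link alongside the configure link, since the check-for-exposed-credentials hunk in this same change points out that the managed transform sets values from `1` to `4` depending on plan.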
@@ -86,7 +91,7 @@ Additionally, you may want to handle leaked credentials detected by Cloudflare a
To check for leaked credentials in a way that is not covered by the default configuration, add a [custom detection location](/waf/detections/leaked-credentials/#custom-detection-locations).
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings**.
@@ -108,6 +113,29 @@ To check for leaked credentials in a way that is not covered by the default conf
5. Select **Save**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Under **Leaked Credential Detection** > **Configurations**, select the edit icon.
+4. Select **Add custom username and password location**.
+5. In **Username location** and **Password location** (optional), enter expressions for obtaining the username and the password from the HTTP request. For example, you could use the following expressions:
+
+ - Username location:
+ `lookup_json_string(http.request.body.raw, "user")`
+ - Password location:
+ `lookup_json_string(http.request.body.raw, "secret")`
+
+ This configuration will scan incoming HTTP requests containing a JSON body with a structure similar to the following:
+
+ ```js
+ {"user": "", "secret": ""}
+ ```
+
+ Refer to the [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) documentation for more information on this function.
+
+6. Select **Save**.
+
Use a `POST` request similar to the following:
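Review bot: the fence in new step 5 is tagged `js` but its body `{"user": "", "secret": ""}` is a JSON request body, so tag it `json`. Separately, the new-dashboard step 3 names the section **Leaked Credential Detection** while the parallel steps added for malicious uploads in this change use the **Malicious uploads detection** form; confirm both strings match the dashboard labels and use one capitalisation style.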
@@ -159,4 +187,4 @@ Test credentials for users on paid plans (will not work on Free plans):
- Username: `CF_EXPOSED_USERNAME` or `CF_EXPOSED_USERNAME@example.com`
- Password: `CF_EXPOSED_PASSWORD`
-The Cloudflare WAF considers these specific credentials as having been previously leaked. Use them in your tests to check the behavior of your current configuration.
+Cloudflare considers these specific credentials as having been previously leaked. Use them in your tests to check the behavior of your current configuration.
diff --git a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
index 3ff967920c4c84..3a29accd0d000c 100644
--- a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
@@ -16,12 +16,18 @@ WAF content scanning is available to customers on an Enterprise plan with a paid
## 1. Turn on the detection
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Under **Incoming traffic detections**, turn on **Malicious uploads**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Next to **Malicious uploads detection**, set the toggle to **On**.
+
Use a `POST` request similar to the following:
@@ -40,11 +46,11 @@ Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to va
You can use the [EICAR anti-malware test file](https://www.eicar.org/download-anti-malware-testfile/) to test content scanning (select the ZIP format).
-Alternatively, create a WAF custom rule like described in the next step using a _Log_ action instead of a mitigation action like _Block_. This rule will generate security events (available in **Security** > **Events**) that will allow you to validate your configuration.
+Alternatively, create a custom rule like described in the next step using a _Log_ action instead of a mitigation action like _Block_. This rule will generate [security events](/waf/analytics/security-events/) that will allow you to validate your configuration.
-## 3. Create a WAF custom rule
+## 3. Create a custom rule
-Create a WAF [custom rule](/waf/custom-rules/) that blocks detected malicious content objects uploaded to your application.
+[Create a custom rule](/waf/custom-rules/create-dashboard/) that blocks detected malicious content objects uploaded to your application.
For example, create a custom rule with the _Block_ action and the following expression:
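Review bot: `create a custom rule like described in the next step` (carried over unchanged from the removed line) should read `like the one described in the next step`, matching the wording used for the same sentence in leaked-credentials/get-started.mdx in this change.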
@@ -58,7 +64,9 @@ If you use the Expression Editor, enter the following expression:
(cf.waf.content_scan.has_malicious_obj)
```
-This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields).
+Rule action: _Block_
+
+This rule will match requests where Cloudflare detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields).
@@ -98,7 +106,7 @@ For additional examples, refer to [Example rules](/waf/detections/malicious-uplo
To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/detections/malicious-uploads/#custom-scan-expressions).
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
@@ -116,6 +124,20 @@ To check uploaded content in a way that is not covered by the default configurat
6. Select **Save**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Under **Malicious uploads detection** > **Configurations**, select the edit icon.
+4. Select **Add content location**.
+5. In **Content location**, enter your custom scan expression. For example:
+
+ ```txt
+ lookup_json_string(http.request.body.raw, "file")
+ ```
+
+6. Select **Save**.
+
Use a `POST` request similar to the following:
diff --git a/src/content/docs/waf/detections/malicious-uploads/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx
index 64b182999984d8..1490d9c3830467 100644
--- a/src/content/docs/waf/detections/malicious-uploads/index.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx
@@ -25,7 +25,7 @@ For every request with one or more detected content objects, the content scanner
Cloudflare uses the same [anti-virus (AV) scanner used in Cloudflare Zero Trust](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) for WAF content scanning.
-:::caution
+:::note
Content scanning will not apply any mitigation actions to requests with content objects considered malicious. It only provides a signal that you can use to define your attack mitigation strategy. You must create rules — [custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/) — to perform actions based on detected signals.
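Review bot: downgrading this callout from `:::caution` to `:::note` weakens the one statement a reader must not miss: turning on Malicious uploads only produces a signal, and until a custom rule or rate limiting rule acts on `cf.waf.content_scan.has_malicious_obj` no upload is blocked. Keep this one as a caution; the parallel downgrade in check-for-exposed-credentials/index.mdx in this change is fine because that callout is only a compatibility remark about header values.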
diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx
index 57c4bb8582da94..a64979f443cf94 100644
--- a/src/content/docs/waf/get-started.mdx
+++ b/src/content/docs/waf/get-started.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 2
---
-import { Details, GlossaryTooltip } from "~/components";
+import { Details, GlossaryTooltip, Tabs, TabItem } from "~/components";
The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and API requests and filters undesired traffic based on sets of rules called rulesets.
@@ -27,10 +27,20 @@ This guide focuses on configuring WAF for individual domains, known as
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **WAF** and select the **Managed rules** tab.
3. Under **Managed Rulesets**, select **Deploy** next to the Cloudflare Managed Ruleset.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Web application exploits**.
+3. Next to **Cloudflare managed ruleset**, set the toggle to **On**.
+
+
+
By default, the Cloudflare Managed Ruleset enables only a subset of rules and it is designed to strike a balance between protection and false positives. You can review and enable additional rules based on your application technology stack.
@@ -60,16 +70,13 @@ If you are an Enterprise customer, do the following:
2. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the Attack Score field:
- 1. Go to your domain > **Security** > **WAF** and select the **Custom rules** tab.
- 2. Create a rule with the following configuration:
-
- - **If incoming requests match**:
+ - **If incoming requests match**:
- | Field | Operator | Value |
- | ------------ | --------- | ----- |
- | Attack Score | less than | `20` |
+ | Field | Operator | Value |
+ | ---------------- | --------- | ----- |
+ | WAF Attack Score | less than | `20` |
- - **Choose action**: Block
+ - **Choose action**: Block
If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/detections/attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`.
@@ -81,9 +88,7 @@ Bot score is only available to Enterprise customers with [Bot Management](/bots/
Customers with access to [Bot Management](/bots/get-started/bot-management/) can block automated traffic (for example, from [bots scraping online content](https://www.cloudflare.com/learning/bots/what-is-content-scraping/)) using a custom rule with bot score, preventing this traffic from hitting your application.
-1. Go to your domain > **Security** > **WAF** and select the **Custom rules** tab.
-
-2. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the Bot Score and Verified Bot fields:
+1. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the Bot Score and Verified Bot fields:
- **If incoming requests match**:
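Review bot: with the former step 1 removed, the surviving item is renumbered to `1.`; check that any list items that follow this hunk (not shown) are renumbered as well, otherwise the list jumps from 1 to 3.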
@@ -108,10 +113,20 @@ After configuring the Cloudflare Managed Ruleset and attack score, you can also
The Cloudflare OWASP Core Ruleset is prone to false positives and offers only marginal benefits when added on top of Cloudflare Managed Ruleset and WAF attack score. If you decide to deploy this managed ruleset, you will need to monitor and adjust its settings based on your traffic to prevent false positives.
:::
+
+
1. Go to your domain > **Security** > **WAF** and select the **Managed rules** tab.
2. Under **Managed Rulesets**, select **Deploy** next to the Cloudflare OWASP Core Ruleset.
This will deploy the ruleset with the default configuration: paranoia level = _PL1_ and score threshold = _Medium - 40 and higher_.
+
+
+1. Go to your domain > **Security** > **Settings** and filter by **Web application exploits**.
+2. Next to **OWASP Core**, set the toggle to **On**.
+ This will deploy the Cloudflare OWASP Core Ruleset with the default configuration: paranoia level = _PL1_ and score threshold = _Medium - 40 and higher_.
+
+
+
Unlike the signature-based Cloudflare Managed Ruleset, the Cloudflare OWASP Core Ruleset is score-based. You select a certain paranoia level (levels vary from _PL1_ to _PL4_, where _PL1_ is the lowest level), which enables an increasing larger group of rules. You also select a score threshold, which decides when to perform the configured action. Low paranoia with a high score threshold usually leads to fewer false positives. For an example of how the OWASP Core Ruleset is evaluated, refer to [OWASP evaluation example](/waf/managed-rules/reference/owasp-core-ruleset/example/).
@@ -158,7 +173,7 @@ Create a rate limiting rule to [apply rate limiting on a login endpoint](/waf/ra
### Prevent credential stuffing attacks
-Use [leaked credential checks](/waf/managed-rules/check-for-exposed-credentials/) to prevent credential stuffing attacks on your applications.
+Use [leaked credentials detection](/waf/detections/leaked-credentials/) to prevent credential stuffing attacks on your applications.
### Prevent users from uploading malware into your applications
@@ -174,6 +189,6 @@ Available to Enterprise customers with a paid add-on.
Available to Enterprise customers.
:::
-The Cloudflare WAF protects your APIs from new and known application attacks and exploits such as SQL injection attacks. API-specific security products extend those protections to the unique risks in APIs such as API discovery and authentication management.
+Cloudflare protects your APIs from new and known application attacks and exploits such as SQL injection attacks. API-specific security products extend those protections to the unique risks in APIs such as API discovery and authentication management.
For more information on Cloudflare's API security features, refer to [Cloudflare API Shield](/api-shield/).
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
index 4f6a13112f2549..42da802da4be53 100644
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
@@ -29,8 +29,8 @@ The WAF can perform one of the following actions when it detects exposed credent
- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. The action name is `Rewrite` in [Security Events](/waf/analytics/security-events/).
- :::caution
- While the header name is the same as when using the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header), the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan.
+ :::note
+ While the header name is the same as when using the [Add Leaked Credentials Checks Header](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) managed transform, the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan.
:::
- **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria.
diff --git a/src/content/docs/waf/managed-rules/deploy-api.mdx b/src/content/docs/waf/managed-rules/deploy-api.mdx
index 8e42d7566e8ffb..395491b9909fc7 100644
--- a/src/content/docs/waf/managed-rules/deploy-api.mdx
+++ b/src/content/docs/waf/managed-rules/deploy-api.mdx
@@ -15,7 +15,7 @@ Use the [Rulesets API](/ruleset-engine/rulesets-api/) to deploy a managed rulese
Deploy WAF managed rulesets to the `http_request_firewall_managed` phase. Other managed rulesets, like DDoS Attack Protection managed rulesets, must be deployed to a different phase. Refer to the specific managed ruleset documentation for details.
-The [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) page includes the IDs of the different WAF managed rulesets. You will need this information when deploying the rulesets via API.
+The [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) page includes the IDs of the different WAF managed rulesets. You will need this information when deploying the rulesets via API.
If you are using Terraform, refer to [WAF Managed Rules configuration using Terraform](/terraform/additional-configurations/waf-managed-rulesets/).
diff --git a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
index 9587a865ef4f32..70b2d0eca58f14 100644
--- a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
+++ b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
@@ -9,29 +9,47 @@ head:
content: Deploy a WAF managed ruleset in the dashboard
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
-You can deploy and configure managed rulesets for a zone in **Security** > **WAF** > **Managed rules**.
+The instructions on this page will guide you through deploying and configuring a managed ruleset for a zone.
To deploy a managed ruleset for several Enterprise domains in your account, refer to [Deploy a managed ruleset in the dashboard for an account](/waf/account/managed-rulesets/deploy-dashboard/).
-
-
## Deploy a managed ruleset
To deploy a managed ruleset with the default configuration:
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **WAF** > **Managed rules**.
3. Under **Managed Rulesets**, select **Deploy** next to a managed ruleset.
-This operation will deploy the managed ruleset for the current zone, creating a new rule with the _Execute_ action.
+ 
+
+This operation deploys the managed ruleset for the current zone, creating a new rule with the _Execute_ action.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Next to the managed ruleset you want to deploy, set the toggle to **On**.
+
+
## Turn on or off a managed ruleset
-Select the **Enabled** toggle next to a managed ruleset to turn it on or off.
+
+
+In the **Managed rules** tab, next to the managed ruleset you want to turn on or off, switch the **Enabled** toggle.
+
+
+
+In the **Settings** page, next to the managed ruleset you want to turn on or off, set the toggle to **On** or **Off**, respectively.
+
+
## Configure a managed ruleset
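Review bot: step 2 of the new-dashboard deploy tab tells the reader to filter **Security** > **Settings** by **Detections**, but the two equivalent procedures added to waf/get-started.mdx in this change (Cloudflare managed ruleset and OWASP Core) filter by **Web application exploits**; one of these is wrong, and the ruleset names suggest Web application exploits is the right one. The new-dashboard tab also loses the sentence that deploying creates a rule with the _Execute_ action (it now sits only inside the old-dashboard tab), yet the new-dashboard configure and delete steps later in this file tell the reader to look for an _Execute_ rule in the Security rules table; repeat that sentence in the new tab so the reader knows what they are looking for.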
@@ -40,10 +58,9 @@ Configure a managed ruleset to:
- Specify a custom filter expression to apply the rules in the ruleset to a subset of incoming requests.
- Define specific field values for one or more rules (for example, configure a rule with an action different from the action configured by Cloudflare), or turn off those rules.
-To skip one or more rules — or even entire WAF managed rulesets — for specific incoming requests, [add an exception](/waf/managed-rules/waf-exceptions/).
+To skip one or more rules — or even entire managed rulesets — for specific incoming requests, [add an exception](/waf/managed-rules/waf-exceptions/).
:::note
-
Some managed rulesets may not allow custom configuration, depending on your Cloudflare plan.
:::
@@ -51,6 +68,8 @@ Some managed rulesets may not allow custom configuration, depending on your Clou
To configure rule field values for all the rules in a managed ruleset:
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **WAF** > **Managed rules**.
@@ -67,26 +86,87 @@ To configure rule field values for all the rules in a managed ruleset:
6. If you are editing a deployed managed ruleset, select **Save**. If you have not deployed the managed ruleset yet, select **Deploy** to deploy the ruleset immediately, or **Save as Draft** to save your deployment settings for later.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. In the rules table, search for the managed ruleset you want to configure. Look for a rule with an _Execute_ action. At the top of the page, you can filter the rules to show **Managed rules** only.
+
+4. Select the rule name (containing the name of the managed ruleset).
+
+5. (Optional) To execute the managed ruleset for a subset of incoming requests, select **Edit scope** and [configure the expression](/ruleset-engine/rules-language/expressions/edit-expressions/) that will determine the scope of the current rule deploying the managed ruleset.
+
+6. In the ruleset configuration section, define settings for all the rules in the ruleset by setting one or more fields using the drop-down lists.
+
+ For example, select the action to perform for all the rules in the ruleset from the **Ruleset action** drop-down list.
+
+ 
+
+7. Select **Save**.
+
+
+
### Configure rules in bulk in a managed ruleset
+
+
+
+
+
+
+
+
+
+
### Configure a single rule in a managed ruleset
+
+
+
+
+
+
+
+
+
+
### Browse the rules of a managed ruleset
You can browse the available rules in a managed ruleset and search for individual rules or tags.
+
+
+
+
+
+
+
+
### Delete a managed ruleset deployment rule or an exception
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
2. Go to **Security** > **WAF** > **Managed rules**.
3. Next to the rule or exception (skip rule) you want to delete, select the three dots > **Delete** and confirm the operation.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Security rules**.
+3. In the rules table, search for the managed ruleset you want to configure/browse. At the top of the page, you can filter the rules to show **Managed rules** only.
+4. Next to the managed ruleset deployment rule (execute rule) or exception (skip rule) you want to delete, select the three dots > **Delete** and confirm the operation.
+
+
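Review bot: step 3 of the new-dashboard delete procedure says `search for the managed ruleset you want to configure/browse`, which was copied from the configure steps earlier in this hunk; it should say `delete`. In the new-dashboard configure steps, step 5 (**Edit scope**) would benefit from one sentence stating that requests outside the scope expression are not evaluated by the managed ruleset at all, which is a different thing from adding an exception as described at the top of this file; a reader who narrows the scope to a single path may not realise the rest of the site is then no longer covered by that ruleset.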
diff --git a/src/content/docs/waf/managed-rules/index.mdx b/src/content/docs/waf/managed-rules/index.mdx
index d18199d817269b..fab375e024bb3b 100644
--- a/src/content/docs/waf/managed-rules/index.mdx
+++ b/src/content/docs/waf/managed-rules/index.mdx
@@ -1,34 +1,32 @@
---
pcx_content_type: concept
-title: WAF Managed Rules
+title: Managed Rules
sidebar:
order: 7
group:
label: Managed rules
head:
- tag: title
- content: WAF Managed Rules
+ content: Managed Rules
---
import { FeatureTable, Render, RuleID } from "~/components";
-## Managed rulesets
-
-Cloudflare provides the following managed rulesets in the WAF:
+## Available managed rulesets
- [**Cloudflare Managed Ruleset**](/waf/managed-rules/reference/cloudflare-managed-ruleset/): Created by the Cloudflare security team, this ruleset provides fast and effective protection for all of your applications. The ruleset is updated frequently to cover new vulnerabilities and reduce false positives.
Ruleset ID:
- [**Cloudflare OWASP Core Ruleset**](/waf/managed-rules/reference/owasp-core-ruleset/): Cloudflare's implementation of the Open Web Application Security Project, or OWASP ModSecurity Core Rule Set. Cloudflare routinely monitors for updates from OWASP based on the latest version available from the official code repository.
Ruleset ID:
-- [**Cloudflare Exposed Credentials Check**](/waf/managed-rules/reference/exposed-credentials-check/): Deploy an automated credentials check on your end-user authentication endpoints. For any credential pair, the Cloudflare WAF performs a lookup against a public database of stolen credentials.
Ruleset ID:
+- [**Cloudflare Exposed Credentials Check**](/waf/managed-rules/reference/exposed-credentials-check/): Deploy an automated credentials check on your end-user authentication endpoints. For any credential pair, the Cloudflare WAF performs a lookup against a public database of stolen credentials. Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of this ruleset.
Ruleset ID:
- **Cloudflare Free Managed Ruleset**: Available on all Cloudflare plans. Designed to provide mitigation against high and wide impacting vulnerabilities. The rules are safe to deploy on most applications. If you deployed the Cloudflare Managed Ruleset for your site, you do not need to deploy this managed ruleset.
Ruleset ID:
The following managed rulesets run in a response phase:
-- [**Cloudflare Sensitive Data Detection**](/waf/managed-rules/reference/sensitive-data-detection/): Created by Cloudflare to address common data loss threats. These rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Available in **Security** > **Sensitive Data**.
Ruleset ID:
+- [**Cloudflare Sensitive Data Detection**](/waf/managed-rules/reference/sensitive-data-detection/): Created by Cloudflare to address common data loss threats. These rules monitor the download of specific sensitive data — for example, financial and personally identifiable information.
Ruleset ID:
## Availability
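Review bot: the Sensitive Data Detection bullet drops `Available in **Security** > **Sensitive Data**` without a replacement; since the rest of this change documents old and new dashboard locations side by side, state where this ruleset is managed in each dashboard rather than removing the location entirely. The new recommendation on the Exposed Credentials Check bullet to use leaked credentials detection instead is the right call; add the same recommendation near the top of check-for-exposed-credentials/index.mdx, also touched in this change, if it is not already there.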
@@ -46,7 +44,7 @@ The managed rulesets you can deploy depend on your Cloudflare plan.
## Zone-level deployment
-At the zone level, you can only deploy each WAF managed ruleset once. At the [account level](/waf/account/managed-rulesets/) you can deploy each managed ruleset multiple times.
+At the zone level, you can only deploy each managed ruleset once. At the [account level](/waf/account/managed-rulesets/) you can deploy each managed ruleset multiple times.
## Important remarks
diff --git a/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx b/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx
index 32198b117d69fe..ade37f8e24fcc0 100644
--- a/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx
+++ b/src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx
@@ -102,7 +102,7 @@ This example configures payload logging for the [Cloudflare Managed Ruleset](/wa
:::note
- To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
+ To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
:::
3. Invoke the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation (a `PATCH` request) to update the configuration of the rule you identified. The rule will now include the payload logging configuration (`matched_data` object).
diff --git a/src/content/docs/waf/managed-rules/payload-logging/configure.mdx b/src/content/docs/waf/managed-rules/payload-logging/configure.mdx
index f182d9977d1400..9d59e0e4a04060 100644
--- a/src/content/docs/waf/managed-rules/payload-logging/configure.mdx
+++ b/src/content/docs/waf/managed-rules/payload-logging/configure.mdx
@@ -9,14 +9,13 @@ head:
content: Configure payload logging for a managed ruleset in the dashboard
---
-Configure payload logging for a ruleset in the ruleset configuration page.
+import { Tabs, TabItem } from "~/components";
:::note
-
Only users with the [Super Administrator role](/fundamentals/manage-members/roles/) can configure payload logging and decrypt payloads in the Cloudflare dashboard. Other users can decrypt payloads if they have access to the logs and to the private key.
:::
-Do the following:
+
1. Open **Security** > **WAF** > **Managed rules**.
@@ -39,3 +38,29 @@ Do the following:
7. Select **Done**.
8. If you are deploying the managed ruleset where you configured payload logging, select **Deploy**. If you configured payload logging for a ruleset you had already deployed, select **Save**.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. In the rules table, search for the managed ruleset you want to configure. Look for a rule with an _Execute_ action. At the top of the page, you can filter the rules to show **Managed rules** only.
+
+4. Select the rule name (containing the name of the managed ruleset).
+
+5. At the bottom of the page, select **Configure payload logging**.
+
+6. After reading and understanding the implications of enabling payload logging, select one of the available options:
+
+ - **Generate key pair using your web browser**: Generates a key pair (a private and a public key) in your browser and configures payload logging with the generated public key.
+
+ - **Use my own public key**: Enter a public key [generated by the `matched-data-cli` command-line tool](/waf/managed-rules/payload-logging/command-line/generate-key-pair/).
+
+7. Select **Next**.
+
+8. If you generated a key pair in the browser, copy the displayed private key and **store it safely**. You will use this private key later to [view the decrypted payload content](/waf/managed-rules/payload-logging/view/).
+
+9. Select **Done**, and then select **Save**.
+
+
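Review bot: step 9 of the new procedure ("Select **Done**, and then select **Save**.") drops the distinction the existing step 8 makes between **Deploy** (ruleset not yet deployed) and **Save** (already deployed); if the new dashboard has no separate deploy step, say so explicitly, otherwise mirror the old wording so readers configuring an undeployed ruleset are not left without a deploy action.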
diff --git a/src/content/docs/waf/managed-rules/payload-logging/index.mdx b/src/content/docs/waf/managed-rules/payload-logging/index.mdx
index 32b7ab61fb6fdd..a15c19461c8838 100644
--- a/src/content/docs/waf/managed-rules/payload-logging/index.mdx
+++ b/src/content/docs/waf/managed-rules/payload-logging/index.mdx
@@ -34,7 +34,7 @@ When you generate a key pair in the dashboard, Cloudflare will only save the gen
To view the content of the payload in clear text, do one of the following:
-- In the Security Events page (**Security** > **Events**), enter your private key to decrypt the payload of a log entry directly in the browser. Refer to [View the payload content in the dashboard](/waf/managed-rules/payload-logging/view/) for details.
+- In the [Security Events](/waf/analytics/security-events/) page, enter your private key to decrypt the payload of a log entry directly in the browser. Refer to [View the payload content in the dashboard](/waf/managed-rules/payload-logging/view/) for details.
- Decrypt the payload in the command line using the `matched-data-cli` tool. Refer to [Decrypt the payload content in the command line](/waf/managed-rules/payload-logging/command-line/decrypt-payload/) for details.
@@ -42,7 +42,7 @@ To view the content of the payload in clear text, do one of the following:
:::caution[Important]
-All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a WAF rule.
+All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a rule.
Make sure you store your private key safely. If you lose the private key, configure payload logging with a new public key. The payload of new requests will be encrypted with the new public key.
diff --git a/src/content/docs/waf/managed-rules/payload-logging/view.mdx b/src/content/docs/waf/managed-rules/payload-logging/view.mdx
index 9f897446c708e2..5467c78a5c5ab6 100644
--- a/src/content/docs/waf/managed-rules/payload-logging/view.mdx
+++ b/src/content/docs/waf/managed-rules/payload-logging/view.mdx
@@ -7,13 +7,16 @@ sidebar:
View the content of the matched rule payload in the dashboard by entering your private key.
-1. Open **Security** > **Events**.
+1. Open [Security Events](/waf/analytics/security-events/):
+
+ - Old dashboard: Go to **Security** > **Events**.
+ - New security dashboard: Go to **Security** > **Analytics** > **Events** tab.
2. Under **Sampled logs**, expand the details of an event triggered by a rule whose managed ruleset has payload logging enabled.
3. Under **Matched service**, select **Decrypt payload match**.
- 
+ 
4. Enter your private key in the pop-up window and select **Decrypt**.
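Review bot: step 1 presents the old and new dashboard paths as inline sub-bullets ("Old dashboard: ..." / "New security dashboard: ..."), whereas the other pages in this patch import `Tabs`/`TabItem` for the same purpose; pick one convention, since mixing both makes the old/new split harder to find and maintain across the WAF docs.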
diff --git a/src/content/docs/waf/managed-rules/reference/cloudflare-managed-ruleset.mdx b/src/content/docs/waf/managed-rules/reference/cloudflare-managed-ruleset.mdx
index 2fbe5ce2dea307..7bba106da2f9cd 100644
--- a/src/content/docs/waf/managed-rules/reference/cloudflare-managed-ruleset.mdx
+++ b/src/content/docs/waf/managed-rules/reference/cloudflare-managed-ruleset.mdx
@@ -43,7 +43,10 @@ To enable the Cloudflare Managed Ruleset for a given zone via API, create a rule
diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
index aae5c3bd9dbea2..2eda37907073df 100644
--- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
+++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx
@@ -34,6 +34,10 @@ For more information on exposed credential checks, refer to [Check for exposed c
## Configure in the dashboard
+:::note
+The Exposed Credentials Check managed ruleset is only shown in the Cloudflare dashboard if you have previously deployed it. Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead.
+:::
+
You can configure the following settings of the Cloudflare Exposed Credentials Check Managed Ruleset in the dashboard:
- **Set the action to perform.** When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: _Managed Challenge_, _Block_, _JS Challenge_, _Log_, and _Interactive Challenge_. To remove the action override, set the ruleset action to _Default_.
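Review bot: the new note says the ruleset is only shown if previously deployed and recommends leaked credentials detection instead, but it does not state the status of the Exposed Credentials Check ruleset (deprecated, no longer deployable, or unchanged for existing deployments); one sentence on that status, and on whether existing deployments keep working, would tell readers whether the configuration steps that follow still apply to them.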
@@ -176,7 +180,10 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to
:::note[Checking for exposed credentials in custom rules]
diff --git a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx
index 1cba1239340438..d1552db7190714 100644
--- a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx
+++ b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx
@@ -32,10 +32,10 @@ This table shows the progress of the OWASP ruleset evaluation:
Final request threat score: `26`
-Since `26` >= `25` — that is, the threat score is greater than the configured score threshold — the WAF will apply the configured action (_Managed Challenge_). If you had configured a score threshold of _Medium - 40 and higher_, the WAF would not apply the action, since the request threat score would be lower than the score threshold (`26` < `40`).
+Since `26` >= `25` — that is, the threat score is greater than the configured score threshold — Cloudflare will apply the configured action (_Managed Challenge_). If you had configured a score threshold of _Medium - 40 and higher_, Cloudflare would not apply the action, since the request threat score would be lower than the score threshold (`26` < `40`).
[**Sampled logs** in Security Events](/waf/analytics/security-events/#sampled-logs) would display the following details for the example incoming request handled by the OWASP Core Ruleset:
-
+
In sampled logs, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: `949110: Inbound Anomaly Score Exceeded`, with rule ID . To get the scores of individual rules contributing to the final request threat score, expand **Additional logs** in the event details.
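Review bot: the changed sentence keeps "Since `26` >= `25` — that is, the threat score is greater than the configured score threshold", but the comparison shown is greater-than-or-equal; since the `>=` is the whole point of the "25 and higher" threshold semantics, the prose should read "greater than or equal to the configured score threshold" so the example does not contradict its own operator.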
diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
index 5dd309c29a3095..9b121c0f716d79 100644
--- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
+++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 5
---
-import { Render, RuleID, APIRequest } from "~/components";
+import { Render, RuleID, APIRequest, Tabs, TabItem } from "~/components";
:::note
This feature requires an Enterprise plan with a paid add-on.
@@ -33,6 +33,8 @@ Currently, Cloudflare Sensitive Data Detection does not support [matched payload
## Configure in the dashboard
+
+
To configure Cloudflare Sensitive Data Detection in the Cloudflare dashboard, go to **Security** > **Sensitive Data**.
You can turn the managed ruleset on or off, and configure the following settings:
@@ -40,6 +42,24 @@ You can turn the managed ruleset on or off, and configure the following settings
- Turn on or off specific rules or rules with specific tags.
- Customize the filter expression. With a custom expression, Cloudflare Sensitive Data Detection applies only to a subset of the incoming requests.
+
+
+To enable Cloudflare Sensitive Data Detection:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Next to **Sensitive data detection**, set the toggle to **On**.
+
+To adjust the scope of the managed ruleset or turn off specific rules:
+
+1. In the **Settings** page, under **Sensitive data detection**, select **Configured ruleset**.
+2. To apply the managed ruleset for a subset of incoming requests, select **Custom filter expression** and define the filter expression.
+3. Select **Next**.
+4. To turn specific rules on or off, select **Browse rules** and use the toggle next to each rule to turn it on or off.
+5. Select **Next**, and then select **Save**.
+
+
+
For details on configuring a managed ruleset in the dashboard, refer to [Configure a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset).
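Review bot: the old-dashboard text (context line "Turn on or off specific rules or rules with specific tags.") covers tag-based toggling, while new-dashboard step 4 only describes toggling individual rules under **Browse rules**; if tag-based enabling/disabling is also available in the new dashboard, add it to step 4, otherwise note the difference so readers migrating existing tag-based configurations are not surprised.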
## Configure via API
@@ -175,6 +195,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to
file="managed-rulesets/api-next-steps"
params={{
rulesetName: "Cloudflare Sensitive Data Detection managed ruleset",
+ customizableAction: false,
}}
/>
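Review bot: `customizableAction: false` is passed to the `managed-rulesets/api-next-steps` partial; verify that partial actually declares a `customizableAction` param (and that other callers get the intended default of `true`), since an unknown param is silently ignored and the "next steps" text would keep suggesting an action override this ruleset does not support.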
diff --git a/src/content/docs/waf/managed-rules/waf-exceptions/define-api.mdx b/src/content/docs/waf/managed-rules/waf-exceptions/define-api.mdx
index 431f35dbd724d2..b1801ef80894a7 100644
--- a/src/content/docs/waf/managed-rules/waf-exceptions/define-api.mdx
+++ b/src/content/docs/waf/managed-rules/waf-exceptions/define-api.mdx
@@ -136,7 +136,7 @@ The following example adds a rule that skips the [Cloudflare Managed Ruleset](/w
Identify the rule deploying the Cloudflare Managed Ruleset by searching for an `execute` rule with `action_parameters` > `id` equal to (the managed ruleset ID).
:::note
- To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
+ To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
:::
Save the following IDs for the next step:
@@ -173,7 +173,7 @@ The following example adds a rule that skips a particular rule of the [Cloudflar
You can get the managed ruleset details using the account-level endpoint ([Get an account ruleset](/api/resources/rulesets/methods/get/)) or the zone-level endpoint ([Get a zone ruleset](/api/resources/rulesets/methods/get/)).
:::note
- To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
+ To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
:::
`id` equal to (the managed ruleset ID).
:::note
- To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
+ To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
:::
Save the following IDs for the next step:
diff --git a/src/content/docs/waf/managed-rules/waf-exceptions/define-dashboard.mdx b/src/content/docs/waf/managed-rules/waf-exceptions/define-dashboard.mdx
index bd56dc9dcf27de..7cd0ea917e9222 100644
--- a/src/content/docs/waf/managed-rules/waf-exceptions/define-dashboard.mdx
+++ b/src/content/docs/waf/managed-rules/waf-exceptions/define-dashboard.mdx
@@ -8,17 +8,28 @@ head:
content: Add a WAF exception in the dashboard
description: Use the Cloudflare dashboard to create exceptions that skip the
execution of WAF managed rulesets or specific ruleset rules.
-
---
+import { Tabs, TabItem } from "~/components";
+
## 1. Go to the zone or account dashboard page
To add an exception at the zone level:
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **WAF** > **Managed rules**.
3. Select **Add exception**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Security rules**.
+3. Next to **Managed rules**, select **Create rule**.
+
+
+
To add an exception at the account level (Enterprise plans only):
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account.
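Review bot: in the new-dashboard tab, step 3 says "Next to **Managed rules**, select **Create rule**" while the old-dashboard step says **Add exception**; since the page is about creating an exception, state that the rule created here is the exception (or name the rule type the dashboard offers), otherwise readers may expect an option that is not labelled "exception" and stop at step 3.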
@@ -37,8 +48,8 @@ To add an exception at the account level (Enterprise plans only):
1. In **Then**, select the [exception type](/waf/managed-rules/waf-exceptions/#types-of-exceptions) that determines which rules to skip:
- * **Skip all remaining rules**: Skips all remaining rules of WAF managed rulesets. If you select this option, proceed to [4. Create the exception](#4-create-the-exception).
- * **Skip specific rules from a Managed Ruleset**: Skips one or more rules of a managed ruleset.
+ - **Skip all remaining rules**: Skips all remaining rules of WAF managed rulesets. If you select this option, proceed to [4. Create the exception](#4-create-the-exception).
+ - **Skip specific rules from a Managed Ruleset**: Skips one or more rules of a managed ruleset.
2. Select **Select ruleset**.
@@ -47,7 +58,7 @@ To add an exception at the account level (Enterprise plans only):
4. **A) To skip one or more rules in the ruleset:**
1. Search for a rule using the available filters. You can search by description, rule ID, or tag. For example, in the Cloudflare OWASP Core Ruleset you can search for `920460` to find the rule `920460: Abnormal character escapes in request`.
- 2. Select the checkbox next to the rule(s) you wish to skip.
+ 2. Select the checkbox next to the rule(s) you want to skip.
3. If required, search for other rules and select them. The dashboard keeps a list of the rules you selected between searches.
**B) To skip all the rules in the ruleset:**
@@ -67,6 +78,5 @@ To add an exception at the account level (Enterprise plans only):
2. To save and deploy your exception, select **Deploy**. If you are not ready to deploy your exception, select **Save as Draft**.
:::note
-
-Exceptions only apply to rules executing a managed ruleset listed after them. For example, if you are skipping a rule belonging to the Cloudflare OWASP Core Ruleset, make sure the exception is listed in **Security** > **WAF** > **Managed rules** *before* the execute rule deploying this managed ruleset.
+Exceptions only apply to rules executing a managed ruleset listed after them. For example, if you are skipping a rule belonging to the Cloudflare OWASP Core Ruleset, make sure the exception is listed in the rules list before the _Execute_ rule deploying this managed ruleset.
:::
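Review bot: the rewritten note replaces the concrete location (**Security** > **WAF** > **Managed rules**) with "the rules list", which is now ambiguous across the old and new dashboards this patch introduces; name both locations (old: **Security** > **WAF** > **Managed rules**, new: **Security** > **Security rules**) so the ordering requirement, which decides whether the exception takes effect at all, is easy to verify.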
diff --git a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
index 91177af683a724..e259f5bb81b14d 100644
--- a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
@@ -10,7 +10,9 @@ head:
content: Create a rate limiting rule in the dashboard
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and zone.
@@ -18,12 +20,44 @@ import { Render } from "~/components";
3. To create a new empty rule, select **Create rule**. To duplicate an existing rule, select the three dots next to it > **Duplicate**.
+4. Enter a descriptive name for the rule in **Rule name**.
+
+ 
+
+5. In the **Field** drop-down, choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
+
+6. (Optional) Under **Cache status**, disable **Also apply rate limiting to cached assets** to consider only the requests that reach the origin when determining the rate.
+
+7. Under **With the same characteristics**, add one or more [characteristics](/waf/rate-limiting-rules/parameters/#with-the-same-characteristics) that will define the request counters for rate limiting purposes. Each value combination will have its own counter to determine the rate. For more information, refer to [How Cloudflare determines the request rate](/waf/rate-limiting-rules/request-rate/).
+
+8. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response).
+
+9. Under **When rate exceeds**, define the maximum number of requests and the time period to consider when determining the rate.
+
+10. Under **Then take action**, select the rule action from the **Choose action** drop-down list. For example, selecting _Block_ tells Cloudflare to refuse requests in the conditions you specified when the request limit is reached.
+
+11. (Optional) If you selected the _Block_ action, you can [configure a custom response](#configure-a-custom-response-for-blocked-requests) for requests exceeding the configured rate limit.
+
+12. Select the mitigation timeout in the **Duration** dropdown. This is the time period during which Cloudflare applies the select action once the rate is reached.
+
+ Enterprise customers with a paid add-on can [throttle requests](/waf/rate-limiting-rules/parameters/#with-the-following-behavior) instead of applying the configured action for a selected duration. To throttle requests, under **With the following behavior** select _Throttle requests over the maximum configured rate_.
+
+13. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and zone.
+
+2. Go to **Security** > **Security rules**.
+
+3. To create a new empty rule, select **Create rule** > **Rate limiting rules**. To duplicate an existing rule, select the three dots next to it > **Duplicate**.
+
4.
Enter a descriptive name for the rule in **Rule name**.

-5. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
+5. In the **Field** drop-down, choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
6. (Optional) Under **Cache status**, disable **Also apply rate limiting to cached assets** to consider only the requests that reach the origin when determining the rate.
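Review bot: step 12 in the added old-dashboard procedure reads "applies the select action once the rate is reached" and should be "selected action"; the same step says "**Duration** dropdown" while step 5 uses "drop-down", so align the spelling. Also note the duplicated steps 4 to 13 now exist twice in this file (once per tab), so future wording fixes must be applied to both copies.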
@@ -43,6 +77,8 @@ import { Render } from "~/components";
13. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+
+
## Configure a custom response for blocked requests
:::note
diff --git a/src/content/docs/waf/rate-limiting-rules/find-rate-limit.mdx b/src/content/docs/waf/rate-limiting-rules/find-rate-limit.mdx
index 09999533f479f6..62b1cd21a83350 100644
--- a/src/content/docs/waf/rate-limiting-rules/find-rate-limit.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/find-rate-limit.mdx
@@ -8,18 +8,17 @@ head:
content: Find an appropriate rate limit
---
-The **Rate limit analysis** tab in [Security Analytics](/waf/analytics/security-analytics/) displays data on the request rate for traffic matching the selected filters and time period. Use this tab to determine the most appropriate rate limit for incoming traffic matching the applied filters.
+The **Request rate analysis** tab in [Security Analytics](/waf/analytics/security-analytics/) displays data on the request rate for traffic matching the selected filters and time period. Use this tab to determine the most appropriate rate limit for incoming traffic matching the applied filters.
:::note
-
-The **Rate limit analysis** tab is only available to Enterprise customers.
+The **Request rate analysis** tab is only available to Enterprise customers.
:::
## User interface overview
-The **Rate limit analysis** tab is available at the zone level in **Security** > **Analytics**.
+The **Request rate analysis** tab is available at the zone level in **Security** > **Analytics**.
-
+
The main chart displays the distribution of request rates for the top 50 unique clients observed during the selected time interval (for example, `1 minute`) in descending order. You can group the request rates by the following unique request properties:
@@ -54,13 +53,13 @@ For more information on how Cloudflare calculates the request rate of incoming t
### 2. Find the rate
-1. Switch to the **Rate limit analysis** tab.
+1. Switch to the **Request rate analysis** tab.
2. Choose the request properties (JA3, IP, IP and JA3, or JA4) and the duration (1 min, 5 mins, or 1 hour) for your rate limit rule. The request properties you select will be used as [rate limiting rule characteristics](/waf/rate-limiting-rules/parameters/#with-the-same-characteristics).
3. Use the slider in the chart to move the horizontal line defining the rate limit. While you move the slider up and down, check the impact of defining a rate limiting rule with the selected limit on the displayed traffic.
- 
+ 
:::note
@@ -79,7 +78,7 @@ Answering the following questions during your adjustments can help you with your
### 4. Create a rate limiting rule
-1. Select **Create rate limit rule** to go to the [rate limiting creation page](/waf/rate-limiting-rules/create-zone-dashboard/) with your filters, characteristics, and selected rate limit pre-populated.
+1. In the **Request rate analysis** tab, select **Create rate limit rule** to go to the [rate limiting creation page](/waf/rate-limiting-rules/create-zone-dashboard/) with your filters, characteristics, and selected rate limit pre-populated.
2. Select the rule action. Depending on your needs, you can set the rule to log, challenge, or block requests exceeding the selected threshold.
diff --git a/src/content/docs/waf/rate-limiting-rules/index.mdx b/src/content/docs/waf/rate-limiting-rules/index.mdx
index 9384e7a61e7a10..05a44b6a4ea5c4 100644
--- a/src/content/docs/waf/rate-limiting-rules/index.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/index.mdx
@@ -10,6 +10,8 @@ import { Render } from "~/components";
Rate limiting rules allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.
+In the [new security dashboard](/security/), rate limiting rules are one of the available types of [security rules](/security/rules/). Security rules perform security-related actions on incoming requests that match specified filters.
+
## Rule parameters
Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), rate limiting rules have the following basic parameters:
diff --git a/src/content/docs/waf/rate-limiting-rules/request-rate.mdx b/src/content/docs/waf/rate-limiting-rules/request-rate.mdx
index 9d3c653d3e68c8..a6b5dc98f08cb8 100644
--- a/src/content/docs/waf/rate-limiting-rules/request-rate.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/request-rate.mdx
@@ -22,7 +22,7 @@ In this case, two incoming requests with the **same** value for the HTTP header
The counting model of this rate limiting rule is based on the number of incoming requests. Enterprise customers with Advanced Rate Limiting can also configure rules whose counting model is based on the complexity of serving incoming requests. Refer to [Complexity-based rate limiting](#complexity-based-rate-limiting) for more information.
-:::caution[Important notes]
+:::note[Important notes]
- Cloudflare currently does not support global rate limiting counters across the entire network — counters are not shared across data centers. This fact is especially relevant for customers that do not add the IP address as one of the rate limiting characteristics. The only exception is when Cloudflare has multiple data centers associated with a given geographical location. In this case, the rate limiting counters are shared between those specific data centers.
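Review bot: downgrading this admonition from `caution` to `note` lowers the visibility of the statement that counters are not shared across data centers, which the text itself flags as "especially relevant for customers that do not add the IP address as one of the rate limiting characteristics"; because that directly affects whether a configured limit is enforced as expected, keeping `caution[Important notes]` seems more appropriate than `note`.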
diff --git a/src/content/docs/waf/reference/alerts.mdx b/src/content/docs/waf/reference/alerts.mdx
index 02cf4fe74fef1e..ad938bae6e26f5 100644
--- a/src/content/docs/waf/reference/alerts.mdx
+++ b/src/content/docs/waf/reference/alerts.mdx
@@ -3,29 +3,28 @@ title: Alerts
pcx_content_type: reference
sidebar:
order: 1
-
---
-import { AvailableNotifications } from "~/components"
+import { AvailableNotifications } from "~/components";
-The WAF provides two types of alerts that inform you of any spikes in security events:
+Cloudflare provides two types of security alerts that inform you of any spikes in security events:
-* **Security Events Alert**: Alerts about spikes across all services that generate log entries in Security Events.
-* **Advanced Security Events Alert**: Similar to Security Events Alert with support for additional filtering options.
+- **Security Events Alert**: Alerts about spikes across all services that generate log entries in Security Events.
+- **Advanced Security Events Alert**: Similar to Security Events Alert with support for additional filtering options.
For details on alert types and their availability, refer to [Alert types](#alert-types).
-To receive WAF alerts, you must configure a [notification](/notifications/). Notifications help you stay up to date with your Cloudflare account through email, PagerDuty, or webhooks, depending on your Cloudflare plan.
+To receive security alerts, you must configure a [notification](/notifications/). Notifications help you stay up to date with your Cloudflare account through email, PagerDuty, or webhooks, depending on your Cloudflare plan.
-## Set up a notification for WAF alerts
+## Set up a notification for security alerts
-For instructions on how to set up a notification for a WAF alert, refer to [Create a Notification](/notifications/get-started/#create-a-notification).
+For instructions on how to set up a notification for a security alert, refer to [Create a Notification](/notifications/get-started/#create-a-notification).
-***
+---
## Alert logic
-WAF alerts use a static threshold together with a [z-score](https://en.wikipedia.org/wiki/Standard_score) calculation over the last six hours and five-minute buckets of events. An alert is triggered whenever the z-score value is above 3.5 and the spike crosses a threshold of 200 security events. You will not receive duplicate alerts within the same two-hour time frame.
+Security alerts use a static threshold together with a [z-score](https://en.wikipedia.org/wiki/Standard_score) calculation over the last six hours and five-minute buckets of events. An alert is triggered whenever the z-score value is above 3.5 and the spike crosses a threshold of 200 security events. You will not receive duplicate alerts within the same two-hour time frame.
## Alert types
diff --git a/src/content/docs/waf/reference/phases.mdx b/src/content/docs/waf/reference/phases.mdx
index 983b90c6b1a984..405520aecdb637 100644
--- a/src/content/docs/waf/reference/phases.mdx
+++ b/src/content/docs/waf/reference/phases.mdx
@@ -5,6 +5,8 @@ sidebar:
order: 2
---
+import { Tabs, TabItem } from "~/components";
+
The Web Application Firewall provides the following [phases](/ruleset-engine/about/phases/) where you can create rulesets and rules:
- `http_request_firewall_custom`
@@ -13,13 +15,28 @@ The Web Application Firewall provides the following [phases](/ruleset-engine/abo
These phases exist both at the account level and at the zone level. Considering the available phases and the two different levels, rules will be evaluated in the following order:
-| WAF feature | Scope | Phase | Ruleset kind | Location in the dashboard |
+
+
+| Security feature | Scope | Phase | Ruleset kind | Location in the dashboard |
| -------------------------------------------------------------- | ------- | ------------------------------- | ------------------------------------- | ------------------------------------------------------------ |
| [Custom rulesets](/waf/account/custom-rulesets/)
| Account | `http_request_firewall_custom` | `custom` (create)
`root` (deploy) | Account Home > **WAF** > **Custom rulesets** |
| [Custom rules](/waf/custom-rules/) | Zone | `http_request_firewall_custom` | `zone` | Your zone > **Security** > **WAF** > **Custom rules** |
| [Rate limiting rulesets](/waf/account/rate-limiting-rulesets/) | Account | `http_ratelimit` | `root` | Account Home > **WAF** > **Rate limiting rulesets** |
| [Rate limiting rules](/waf/rate-limiting-rules/) | Zone | `http_ratelimit` | `zone` | Your zone > **Security** > **WAF** > **Rate limiting rules** |
-| [WAF managed rulesets](/waf/account/managed-rulesets/) | Account | `http_request_firewall_managed` | `root` | Account Home > **WAF** > **Managed rulesets** |
-| [WAF Managed Rules](/waf/managed-rules/) | Zone | `http_request_firewall_managed` | `zone` | Your zone > **Security** > **WAF** > **Managed rules** |
+| [Managed rulesets](/waf/account/managed-rulesets/) | Account | `http_request_firewall_managed` | `root` | Account Home > **WAF** > **Managed rulesets** |
+| [Managed rules](/waf/managed-rules/) | Zone | `http_request_firewall_managed` | `zone` | Your zone > **Security** > **WAF** > **Managed rules** |
+
+
+
+| Security feature | Scope | Phase | Ruleset kind | Location in the dashboard |
+| -------------------------------------------------------------- | ------- | ------------------------------- | ------------------------------------- | --------------------------------------------------- |
+| [Custom rulesets](/waf/account/custom-rulesets/)
| Account | `http_request_firewall_custom` | `custom` (create)
`root` (deploy) | Account Home > **WAF** > **Custom rulesets** |
+| [Custom rules](/waf/custom-rules/) | Zone | `http_request_firewall_custom` | `zone` | Your zone > **Security** > **Security rules** |
+| [Rate limiting rulesets](/waf/account/rate-limiting-rulesets/) | Account | `http_ratelimit` | `root` | Account Home > **WAF** > **Rate limiting rulesets** |
+| [Rate limiting rules](/waf/rate-limiting-rules/) | Zone | `http_ratelimit` | `zone` | Your zone > **Security** > **Security rules** |
+| [Managed rulesets](/waf/account/managed-rulesets/) | Account | `http_request_firewall_managed` | `root` | Account Home > **WAF** > **Managed rulesets** |
+| [Managed rules](/waf/managed-rules/) | Zone | `http_request_firewall_managed` | `zone` | Your zone > **Security** > **Security rules** |
+
+
To learn more about phases, refer to [Phases](/ruleset-engine/about/phases/) in the Ruleset Engine documentation.
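Review bot: the "Custom rulesets" row of the newly added table is split across three physical lines (`| [Custom rulesets](/waf/account/custom-rulesets/)`, then `| Account | ... | `custom` (create)`, then ``root` (deploy) | Account Home > ...`), and a Markdown table row has to sit on a single line or the renderer will drop the whole table; either the `<br/>` between `custom` (create) and `root` (deploy) was lost or the row needs to be joined. The second table also duplicates the first except for the "Location in the dashboard" column, so make sure both are wrapped in the old/new dashboard tabs rather than rendered back to back.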
diff --git a/src/content/docs/waf/tools/browser-integrity-check.mdx b/src/content/docs/waf/tools/browser-integrity-check.mdx
index f7cd3a935df949..fe0774d7aa71b4 100644
--- a/src/content/docs/waf/tools/browser-integrity-check.mdx
+++ b/src/content/docs/waf/tools/browser-integrity-check.mdx
@@ -2,28 +2,38 @@
pcx_content_type: reference
source: https://support.cloudflare.com/hc/en-us/articles/200170086-Understanding-the-Cloudflare-Browser-Integrity-Check
title: Browser Integrity Check
-
---
-import { Render } from "~/components"
+import { Render, Tabs, TabItem } from "~/components";
-## Disable Browser Integrity Check
+Browser Integrity Check is enabled by default.
-**BIC** is enabled by default.
+## Disable Browser Integrity Check
### Disable globally
-To disable **BIC** globally for your zone:
+To disable BIC globally for your zone:
+
+
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
2. Select your account and zone.
3. Go to **Security** > **Settings**.
4. For **Browser Integrity Check**, switch the toggle to **Off**.
+
+
+1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
+2. Select your account and zone.
+3. Go to **Security** > **Settings**.
+4. Next to **Browser integrity check**, switch the toggle to **Off**.
+
+
+
### Disable selectively
-To disable **BIC** selectively, you can set up a [firewall skip rule](/waf/custom-rules/skip/).
+To disable BIC selectively, you can skip Browser Integrity Check using a [custom rule with a skip action](/waf/custom-rules/skip/).
-Also, use a [Configuration Rule](/rules/configuration-rules/) to selectively enable or disable this feature for certain sections of your website using a filter expression (such as a matching hostname or request URL path).
+Also, use a [configuration rule](/rules/configuration-rules/) to selectively enable or disable this feature for certain sections of your website using a filter expression (such as a matching hostname or request URL path).
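Review bot: the import now pulls in `Tabs` and `TabItem`, but the hunk shows the two "Disable globally" step lists (old dashboard with **Browser Integrity Check**, new dashboard with **Browser integrity check**) placed back to back with no visible `<Tabs>`/`<TabItem>` wrapper; if the wrapper is really absent the page renders two near-identical numbered lists and the new imports are unused. The "Disable selectively" paragraph is fine, though it would help to say that a skip rule disables BIC only for requests matching its expression while the global toggle turns the check off for every request.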
diff --git a/src/content/docs/waf/tools/ip-access-rules/create.mdx b/src/content/docs/waf/tools/ip-access-rules/create.mdx
index d3ad246ac80646..2293296e7be5a7 100644
--- a/src/content/docs/waf/tools/ip-access-rules/create.mdx
+++ b/src/content/docs/waf/tools/ip-access-rules/create.mdx
@@ -1,16 +1,14 @@
---
-title: Create a rule
+title: Create an IP access rule
pcx_content_type: how-to
sidebar:
order: 2
-head:
- - tag: title
- content: Create an IP Access rule
+ label: Create a rule
---
import { TabItem, Tabs } from "~/components";
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
@@ -25,8 +23,29 @@ import { TabItem, Tabs } from "~/components";
4. Select **Add**.
+
+
+:::note
+IP Access Rules are only available in the new security dashboard if you have configured at least one IP access rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of IP Access Rules.
+:::
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. Select **Create rule** > **IP access rules**.
+
+4. Enter the following rule details:
+
+ 1. For **IP, IP range, country name, or ASN**, enter an IP address, IP range, country code/name, or Autonomous System Number (ASN). For details, refer to [Parameters](/waf/tools/ip-access-rules/parameters/).
+ 2. For **Action**, select an [action](/waf/tools/ip-access-rules/actions/).
+ 3. For **Zone**, select whether the rule applies to the current website only or to all websites in the account.
+ 4. (Optional) Enter a note for the rule (for example, `Payment Gateway`).
+
+5. Select **Create**.
+
-Use the Cloudflare API to programmatically create IP Access rules. For more information, refer to [Create An IP Access Rule](/api/resources/firewall/subresources/access_rules/methods/create/).
+Use the Cloudflare API to programmatically create IP access rules. For more information, refer to [Create an IP Access Rule](/api/resources/firewall/subresources/access_rules/methods/create/).
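Review bot: the new-dashboard steps have a bootstrapping gap: the note says IP Access Rules appear in the new security dashboard only once at least one rule exists, but the steps that follow are the instructions for creating that first rule, so a user on the new dashboard cannot follow them. Point to the old dashboard tab or to the API call in the last paragraph for creating the first rule, or say explicitly that **Create rule** > **IP access rules** is not offered until a rule exists. Casing is also mixed in this hunk ("IP Access Rules" in the note, "IP access rules" in the API paragraph).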
diff --git a/src/content/docs/waf/tools/ip-access-rules/index.mdx b/src/content/docs/waf/tools/ip-access-rules/index.mdx
index cc63a445890155..f026df602d87a1 100644
--- a/src/content/docs/waf/tools/ip-access-rules/index.mdx
+++ b/src/content/docs/waf/tools/ip-access-rules/index.mdx
@@ -18,9 +18,9 @@ IP Access rules are commonly used to block or challenge suspected malicious traf
:::
-## Recommendation: Use WAF custom rules instead
+## Recommendation: Use custom rules instead
-Cloudflare recommends that you create [WAF custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):
+Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):
- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#ip-lists) in the custom rule expression.
- For geoblocking, use fields such as _AS Num_, _Country_, and _Continent_ in the custom rule expression.
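Review bot: "IP Access rules" here, "IP Access Rules" in the create page note and "IP access rules" in the API sentence of the same PR are three spellings of one feature; pick one (the new title uses "IP access rule") and apply it across the touched files. The recommendation itself is sound: custom rules evaluate a full expression (IP list plus path, method, ASN and so on), whereas an IP access rule matches on the source alone.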
diff --git a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
index 5a07ecc6d7b307..b6945849b33bd0 100644
--- a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
+++ b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
@@ -6,7 +6,7 @@ head:
content: Replace insecure JavaScript libraries
---
-import { GlossaryTooltip, TabItem, Tabs } from "~/components";
+import { GlossaryTooltip, Tabs, TabItem } from "~/components";
This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.
@@ -40,7 +40,7 @@ The feature is available in all Cloudflare plans, and is turned on by default on
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone.
2. Go to **Security** > **Settings**.
-3. For **Replace insecure JavaScript libraries**, switch the toggle to **On** or **Off**.
+3. For **Replace insecure JavaScript libraries**, set the toggle to **On** or **Off**.
diff --git a/src/content/docs/waf/tools/scrape-shield/email-address-obfuscation.mdx b/src/content/docs/waf/tools/scrape-shield/email-address-obfuscation.mdx
index 94224680c1cb22..d005880890ef6f 100644
--- a/src/content/docs/waf/tools/scrape-shield/email-address-obfuscation.mdx
+++ b/src/content/docs/waf/tools/scrape-shield/email-address-obfuscation.mdx
@@ -53,7 +53,7 @@ To prevent Cloudflare from obfuscating specific email addresses, you can:
- Return email addresses in JSON format for AJAX calls, making sure your web server returns a content type of `application/json`.
-- Disable the Email Obfuscation feature by creating a [Configuration Rule](/rules/configuration-rules/) to be applied on a specific endpoint.
+- Disable the Email Obfuscation feature by creating a [configuration rule](/rules/configuration-rules/) to be applied on a specific endpoint.
---
@@ -70,7 +70,7 @@ To prevent unexpected website behavior, email addresses are not obfuscated when
- _head_ tags: ``
- Any page that does not have a MIME type of `text/html` or `application/xhtml+xml`.
-:::caution
+:::note
Email Obfuscation will not apply in the following cases:
diff --git a/src/content/docs/waf/tools/scrape-shield/hotlink-protection.mdx b/src/content/docs/waf/tools/scrape-shield/hotlink-protection.mdx
index f9bba3000347d3..c4b380de9b04e5 100644
--- a/src/content/docs/waf/tools/scrape-shield/hotlink-protection.mdx
+++ b/src/content/docs/waf/tools/scrape-shield/hotlink-protection.mdx
@@ -46,7 +46,7 @@ To enable **Hotlink Protection** with the API, send a [`PATCH`](/api/resources/z
### SaaS providers using Cloudflare
-If you are a SaaS provider using [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/), note that, by default, Hotlink Protection will only allow requests with your zone as referer. To avoid blocking requests from your customers (custom hostnames), consider using [Configuration Rules](/rules/configuration-rules/settings/#hotlink-protection) or [WAF custom rules](/waf/custom-rules/use-cases/exempt-partners-hotlink-protection/).
+If you are a SaaS provider using [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/), note that, by default, Hotlink Protection will only allow requests with your zone as referer. To avoid blocking requests from your customers (custom hostnames), consider using [Configuration Rules](/rules/configuration-rules/settings/#hotlink-protection) or [custom rules](/waf/custom-rules/use-cases/exempt-partners-hotlink-protection/).
---
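Review bot: this line keeps "Configuration Rules" capitalized while the rest of the PR (including the hunk just below in this file) lowercases it to "configuration rule"; lowercase it here too for consistency.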
@@ -56,7 +56,7 @@ You may want certain images to be hotlinked to, whether by external websites (li
### Configuration rules
-To disable Hotlink Protection selectively, create a [Configuration Rule](/rules/configuration-rules/) covering the path of an image folder.
+To disable Hotlink Protection selectively, create a [configuration rule](/rules/configuration-rules/) covering the path of an image folder.
### hotlink-ok directory
diff --git a/src/content/docs/waf/tools/user-agent-blocking.mdx b/src/content/docs/waf/tools/user-agent-blocking.mdx
index d14ca7f90d9baf..68fb7aad88b249 100644
--- a/src/content/docs/waf/tools/user-agent-blocking.mdx
+++ b/src/content/docs/waf/tools/user-agent-blocking.mdx
@@ -8,15 +8,15 @@ sidebar:
import { FeatureTable, TabItem, Tabs, APIRequest } from "~/components";
-User Agent Blocking rules block specific browser or web application [`User-Agent` request headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent). These rules apply to the entire domain instead of individual subdomains.
+User Agent Blocking allows you to block specific browser or web application [`User-Agent` request headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent). User agent rules apply to the entire domain instead of individual subdomains.
-User Agent Blocking rules are applied after [Zone Lockdown rules](/waf/tools/zone-lockdown/). If you allow an IP address via Zone Lockdown, it will skip any User Agent Blocking rules.
+User agent rules are applied after [zone lockdown rules](/waf/tools/zone-lockdown/). If you allow an IP address via Zone Lockdown, it will skip any user agent rules.
-:::caution
+:::note
-Cloudflare recommends that you create [WAF custom rules](/waf/custom-rules/) instead of User Agent Blocking rules to block specific user agents.
+Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of user agent rules to block specific user agents.
-For example, a custom rule equivalent to the User Agent Blocking [example rule](#create-a-user-agent-blocking-rule) provided in this page could have the following configuration:
+For example, a custom rule equivalent to the user agent [example rule](#create-a-user-agent-blocking-rule) provided in this page could have the following configuration:
- **Expression**: `http.user_agent eq "BadBot/1.0.2 (+http://bad.bot)"`
- **Action**: (a block or challenge action)
@@ -25,13 +25,15 @@ For example, a custom rule equivalent to the User Agent Blocking [example rule](
## Availability
-Cloudflare User Agent Blocking is available on all plans. The number of available User Agent Blocking rules depends on your Cloudflare plan.
+Cloudflare User Agent Blocking is available on all plans. However, this feature is only available in the [new security dashboard](/security/) if you have configured at least one user agent rule.
+
+The number of available user agent rules depends on your Cloudflare plan.
## Create a User Agent Blocking rule
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
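Review bot: "available on all plans. However, this feature is only available in the new security dashboard if you have configured at least one user agent rule" leaves the reader without a way to create the first rule from the new dashboard; state that the first rule has to be created through the old dashboard or the API (the `POST` to the `ua_rules` endpoint further down) before **User agent rules** shows up under **Create rule**.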
@@ -47,6 +49,24 @@ Cloudflare User Agent Blocking is available on all plans. The number of availabl
7. Select **Save and Deploy blocking rule**.
+
+
+:::note
+User Agent Blocking is only available in the new security dashboard if you have configured at least one user agent rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of user agent rules.
+:::
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
+
+2. Go to **Security** > **Security rules**, and select **Create rule** > **User agent rules**.
+
+3. Enter a descriptive name for the rule in **Name/Description**.
+
+4. In **Action**, select the action to perform: _Managed Challenge_, _Block_, _JS Challenge_, or _Interactive Challenge_.
+
+5. Enter a user agent value in **User Agent** (wildcards such as `*` are not supported). For example, to block the Bad Bot web spider, enter `BadBot/1.0.2 (+http://bad.bot)`.
+
+6. Select **Save and Deploy blocking rule**.
+
Issue a `POST` request for the [Create a User Agent Blocking rule](/api/resources/firewall/subresources/ua_rules/methods/create/) operation similar to the following:
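Review bot: the `:::note` at the top of the new-dashboard steps repeats the Availability paragraph two sections above almost verbatim, including the custom-rules recommendation already given in the note at the top of the page; keep one copy (the Availability section is the natural home) and drop the other. Step 5's remark that wildcards are not supported is worth keeping, since an exact-match user agent rule is trivially bypassed by changing one character of the string; that is part of why custom rules with `contains` or `matches` on `http.user_agent` are the better tool.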
diff --git a/src/content/docs/waf/tools/validation-checks.mdx b/src/content/docs/waf/tools/validation-checks.mdx
index cd23ad31c9ce23..187585548cb250 100644
--- a/src/content/docs/waf/tools/validation-checks.mdx
+++ b/src/content/docs/waf/tools/validation-checks.mdx
@@ -5,7 +5,7 @@ title: Validation checks
import { GlossaryTooltip } from "~/components";
-Cloudflare performs a validation check for every request. The Validation component executes prior to all other WAF features like custom rules or WAF Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs.
+Cloudflare performs a validation check for every request. The Validation component executes prior to all other security features like custom rules or Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs.
:::note
Currently, you cannot disable validation checks. They run early in Cloudflare's infrastructure before the configuration for domains has been loaded.
diff --git a/src/content/docs/waf/tools/zone-lockdown.mdx b/src/content/docs/waf/tools/zone-lockdown.mdx
index b9f034d8fe0152..73d167fe7c320e 100644
--- a/src/content/docs/waf/tools/zone-lockdown.mdx
+++ b/src/content/docs/waf/tools/zone-lockdown.mdx
@@ -8,15 +8,15 @@ sidebar:
import { FeatureTable, TabItem, Tabs, APIRequest } from "~/components";
-Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL. You can configure multiple destinations, including IPv4/IPv6 addresses, in a single Zone Lockdown rule.
+Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL. You can configure multiple destinations, including IPv4/IPv6 addresses, in a single zone lockdown rule.
-All IP addresses not specified in the Zone Lockdown rule will not have access to the specified resources. Requests from those IP addresses will receive an `Access Denied` response.
+All IP addresses not specified in the zone lockdown rule will not have access to the specified resources. Requests from those IP addresses will receive an `Access Denied` response.
-:::caution
+:::note
-Cloudflare recommends that you create [WAF custom rules](/waf/custom-rules/) instead of Zone Lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
+Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of zone lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
-For example, a custom rule equivalent to the Zone Lockdown [example rule](#example-rule) provided in this page could have the following configuration:
+For example, a custom rule equivalent to the zone lockdown [example rule](#example-rule) provided in this page could have the following configuration:
- **Description**: `Block all traffic to staging and wiki unless it comes from HQ or branch offices`
- **Expression**: `((http.host eq "staging.example.com") or (http.host eq "example.com" and starts_with(http.request.uri.path, "/wiki/")) and not ip.src in {192.0.2.0/24 2001:DB8::/64 203.0.133.1}`
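Review bot: unrelated to the rename, but the context-line expression is unbalanced: `((http.host eq "staging.example.com") or (http.host eq "example.com" and starts_with(http.request.uri.path, "/wiki/")) and not ip.src in {...}` opens three parentheses and closes only two, so it will not compile as written. The intended grouping is `(A or B) and not ip.src in {...}`, so add the missing `)` after the `starts_with(...)` clause. Also, `203.0.133.1` is not in the RFC 5737 documentation range (`203.0.113.0/24` is); consider swapping it so the example cannot point at a real host.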
@@ -26,13 +26,15 @@ For example, a custom rule equivalent to the Zone Lockdown [example rule](#examp
## Availability
-Cloudflare Zone Lockdown is available on paid plans. The number of available Zone Lockdown rules depends on your Cloudflare plan.
+Cloudflare Zone Lockdown is available on paid plans. However, this feature is only available in the [new security dashboard](/security/) if you have configured at least one zone lockdown rule.
+
+The number of available zone lockdown rules depends on your Cloudflare plan.
-## Create a Zone Lockdown rule
+## Create a zone lockdown rule
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
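Review bot: same gap as the user agent page: the Availability text now says the feature is only visible in the new dashboard once a zone lockdown rule exists, but nothing tells the reader how to create the first one from there; name the old dashboard tab or the `lockdowns` API call as the path for the initial rule.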
@@ -46,10 +48,30 @@ Cloudflare Zone Lockdown is available on paid plans. The number of available Zon
6. For **IP Range**, enter one or more allowed IPv4/IPv6 addresses or CIDR ranges, one per line. Only these IP addresses and ranges will be able to access the resources you entered in **URLs**.
-7. (Optional) If you are creating a Zone Lockdown rule that overlaps with an existing rule, expand **Advanced Options** and enter a priority for the rule in **Priority**. The lower the number, the higher the priority. Higher priority rules take precedence.
+7. (Optional) If you are creating a zone lockdown rule that overlaps with an existing rule, expand **Advanced Options** and enter a priority for the rule in **Priority**. The lower the number, the higher the priority. Higher priority rules take precedence.
8. Select **Save and Deploy lockdown rule**.
+
+
+:::note
+Zone Lockdown is only available in the new security dashboard if you have configured at least one zone lockdown rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of zone lockdown rules.
+:::
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
+
+2. Go to **Security** > **Security rules**, and select **Create rule** > **Zone lockdown rules**.
+
+3. Enter a descriptive name for the rule in **Name**.
+
+4. For **URLs**, enter the domains, subdomains, or URLs you wish to protect from unauthorized IPs. You can use wildcards such as `*`. Enter one item per line.
+
+5. For **IP Range**, enter one or more allowed IPv4/IPv6 addresses or CIDR ranges, one per line. Only these IP addresses and ranges will be able to access the resources you entered in **URLs**.
+
+6. (Optional) If you are creating a zone lockdown rule that overlaps with an existing rule, expand **Advanced Options** and enter a priority for the rule in **Priority**. The lower the number, the higher the priority. Higher priority rules take precedence.
+
+7. Select **Save and Deploy lockdown rule**.
+
Issue a `POST` request for the [Create a Zone Lockdown rule](/api/resources/firewall/subresources/lockdowns/methods/create/) operation similar to the following:
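Review bot: the `:::note` that opens the new-dashboard steps duplicates the Availability paragraph and the page-top recommendation; keep it in one place. Step 4 allows wildcards in **URLs**, which is the one place a mistake widens the allowlist rather than narrowing it; a short reminder that `*.example.com/*` locks down every subdomain, and that requests from IPs outside **IP Range** get `Access Denied`, would help readers pick the narrowest pattern.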
@@ -109,7 +131,7 @@ This example would not protect an internal wiki located on a different directory
## Access denied example
-A visitor from an unauthorized IP will get the following error when there is a match for a Zone Lockdown rule:
+A visitor from an unauthorized IP will get the following error when there is a match for a zone lockdown rule:

diff --git a/src/content/docs/waf/troubleshooting/blocked-bing-site-scans.mdx b/src/content/docs/waf/troubleshooting/blocked-bing-site-scans.mdx
index 14570cb15a4cd2..57a45b3e9c2361 100644
--- a/src/content/docs/waf/troubleshooting/blocked-bing-site-scans.mdx
+++ b/src/content/docs/waf/troubleshooting/blocked-bing-site-scans.mdx
@@ -26,7 +26,8 @@ The exception, shown as a rule with a **Skip** action, must appear in the rules
To check the rule order, use one of the following methods:
-- When using the Cloudflare dashboard, the rules listed in **Security** > **WAF** > **Managed rules** run in order.
+- When using the old Cloudflare dashboard, the rules listed in **Security** > **WAF** > **Managed rules** run in order.
+- When using the new security dashboard, the rules listed in **Security** > **Security rules** run in order.
- When using the Cloudflare API, the rules in the `rules` object obtained using the [Get a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/get/) operation (for your zone and for the `http_request_firewall_managed` phase) run in order.
For more information on creating exceptions, refer to [Create exceptions](/waf/managed-rules/waf-exceptions/).
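Review bot: "the rules listed in **Security** > **Security rules** run in order" is too broad for the new dashboard. Per the ruleset table earlier in this PR, that view lists custom rules (`http_request_firewall_custom`), rate limiting rules (`http_ratelimit`) and managed rules (`http_request_firewall_managed`) together, and the displayed order across those phases does not reflect execution order. Say that the ordering that matters for the Bing exception is among the managed rules entries only, which is also what the API bullet (`http_request_firewall_managed` phase) checks.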
diff --git a/src/content/docs/waf/troubleshooting/facebook-sharing.mdx b/src/content/docs/waf/troubleshooting/facebook-sharing.mdx
index 0c41937111d053..c2f2169f5a4d1a 100644
--- a/src/content/docs/waf/troubleshooting/facebook-sharing.mdx
+++ b/src/content/docs/waf/troubleshooting/facebook-sharing.mdx
@@ -10,7 +10,7 @@ import { GlossaryTooltip } from "~/components";
Cloudflare does not block or challenge requests from Facebook by default. However, a post of a website to Facebook returns an _Attention Required_ error in the following situations:
-- You have globally set the [security level](/waf/tools/security-level/) to _I'm Under Attack_.
+- You have globally [enabled Under Attack mode](/fundamentals/reference/under-attack-mode/).
- There is a [configuration rule](/rules/configuration-rules/) or [page rule](/rules/page-rules/) setting turning on Under Attack mode.
- There is a [custom rule](/waf/custom-rules/) with a challenge or block action that includes a Facebook IP address.
diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx
index 7f2e078bf712ef..bd84731a593585 100644
--- a/src/content/docs/waf/troubleshooting/faq.mdx
+++ b/src/content/docs/waf/troubleshooting/faq.mdx
@@ -28,13 +28,13 @@ If you are using a regular expression, it is recommended that you test it with a
### Why are some rules bypassed when I did not create an exception?
-If you have [SSL/TLS certificates](/ssl/) managed by Cloudflare, every time a certificate is issued or renewed, a [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/dcv-flow/) must happen. When a certificate is in `pending_validation` state and there are valid DCV tokens in place, some Cloudflare security features such as [custom rules](/waf/custom-rules/) and [WAF Managed Rules](/waf/managed-rules/) will be automatically disabled on specific DCV paths (for example, `/.well-known/pki-validation/` and `/.well-known/acme-challenge/`).
+If you have [SSL/TLS certificates](/ssl/) managed by Cloudflare, every time a certificate is issued or renewed, a [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/dcv-flow/) must happen. When a certificate is in `pending_validation` state and there are valid DCV tokens in place, some Cloudflare security features such as [custom rules](/waf/custom-rules/) and [Managed Rules](/waf/managed-rules/) will be automatically disabled on specific DCV paths (for example, `/.well-known/pki-validation/` and `/.well-known/acme-challenge/`).
### Why is Cloudflare blocking a specific IP address?
Cloudflare may block an IP address due to various reasons:
-- **Web Application Firewall (WAF) mitigation actions**: The Cloudflare WAF protects websites from various online threats, including malicious traffic, DDoS attacks, and common vulnerabilities. If your IP address is associated with suspicious or malicious activity, it might trigger the WAF and block requests.
+- **Security mitigation actions**: Cloudflare protects websites from various online threats, including malicious traffic, DDoS attacks, and common vulnerabilities. If your IP address is associated with suspicious or malicious activity, it might trigger a security check and block requests.
- **High security settings**: The website owner might have set their Cloudflare security settings to a high level, making the filtering of incoming traffic stricter. In this situation, even legitimate users may get blocked or have to solve challenges.
@@ -62,9 +62,9 @@ If your IP address is blocked, try the following:
#### Caution about potentially blocking bots
-When you create a WAF custom rule with a _Block_, _Interactive Challenge_, _JS Challenge_, or _Managed Challenge (Recommended)_ action, you might unintentionally block traffic from known bots. Specifically, this might affect search engine optimization (SEO) and website monitoring when trying to enforce a mitigation action based on URI, path, host, ASN, or country.
+When you create a custom rule with a _Block_, _Interactive Challenge_, _JS Challenge_, or _Managed Challenge (Recommended)_ action, you might unintentionally block traffic from known bots. Specifically, this might affect search engine optimization (SEO) and website monitoring when trying to enforce a mitigation action based on URI, path, host, ASN, or country.
-Refer to [How do I exclude certain requests from being blocked or challenged?](#how-do-i-exclude-certain-requests-from-being-blocked-or-challenged).
+Refer to [How do I exclude certain requests from being blocked or challenged?](/cloudflare-challenges/frequently-asked-questions/#how-do-i-exclude-certain-requests-from-being-blocked-or-challenged).
#### Bots currently detected
@@ -77,4 +77,4 @@ For more information on verified bots, refer to [Bots](/bots/concepts/bot/).
:::note
There is no functional difference between known and verified bots. However, the known bots field (`cf.client.bot`) is available for all customers, while the verified bots field (`cf.bot_management.verified_bot`) is available for Enterprise customers.
-:::
\ No newline at end of file
+:::
diff --git a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx
index 8fa34db024341a..80986b899bd9d5 100644
--- a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx
+++ b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx
@@ -4,18 +4,17 @@ source: https://support.cloudflare.com/hc/en-us/articles/360038470312-Understand
title: SameSite cookie interaction with Cloudflare
sidebar:
order: 3
-
---
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
-[Google Chrome enforces SameSite cookie behavior](https://www.chromium.org/updates/same-site) to protect against marketing cookies that track users and Cross-site Request Forgery (CSRF) that allows attackers to steal or manipulate your cookies.
+[Google Chrome enforces SameSite cookie behavior](https://www.chromium.org/updates/same-site) to protect against marketing cookies that track users and Cross-site Request Forgery (CSRF) that allows attackers to steal or manipulate your cookies.
The `SameSite` cookie attribute has three different modes:
-* **Strict**: Cookies are created by the first party (the visited domain). For example, a first-party cookie is set by Cloudflare when visiting `cloudflare.com`.
-* **Lax**: Cookies are only sent to the apex domain (such as `example.com`). For example, if someone (`blog.example.net`) hotlinked an image (`img.example.com/bar.png`), the client does not send a cookie to `img.example.com` since it is neither the first-party nor apex context.
-* **None**: Cookies are sent with all requests.
+- **Strict**: Cookies are created by the first party (the visited domain). For example, a first-party cookie is set by Cloudflare when visiting `cloudflare.com`.
+- **Lax**: Cookies are only sent to the apex domain (such as `example.com`). For example, if someone (`blog.example.net`) hotlinked an image (`img.example.com/bar.png`), the client does not send a cookie to `img.example.com` since it is neither the first-party nor apex context.
+- **None**: Cookies are sent with all requests.
`SameSite` settings for [Cloudflare cookies](/fundamentals/reference/policies-compliances/cloudflare-cookies/) include:
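Review bot: since these bullets are being touched, fix their content as well: the three modes are about whether a cookie is sent on cross-site requests, not about who created it or which host receives it. `Strict` means the browser sends the cookie only when the request originates from the same site; `Lax` additionally sends it on top-level navigations using safe methods such as `GET`; `None` sends it on all cross-site requests and requires `Secure`. "Cookies are only sent to the apex domain" is wrong, since `blog.example.net` hotlinking `img.example.com/bar.png` is a cross-site request regardless of apex or subdomain. The intro sentence also misdescribes CSRF: it makes the browser attach cookies to a forged request, it does not let the attacker steal or manipulate the cookies.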
@@ -35,31 +34,31 @@ The available values for these two attributes are the following:
**`samesite` attribute:**
-* Valid values: `Auto` (default), `Lax`, `None`, `Strict`.
+- Valid values: `Auto` (default), `Lax`, `None`, `Strict`.
**`secure` attribute:**
-* Valid values: `Auto` (default), `Always`, `Never`.
+- Valid values: `Auto` (default), `Always`, `Never`.
The `Auto` value for the `samesite` attribute will have the following behavior:
-* If [**Always Use HTTPS**](/ssl/edge-certificates/additional-options/always-use-https/) is enabled, session affinity cookies will use the `Lax` SameSite mode.
-* If **Always Use HTTPS** is disabled, session affinity cookies will use the `None` SameSite mode.
+- If [**Always Use HTTPS**](/ssl/edge-certificates/additional-options/always-use-https/) is enabled, session affinity cookies will use the `Lax` SameSite mode.
+- If **Always Use HTTPS** is disabled, session affinity cookies will use the `None` SameSite mode.
The `Auto` value for the `secure` attribute will have the following behavior:
-* If **Always Use HTTPS** is enabled, session affinity cookies will include `Secure` in the SameSite attribute.
-* If **Always Use HTTPS** is disabled, session affinity cookies will not include `Secure` in the SameSite attribute.
+- If **Always Use HTTPS** is enabled, session affinity cookies will include `Secure` in the SameSite attribute.
+- If **Always Use HTTPS** is disabled, session affinity cookies will not include `Secure` in the SameSite attribute.
If you set `samesite` to `None` in your API request, you cannot set `secure` to `Never`.
If you require a specific `SameSite` configuration in your session affinity cookies, Cloudflare recommends that you provide values for `samesite` and `secure` different from `Auto`, instead of relying on the default behavior. This way, the value of the `SameSite` cookie attribute will not change due to configuration changes (namely [**Always Use HTTPS**](/ssl/edge-certificates/additional-options/always-use-https/)).
-***
+---
## Known issues with SameSite and `cf_clearance` cookies
-When a visitor solves a [challenge](/cloudflare-challenges/) presented due to a [WAF custom rule](/waf/custom-rules/) or an [IP Access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage).
+When a visitor solves a [challenge](/cloudflare-challenges/) presented due to a [custom rule](/waf/custom-rules/) or an [IP access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage).
Cloudflare uses `SameSite=None` in the `cf_clearance` cookie so that visitor requests from different hostnames are not met with later challenges or errors. When `SameSite=None` is used, it must be set in conjunction with the `Secure` flag.
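Review bot: "session affinity cookies will include `Secure` in the SameSite attribute" is inaccurate on both bullets of the `secure` `Auto` behavior: `Secure` is a separate cookie attribute, not a value inside `SameSite`. Reword to "the cookie will (not) carry the `Secure` attribute". The sentence at the end of this hunk gets it right (`SameSite=None` must be combined with the `Secure` flag), so the two passages should use the same wording.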
@@ -67,15 +66,15 @@ Using the `Secure` flag requires sending the cookie via an HTTPS connection. If
To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose:
-* [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/)
-* [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/)
+- [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/)
+- [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/)
-***
+---
## Related resources
-* [SameSite cookies explained](https://web.dev/samesite-cookies-explained/)
-* [Cloudflare Cookies](/fundamentals/reference/policies-compliances/cloudflare-cookies/)
-* [Cloudflare SSL FAQ](/ssl/troubleshooting/faq/)
-* [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/)
-* [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/)
+- [SameSite cookies explained](https://web.dev/samesite-cookies-explained/)
+- [Cloudflare Cookies](/fundamentals/reference/policies-compliances/cloudflare-cookies/)
+- [Cloudflare SSL FAQ](/ssl/troubleshooting/faq/)
+- [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/)
+- [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/)
diff --git a/src/content/docs/workers/examples/signing-requests.mdx b/src/content/docs/workers/examples/signing-requests.mdx
index 021eaee48596cd..0436bae5960aaf 100644
--- a/src/content/docs/workers/examples/signing-requests.mdx
+++ b/src/content/docs/workers/examples/signing-requests.mdx
@@ -461,4 +461,4 @@ async def on_fetch(request, env):
## Validate signed requests using the WAF
-The provided example code for signing requests is compatible with the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) Rules language function. This means that you can verify requests signed by the Worker script using a [WAF custom rule](/waf/custom-rules/use-cases/configure-token-authentication/#option-2-configure-using-waf-custom-rules).
+The provided example code for signing requests is compatible with the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) Rules language function. This means that you can verify requests signed by the Worker script using a [custom rule](/waf/custom-rules/use-cases/configure-token-authentication/#option-2-configure-using-custom-rules).
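Review bot: the renamed fragment `#option-2-configure-using-custom-rules` only works if a heading with that slug now exists on `/waf/custom-rules/use-cases/configure-token-authentication/`; the change to that page is not part of this hunk, so verify the heading was renamed in the same change, since a stale fragment fails silently (the link lands at the top of the page) rather than breaking the build.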
diff --git a/src/content/partials/waf/bic-description.mdx b/src/content/partials/waf/bic-description.mdx
index ced26dbfa912bc..7388ada18c69f7 100644
--- a/src/content/partials/waf/bic-description.mdx
+++ b/src/content/partials/waf/bic-description.mdx
@@ -2,6 +2,6 @@
{}
---
-Cloudflare's **Browser Integrity Check (BIC)** looks for common HTTP headers abused most commonly by spammers and denies access to your page.
+Cloudflare's Browser Integrity Check (BIC) looks for common HTTP headers abused most commonly by spammers and denies access to your page.
It also challenges visitors without a user agent or with a non-standard user agent such as commonly used by abusive bots, crawlers, or visitors.
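Review bot: style only, on the unchanged context line: "with a non-standard user agent such as commonly used by abusive bots, crawlers, or visitors" reads awkwardly and "or visitors" is circular (the visitor is the subject of the sentence); while touching this partial, consider "such as those commonly used by abusive bots and crawlers".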
diff --git a/src/content/partials/waf/custom-rules-intro.mdx b/src/content/partials/waf/custom-rules-intro.mdx
index 8b989f5bca6366..a15a1c07ef2779 100644
--- a/src/content/partials/waf/custom-rules-intro.mdx
+++ b/src/content/partials/waf/custom-rules-intro.mdx
@@ -2,7 +2,9 @@
{}
---
-Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define.
+Custom rules allow you to control incoming traffic by filtering requests to a zone. They work as customized web application firewall (WAF) rules that you can use to perform actions like _Block_ or _Managed Challenge_ on incoming requests.
+
+In the [new security dashboard](/security/), custom rules are one of the available types of [security rules](/security/rules/). Security rules perform security-related actions on incoming requests that match specified filters.
Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters:
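Review bot: the new paragraph introduces two link targets, `/security/` and `/security/rules/`, that appear nowhere else in this diff; confirm both paths exist so the build's link check passes. Minor wording point: the rewritten first sentence describes custom rules as "customized web application firewall (WAF) rules" while the other hunks in this change drop "WAF" from "WAF custom rules" and "WAF managed rulesets"; if the goal is to move away from the WAF naming, consider phrasing this sentence the same way.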
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable.mdx b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
index e7ec453836e2bf..9c8e7ac04ea73c 100644
--- a/src/content/partials/waf/leaked-credentials-detection-enable.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
@@ -6,12 +6,18 @@ import { TabItem, Tabs, Render, APIRequest } from "~/components";
On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard, via API, or using Terraform.
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Under **Incoming traffic detections**, turn on **Leaked credentials**.
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Security** > **Settings** and filter by **Detections**.
+3. Next to **Leaked Credential Detection**, set the toggle to **On**.
+
Use a `POST` request similar to the following:
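Review bot: the two dashboard procedures name the same setting differently, **Leaked credentials** in step 3 of the first list and **Leaked Credential Detection** in step 3 of the second; confirm each matches the exact label in its respective dashboard, since readers search the page for the literal string. The dashboard link is `https://dash.cloudflare.com/` in the first list and `https://dash.cloudflare.com` in the second; pick one form. The added empty `+` lines around the lists suggest they are wrapped in tab components that are not visible here; make sure each numbered list sits inside its own tab so the two do not render as one merged list.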
diff --git a/src/content/partials/waf/managed-rules-browse-zone-new-nav.mdx b/src/content/partials/waf/managed-rules-browse-zone-new-nav.mdx
new file mode 100644
index 00000000000000..1e828187fce244
--- /dev/null
+++ b/src/content/partials/waf/managed-rules-browse-zone-new-nav.mdx
@@ -0,0 +1,15 @@
+---
+{}
+---
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
+
+2. Go to **Security** > **Security rules**.
+
+3. In the rules table, search for the managed ruleset you want to configure/browse. Look for a rule with an _Execute_ action. At the top of the page, you can filter the rules to show **Managed rules** only.
+
+4. Select the rule name (containing the name of the managed ruleset).
+
+5. Select **Browse rules**.
+
+ 
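Review bot: in step 3, "configure/browse" should be spelled out as "configure or browse", and the order of the two hints is backwards for the reader: filtering the table to **Managed rules** first, then looking for the _Execute_ action, makes the search shorter than the current sequence. The final added line is whitespace-only (`+ `); drop it unless a component was stripped from this view.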
diff --git a/src/content/partials/waf/managed-ruleset-config-options.mdx b/src/content/partials/waf/managed-ruleset-config-options.mdx
index b69fab68e3f9e7..c0879c18241558 100644
--- a/src/content/partials/waf/managed-ruleset-config-options.mdx
+++ b/src/content/partials/waf/managed-ruleset-config-options.mdx
@@ -9,7 +9,7 @@ import { Render } from "~/components";
To customize the behavior of managed rulesets, do one of the following:
-- [Create exceptions](/waf/managed-rules/waf-exceptions/) to skip the execution of WAF managed rulesets or some of their rules under certain conditions.
+- [Create exceptions](/waf/managed-rules/waf-exceptions/) to skip the execution of managed rulesets or some of their rules under certain conditions.
- Configure overrides to change the rule action
or disable one or more rules of managed rulesets. Overrides can affect an
entire managed ruleset, specific tags, or specific rules in the managed
diff --git a/src/content/partials/waf/managed-rulesets/api-next-steps.mdx b/src/content/partials/waf/managed-rulesets/api-next-steps.mdx
index 6790e9c5b6523c..04691609489cd7 100644
--- a/src/content/partials/waf/managed-rulesets/api-next-steps.mdx
+++ b/src/content/partials/waf/managed-rulesets/api-next-steps.mdx
@@ -1,13 +1,24 @@
---
params:
- rulesetName
+ - customizableAction?
---
### Next steps
To configure the {props.rulesetName} via API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations:
-- Specify the action to perform for all the rules in the ruleset by creating a ruleset override.
-- Disable or customize the action of individual rules by creating rule overrides for those rules.
+
+ {props.customizableAction && (
+ -
+ Specify the action to perform for all the rules in the ruleset by creating
+ a ruleset override.
+
+ )}
+ -
+ Disable {props.customizableAction && "or customize the action of"}
+ individual rules by creating rule overrides.
+
+
For examples of creating overrides using the API, refer to [Override a managed ruleset](/ruleset-engine/managed-rulesets/override-managed-ruleset/).
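Review bot: in `Disable {props.customizableAction && "or customize the action of"}` the continuation `individual rules by creating rule overrides.` starts on the next line; check the rendered output keeps a space between the expression's string and `individual` when `customizableAction` is set (JSX trims the leading whitespace of a following text line, so this can render as "action ofindividual"). The list items appear here as bare `-` lines, one inside the `{...}` expression and one outside it; the element that turns them into list items is not visible in this hunk, so verify both the one-item case (`customizableAction` unset) and the two-item case render as a proper list under "You can perform the following configurations:".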
diff --git a/src/content/partials/waf/security-level-scores.mdx b/src/content/partials/waf/security-level-scores.mdx
index e6a19d096294e3..7dbda559a005c3 100644
--- a/src/content/partials/waf/security-level-scores.mdx
+++ b/src/content/partials/waf/security-level-scores.mdx
@@ -2,13 +2,11 @@
{}
---
-In the Cloudflare dashboard, security level has the value _Always protected_ and you cannot change this setting. To turn Under Attack mode on or off, use the separate toggle.
+In the old Cloudflare dashboard, security level has the value _Always protected_ and you cannot change this setting. To turn [Under Attack mode](/fundamentals/reference/under-attack-mode/) on or off, use the separate toggle.
-In the API and in Terraform, use security level to turn Under Attack mode on or off.
+In the new security dashboard, the Cloudflare API, and in Terraform, use security level to turn Under Attack mode on or off.
-Cloudflare's Under Attack mode performs additional security checks to help mitigate layer 7 DDoS attacks.
-
-When you select _I'm Under Attack!_, which enables [Under Attack mode](/fundamentals/reference/under-attack-mode/), Cloudflare will present a JS challenge page.
+Cloudflare's [Under Attack mode](/fundamentals/reference/under-attack-mode/) performs additional security checks to help mitigate layer 7 DDoS attacks. When you enable Under Attack mode, Cloudflare will present a JS challenge page.
:::caution
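Review bot: grammar in the added line `+In the new security dashboard, the Cloudflare API, and in Terraform, use security level to turn Under Attack mode on or off.`: the preposition is repeated unevenly across the list; suggest "In the new security dashboard, the Cloudflare API, and Terraform, use security level ...". Also, [Under Attack mode](/fundamentals/reference/under-attack-mode/) is now linked in both the first added paragraph and the third; linking it once is enough.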
diff --git a/src/content/partials/waf/waf-managed-rules-intro.mdx b/src/content/partials/waf/waf-managed-rules-intro.mdx
index 6c472920abba73..b7df59d663c49f 100644
--- a/src/content/partials/waf/waf-managed-rules-intro.mdx
+++ b/src/content/partials/waf/waf-managed-rules-intro.mdx
@@ -2,13 +2,13 @@
{}
---
-The Cloudflare WAF includes pre-configured managed rulesets that you can deploy. These managed rulesets provide immediate protection against:
+Cloudflare provides pre-configured managed rulesets that protect against web application exploits such as the following:
- Zero-day vulnerabilities
- Top-10 attack techniques
- Use of stolen/leaked credentials
- Extraction of sensitive data
-The WAF's managed rulesets are [regularly updated](/waf/change-log/). Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions.
+Managed rulesets are [regularly updated](/waf/change-log/). Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions.
Rules of managed rulesets have associated tags (such as `wordpress`) that allow you to search for a specific group of rules and configure them in bulk.
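Review bot: the new lead-in "protect against web application exploits such as the following:" does not fit the unchanged list items: "Zero-day vulnerabilities" are vulnerabilities rather than exploits, and "Use of stolen/leaked credentials" and "Extraction of sensitive data" are threats or attacker goals rather than web application exploits. The removed wording "provide immediate protection against:" avoided the category mismatch; suggest "protect against threats such as the following:".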