Create a Configuration Rule via API
Use the Rulesets API to create Configuration Rules via API.
When creating a Configuration Rule via API, make sure you:
- Set the rule action to
set_config
. - Define the parameters in the
action_parameters
field according to the settings you wish to override for matching requests. - Deploy the rule to the
http_config_settings
phase at the zone level.
Follow this workflow to create a Configuration Rule for a given zone via API:
Use the List existing rulesets method to check if there is already a ruleset for the
http_config_settings
phase at the zone level.If the phase ruleset does not exist, create it using the Create ruleset method with the zone-level endpoint. In the new ruleset properties, set the following values:
- kind:
zone
- phase:
http_config_settings
- kind:
Use the Update ruleset method to add a Configuration Rule to the list of ruleset rules (check the examples below). Alternatively, include the rule in the Create ruleset request mentioned in the previous step.
Required API token permissions
The API token used in API requests to manage Configuration Rules must have at least the following permission:
- Zone > Config Rules > Edit
Examples
Example: Add a rule that enables Auto Minify for CSS files and enables Hotlink Protection
The following example sets the rules of an existing phase ruleset (<RULESET_ID>
) to a single Configuration Rule — enabling Auto Minify for CSS files and Hotlink Protection for the assets.example.com
hostname — using the Update ruleset method:
cURL example request$ curl -X PUT \"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \-H "Authorization: Bearer <API_TOKEN>" \-H "Content-Type: application/json" \-d '{ "rules": [ { "expression": "http.host eq \"assets.example.com\"", "description": "Minifies CSS files and enables Hotlink Protection for assets.example.com", "action": "set_config", "action_parameters": { "autominify": { "html": false, "css": true, "js": false }, "hotlink_protection": true } } ]
}'
Example: Add a rule that enables Email Obfuscation and Browser Integrity Check
The following example sets the rules of an existing phase ruleset (<RULESET_ID>
) to a single Configuration Rule — enabling Email Obfuscation and Browser Integrity Check for the contacts page — using the Update ruleset method:
cURL example request$ curl -X PUT \"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \-H "Authorization: Bearer <API_TOKEN>" \-H "Content-Type: application/json" \-d '{ "rules": [ { "expression": "starts_with(http.request.uri.path, \"/contact-us/\")", "description": "Obfuscates email addresses and enables BIC in contacts page", "action": "set_config", "action_parameters": { "email_obfuscation": true, "bic": true } } ]
}'
Example: Add a rule that sets the Security Level to High
The following example sets the rules of an existing phase ruleset (<RULESET_ID>
) to a single Configuration Rule — changing the Security Level to High for the administration area — using the Update ruleset method:
cURL example request$ curl -X PUT \"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \-H "Authorization: Bearer <API_TOKEN>" \-H "Content-Type: application/json" \-d '{ "rules": [ { "expression": "http.host eq \"admin.example.com\"", "description": "Change Security Level for admin area", "action": "set_config", "action_parameters": { "security_level": "high" } } ]
}'