Cloudflare Docs

Cloudflare Docs

Overview
Concepts
WAF attack score
Uploaded content scanning
Custom rules
Create custom rules in the dashboard
Create custom rules via API
Configure a rule with the Skip action
API examples
Skip options
Manage custom rules in the dashboard
Custom rulesets
Use the dashboard
Use the API
Firewall rules
Rate limiting rules
Determining the rate
Create in the dashboard for a zone
Create in the dashboard for an account
Create via API
Rate limiting parameters
Rule examples
Best practices
Managed rules
Deploy in the dashboard for a zone
Deploy in the dashboard for an account
Deploy via API
Rulesets reference
Cloudflare Managed Ruleset
Cloudflare OWASP Core Ruleset
Cloudflare Exposed Credentials Check
Create WAF exceptions
Add an exception in the dashboard
Add an exception via API
Log the payload of matched rules
Configure payload logging in the dashboard
View the payload content in the dashboard
Configure payload logging via API
Command-line operations
Generate a key pair
Decrypt the payload content
Additional tools
IP Access rules
Create a rule
Parameters
Actions
User Agent Blocking
Zone Lockdown
Automated exposed credentials check
How exposed credentials checks work
Configure exposed credentials checks via API
Test your exposed credentials checks configuration
Monitor exposed credentials events
Security Analytics
Security Events
Free plan
Paid plans
Additional information
Reference
Alerts
Phases
Migration guides
Migrating to the new WAF Managed Rules
Firewall rules are becoming custom rules
Deprecation of old rate limiting
Troubleshooting
Bing's Site Scan blocked by a managed rule
Changelog
Scheduled changes
2023-05-02
2023-04-11
2023-03-20
2023-03-13
2023-03-06
2023-02-27
2023-02-13
2023-02-06
2023-01-30
2023-01-24
2023-01-16
2023-01-09
2022-12-12
2022-11-29
2022-11-14
2022-10-31
2022-10-18 - Emergency
2022-10-17
2022-10-14 - Emergency
2022-10-10
2022-10-03 - Emergency
2022-10-03
2022-09-20 – Emergency
2022-09-12
2022-09-05
2022-08-30
2022-08-22
2022-08-15
2022-08-01
2022-07-25
2022-07-18
2022-07-06
2022-07-05
2022-06-20
2022-06-10 – Emergency
2022-06-07 – Emergency
2022-06-06
2022-06-04 – Emergency
2022-06-03 – Emergency
2022-05-30
2022-05-16
2022-05-10 – Emergency
2022-05-09
2022-04-25
2022-04-20
2022-04-11
2022-04-04 – Emergency
2022-03-31 – Emergency
2022-03-29 – Emergency
2022-03-14
2022-03-07
2022-02-28
2022-02-21
2022-02-14
2022-01-24
2021-12-16 – Emergency
2021-12-14 – Emergency
2021-12-10 – Emergency
2021-11-01
2021-10-25
2021-10-19
2021-10-04
2021-09-06
2021-09-01 – Emergency
2021-08-31
2021-08-23
2021-08-16
2021-07-26
2021-07-19
2021-07-01 – Emergency
2021-06-21
2021-06-14
2021-06-07
2021-06-01
2021-04-21 – Emergency
2021-04-19
2021-03-22
2021-03-08
2021-03-06 – Emergency
2021-03-05 – Emergency
2021-03-01
2020-12-14
2020-12-02
2020-11-16
2020-11-05 – Emergency
2020-11-04 – Emergency
2020-10-19
2020-10-12
2020-10-05
2020-09-28
2020-09-21
2020-09-15
2020-09-07
2020-08-24
2020-09-01
2020-07-27
2020-08-03
2020-07-20
2020-07-07 – Emergency
2020-07-13
2020-06-22
2020-06-15
2020-06-08
2020-05-25
2020-05-11
2020-05-04
2020-04-27
2020-04-20
2020-04-06
2020-03-30
2020-03-23
2020-03-12
2020-03-09
2020-03-02 – Emergency
2020-02-17
2020-02-10
2020-01-27
2020-01-20
2020-01-16 – Emergency
2019-12-16
2019-11-25 – Emergency
2019-11-12
2019-11-07 – Emergency
2019-11-04
2019-10-27 – Emergency
2019-10-23 – Emergency
2019-10-21
2019-10-17 – Emergency
2019-10-14
2019-10-07
2019-09-30
2019-09-26 – Emergency
2019-09-16
Historical

Create custom rules in the dashboard

Create custom rules in Security > WAF > Custom rules.

Create a custom rule

To create a new custom rule:

Log in to the Cloudflare dashboard.
Select the Websites tab and choose the site for which you want to create a rule.
Go to Security > WAF > Custom rules.
Select Create rule.
Enter a descriptive name for the rule in Rule name.
Under If incoming requests match…, use the Field drop-down list to choose an HTTP property. For each request, the value of the property you choose for Field is compared to the value you specify for Value using the operator selected in Operator.
Select the rule action from the Choose action drop-down list. For example, selecting Block tells Cloudflare to refuse requests that match the conditions you specified.
(Optional) If you selected the Block action, you can configure a custom response.
To save and deploy your rule, select Save and Deploy. If you are not ready to deploy your rule, select Save as Draft.

Configuring a custom response for blocked requests

When you select the Block action in a custom rule you can optionally define a custom response.

The custom response has three settings:

Response type: Choose a content type or the default WAF block response from the list. The available custom response types are the following:
Dashboard value API value
Custom HTML "text/html"
Custom Text "text/plain"
Custom JSON "application/json"
Custom XML "text/xml"
Response code: Choose an HTTP status code for the response, in the range 400-499. The default response code is 403.
Response body: The body of the response. Configure a valid body according to the response type you selected.