Cloudflare Exposed Credentials Check
The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials.
The managed ruleset includes rules for the following CMS applications:
- WordPress
- Joomla
- Drupal
- Ghost
- Plone
- Magento
Additionally, this managed ruleset also includes generic rules for other common patterns:
- Check forms submitted using a
POST
request containingusername
andpassword
arguments - Check credentials sent as JSON with
email
andpassword
keys - Check credentials sent as JSON with
username
andpassword
keys
The default action for the rules in managed ruleset is Exposed-Credential-Check Header (named rewrite
in the API).
For more information on exposed credentials checks, refer to Automated exposed credentials check.
Configure in the dashboard
You can configure the following settings of the Cloudflare Exposed Credentials Check Managed Ruleset in the dashboard:
- Set the action to perform. When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. To remove the action override, set the ruleset action to Default.
- Override the action performed by individual rules. The available actions are: Exposed-Credential-Check Header, Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. For more information, refer to Available actions.
- Disable specific rules.
- Customize the filter expression. With a custom expression, the Cloudflare Managed Ruleset applies only to a subset of the incoming requests.
- Configure payload logging.
For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.
Configure via API
To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with execute
action in the entry point ruleset for the http_request_firewall_managed
phase. For more information on deploying a managed ruleset, refer to Deploy a managed ruleset.
To configure the Exposed Credentials Check Managed Ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:
- Specify the action to perform for all the rules in the ruleset by creating a ruleset override.
- Disable or customize the action of individual rules by creating rule overrides for those rules.
For examples of creating overrides using the API, refer to Override a managed ruleset.