Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Cloudflare Exposed Credentials Check

The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials.

The managed ruleset includes rules for the following CMS applications:

  • WordPress
  • Joomla
  • Drupal
  • Ghost
  • Plone
  • Magento

Additionally, this managed ruleset also includes generic rules for other common patterns:

  • Check forms submitted using a POST request containing username and password arguments
  • Check credentials sent as JSON with email and password keys
  • Check credentials sent as JSON with username and password keys

The default action for the rules in managed ruleset is Exposed-Credential-Check Header (named rewrite in the API).

For more information on exposed credentials checks, refer to Automated exposed credentials check.

​​ Configure in the dashboard

You can configure the following settings of the Cloudflare Exposed Credentials Check Managed Ruleset in the dashboard:

  • Set the action to perform. When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. To remove the action override, set the ruleset action to Default.
  • Override the action performed by individual rules. The available actions are: Exposed-Credential-Check Header, Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. For more information, refer to Available actions.
  • Disable specific rules.
  • Customize the filter expression. With a custom expression, the Cloudflare Managed Ruleset applies only to a subset of the incoming requests.
  • Configure payload logging.

For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.

​​ Configure via API

To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with execute action in the entry point ruleset for the http_request_firewall_managed phase. For more information on deploying a managed ruleset, refer to Deploy a managed ruleset.

To configure the Exposed Credentials Check Managed Ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:

  • Specify the action to perform for all the rules in the ruleset by creating a ruleset override.
  • Disable or customize the action of individual rules by creating rule overrides for those rules.

For examples of creating overrides using the API, refer to Override a managed ruleset.