Is there a recommended way to set up WAF for endpoints that are critical APIs? I'm worried about los

Is there a recommended way to set up WAF for endpoints that are critical APIs? I'm worried about losing important incoming webhooks due to firewall rules. Would I just turn off all protection? And I'm guessing that can be done with the 5 waf rules on the free tier?

savage+•6/24/24, 11:31 AM

Hi, I have a question about the new snippets. Does it run any javascript code? I am looking to rewrite my meta titles with it? Is that doable?

Jjohtso Is there a recommended way to set up WAF for endpoints that are critical APIs? I...

Hard@Work•6/24/24, 11:34 AM

For that kind of thing, I would probably check with the provider to see if they have some way of uniquely identifying their requests. Some of them are verified bots, which makes it a bit easier

HHard@Work For that kind of thing, I would probably check with the provider to see if they ...

johtsoOP•6/24/24, 11:38 AM

I integrate with some shonky companies where I don't have any control over what their requests look like. If I give them a url with some unique identifier in the path I don't want cloudflare being nanny and blocking requests for my own good

johtsoOP•6/24/24, 11:39 AM

I kind of wish the security offerings of cf were more opt-in..

johtsoOP•6/24/24, 11:40 AM

I've never used a host before that might just not deliver a request to your endpoint because it doesn't like the headers

Jjohtso I integrate with some shonky companies where I don't have any control over what ...

Hard@Work•6/24/24, 12:09 PM

You can do that? If you have a given query in the URL, you should be able to filter on it and allow it to bypass other layers(other than BFM)

Hard@Work•6/24/24, 12:10 PM

At least you should be able to

Chosen Joshua•6/24/24, 12:11 PM

Good morning. Don't hesitate to visit my web site www.godwillchosenjoshua.com. Scroll until the end for seeing more (books, audios and blogs). God bless you.

HHard@Work You can do that? If you have a given query in the URL, you should be able to fil...

johtsoOP•6/24/24, 12:23 PM

Yeah I see I should be able to set up a bypass rule. Unfortunately this is only possible if you have a domain fully set up as a zone. If you just connect a subdomain of an externally managed domain to a pages app for example you have no control. And adding a subdomain as a zone requires a 200$ business plan.

Jjohtso Yeah I see I should be able to set up a bypass rule. Unfortunately this is only ...

Hard@Work•6/24/24, 12:26 PM

There might be a way to get around WAF blocks for Custom Domains? Maybe try asking support?

HHard@Work There *might* be a way to get around WAF blocks for Custom Domains? Maybe try as...

johtsoOP•6/24/24, 12:29 PM

I was having a chat with Walshy yesterday and he says he doesn't think it can be disabled unfortunately

johtsoOP•6/24/24, 12:30 PM

I'm not 100% clear on the terminology, but this was browser integrity which I think is distinct from WAF

Hard@Work•6/24/24, 12:30 PM

Oh...

Jjohtso I'm not 100% clear on the terminology, but this was browser integrity which I th...

Hard@Work•6/24/24, 12:31 PM

Hm... I forget, isn't there a (hacky) way to add CF for SaaS ontop of a Custom Domain?

johtsoOP•6/24/24, 12:32 PM

I did get that suggestion from someone.. maybe I should take another look..

johtsoOP•6/24/24, 12:35 PM

I was scared off by the SaaS branding but maybe it's not that bad..

johtsoOP•6/24/24, 12:36 PM

I'm guessing I'd need to add at least one domain name to my account though

Jjohtso I was scared off by the SaaS branding but maybe it's not that bad..

Hard@Work•6/24/24, 12:49 PM

CF for SaaS, as simple as it gets, is just a way to allow CNAMEs to your CF domain. It comes with support for SSL/TLS cert issuance, but it doesn't have to be more complex

Hard@Work•6/24/24, 12:49 PM

If you aren't using CF for SaaS, then it should throw a CNAME Cross-User Forbidden, since Cloudflare doesn't actually know what to serve if it hasn't been set up

johtsoOP•6/24/24, 12:51 PM

Awesome, and if I'm not mistaken it's what pages uses under the hood

johtsoOP•6/24/24, 12:52 PM

But if I set it up myself then I get more control

johtsoOP•6/24/24, 12:53 PM

Time to buy a 1.111B class domain I guess :lul:

SI•6/24/24, 12:59 PM

Hey,
Does anyone have a template for an API command to set up receiving notifications by email or log push to receive notifications about any change in WAF?
For example, receiving an email when a user added a new custom rule

johtsoOP•6/24/24, 1:06 PM

@Hard@Work | R2 I will need to add a domain to my account to be the fallback domain right?

Jjohtso @Hard@Work | R2 I will need to add a domain to my account to be the fallback dom...

Hard@Work•6/24/24, 1:07 PM

Yeah, though it might be good to check if it is actually possible before buying a domain(if you don't have one already)

arch•6/24/24, 1:12 PM

Pride banner :bibicat:

johtsoOP•6/24/24, 1:45 PM

And by possible you mean bypassing browser integrity? Hmm, after a Google I do see a lot of similar unanswered questions in the community forum regarding the free tier

johtsoOP•6/24/24, 1:51 PM

Looks like it should be https://developers.cloudflare.com/waf/tools/browser-integrity-check/

Cloudflare Docs

Browser Integrity Check · Cloudflare Web Application Firewall (WAF)...

Cloudflare’s Browser Integrity Check (BIC) looks for common HTTP headers abused most commonly by spammers and denies access to your page.

Tekatren (Djkáťo)•6/24/24, 3:28 PM

How does cloudflares new crawler hints mix with existing sitemaps? Will one invalidate the other? Afaik they just mentioned using sitemaps, but I don't know if these will be available under a public url?

dannyboah.•6/24/24, 7:17 PM

Hi, I have a technical question regarding Cloudflare operation. Is this the right place?

TTekatren (Djkáťo)How does cloudflares new crawler hints mix with existing sitemaps? Will one inva...

Chaika•6/24/24, 7:21 PM

straight from the source: (indexnow is what its actually called)
https://www.indexnow.org/faq

I have a sitemap, do I need IndexNow?
Yes, when sitemaps are an easy way for webmasters to inform search engines about all pages on their sites that are available for crawling, sitemaps are visited by Search Engines infrequently. With IndexNow, webmasters ''don't'' have to wait for search engines to discover and crawl sitemaps but can directly notify search engines of new content.

Ddannyboah.Hi, I have a technical question regarding Cloudflare operation. Is this the righ...

Chaika•6/24/24, 7:22 PM

This is the Cloudflare Developer Community Discord, where volunteers and even some nice employees who (outside of their job obligations) hang around as well, for mostly dev platform products. You can ask anything, there's no guarantees on someone knowing the answer though, espec if it strays away from public knowledge/what people can disclose/the dev platform

Tekatren (Djkáťo)•6/24/24, 7:22 PM

I read it as "it's an upgrade" but I don't see what happens if I have both

TTekatren (Djkáťo)I read it as "it's an upgrade" but I don't see what happens if I have both

Chaika•6/24/24, 7:23 PM

like it says, indexnow is just faster. It's just submitting urls directly to bing and such to be crawled. search engines otherwise slowly crawl sitemaps and might eventually find new pages to crawl

Chaika•6/24/24, 7:23 PM

just another way to submit urls to be crawled, doesn't invalidate anything else

Tekatren (Djkáťo)•6/24/24, 7:23 PM

Ah, so it only knows of previously visited, not other that aren't

Chaika•6/24/24, 7:24 PM

right, Cf's indexnow is entirely off traffic/pages people hit

Tekatren (Djkáťo)•6/24/24, 7:24 PM

I see, thank you for your input, makes sense :)

Chaika•6/24/24, 7:24 PM

https://blog.cloudflare.com/from-0-to-20-billion-how-we-built-crawler-hints

The Cloudflare Blog

From 0 to 20 billion - How We Built Crawler Hints

Cloudflare Is reducing the environmental impact of web searches with 20+ billions crawler hints delivered so far. This blog describes the technical solution of how we built the Crawler Hints system that makes all this possible.

CChaika This is the Cloudflare Developer Community Discord, where volunteers and even so...

dannyboah.•6/24/24, 7:29 PM

I cannot receive emails from Cloudflare due to a problem with the DNS settings. Google support has informed me that the DNS settings for my email (which is also my website) are not configured correctly, preventing me from receiving emails. As a result, I cannot log into my account to configure the DNS because the verification email was sent to an address I do not receive. What should I do in such a situation?

Ddannyboah.I cannot receive emails from Cloudflare due to a problem with the DNS settings. ...

Chaika•6/24/24, 7:29 PM

You can't login to Cloudflare because your account email is setup to your domain which is misconfigured?

CChaika You can't login to Cloudflare because your account email is setup to your domain...

dannyboah.•6/24/24, 7:30 PM

exactly

Chaika•6/24/24, 7:31 PM

If you know the email and have 2FA or email delivery issues: https://dash.cloudflare.com/login-help (works while logged out)

Chaika•6/24/24, 7:31 PM

you can fill out that form there and say you can't receive emails at your account address

Chaika•6/24/24, 7:31 PM

for the future, doing your account like that is a bad idea for the reasons you've just discovered. I would make an account on a gmail/outlook/other undomain attached email as a backup account and invite it as a superadmin to your acct when you regain access, so you always have a way in

CChaika for the future, doing your account like that is a bad idea for the reasons you'v...

dannyboah.•6/24/24, 7:32 PM

I already sent them an email from another address and am waiting for a reply. I just wanted to know if there is another way to solve this.

Ddannyboah.I already sent them an email from another address and am waiting for a reply. I ...

Chaika•6/24/24, 7:33 PM

you went through that form, or what do you mean?

Chaika•6/24/24, 7:35 PM

you can't email support@cloudflare.com if that's what you did. If you went through that form, they told you to verify or whatever then that's fine, just have to wait for them. For security reasons there's no other way, nothing anyone in here can help with

CChaika you went through that form, or what do you mean?

dannyboah.•6/24/24, 7:35 PM

I thought of a more aggressive solution: re-create an account for my domain and then set up the email correctly. However, I'm waiting for a response from them first.

Chaika•6/24/24, 7:35 PM

yea, you can do that and change the nameservers over if you have control over the registrar

Is there a recommended way to set up WAF for endpoints that are critical APIs? I'm worried about los

Similar Threads

Similar Threads

Similar Threads