Looking for feedback on a WAF-false-positive workaround with a Worker
Background
- We have a web-mail POST endpoint behind CF Enterprise WAF.
- Fields like html_body, image, compose_cc often trigger false positives.
- We do want WAF Managed Rules on the rest of the form (To/From/Subject/etc).

Idea
1. Worker strips a KV-config list of “noisy” fields, AES-GCM encrypts & stashes them in KV/R2
2. Sends sanitized sub-request with X-WAF-Scan:1 ⟶ WAF scans only the clean parts
3. If WAF passes, Worker pulls stored data, rebuilds full body, POSTs direct to origin
4. Auto-cleanup via TTL on KV/R2

Question
1. Anyone already doing something like this?
2. Gotchas with skip rules / header approach?
3. Better pattern to keep WAF on but ignore selected fields?
4. Performance hints: large file parts ⟶ R2 feels okay—any streaming tricks?

Thanks!
0 Replies