How do I create a WAF rule to allow file uploads?
I keep getting blocked by "Cloudflare OWASP Core Ruleset configuration"
This is not working:
(http.request.uri.path contains "cool.com" and http.request.method eq "POST")
Changing "managed challenge" to "Log" fixes it, but that seems like a bad workaround.
2 Replies
Support AI
According to the Cloudflare documentation, the issue you're experiencing is likely due to the Cloudflare OWASP Core Ruleset configuration.
The Cloudflare OWASP Core Ruleset is a set of rules designed to protect against common web application vulnerabilities. When a request triggers one of these rules, it can result in the request being blocked or challenged.
The rule you provided
(http.request.uri.path contains "cool.com" and http.request.method eq "POST")
is likely triggering one of the OWASP rules, causing the request to be blocked.
Changing the action from "Managed Challenge" to "Log" is not a recommended workaround, as it may allow malicious traffic to pass through.
Instead, you can try to identify which specific OWASP rule is being triggered and adjust your configuration accordingly. You can do this by checking the Cloudflare logs to see which rule is being triggered.
Additionally, you can also try to adjust the paranoia level of the OWASP Core Ruleset to a lower level, such as PL1 or PL2, to reduce the likelihood of false positives.
It's also worth noting that you can create overrides for specific rules in the OWASP Core Ruleset to disable them for certain requests or paths. This can be done using the Cloudflare API or the Cloudflare dashboard.
For more information on configuring the Cloudflare OWASP Core Ruleset, you can refer to the Cloudflare documentation: https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/configure-api/
It's also recommended to review the Cloudflare documentation on OWASP Core Ruleset concepts: https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/concepts/
Please let me know if you need more help or guidance on this issue.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
Changed http.request.uri.path to hostname. Works great!
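Why the first expression never matched, and how widely the hostname version applies, shown as an added example that is not part of the thread. It models the fields for constructed requests; the sample URLs, the `/upload` path, the reading of "hostname" as `http.host`, and the third, narrower rule are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample requests; the paths are hypothetical, not from the thread.
SAMPLES = [
    ("POST", "https://cool.com/upload"),
    ("POST", "https://cool.com/login"),
    ("GET", "https://cool.com/upload"),
    ("POST", "https://www.cool.com/api/files"),
]


def fields(method, url):
    """Model the three Cloudflare fields used by the rules in the thread."""
    parts = urlsplit(url)
    return {
        "http.host": parts.hostname,                 # hostname only
        "http.request.uri.path": parts.path or "/",  # path only, never the hostname
        "http.request.method": method,
    }


def is_post(f):
    return f["http.request.method"] == "POST"


RULES = {
    # Original rule: looks for the hostname inside the path.
    "path_contains": lambda f: "cool.com" in f["http.request.uri.path"] and is_post(f),
    # Rule after the fix (assumes "hostname" means http.host).
    "host_contains": lambda f: "cool.com" in f["http.host"] and is_post(f),
    # Assumed narrower variant: exact host and the hypothetical upload path.
    "host_and_path": lambda f: f["http.host"] == "cool.com"
    and f["http.request.uri.path"] == "/upload" and is_post(f),
}


def matched(rule):
    """Return the sample requests the named rule would apply to."""
    return [(m, u) for m, u in SAMPLES if RULES[rule](fields(m, u))]


if __name__ == "__main__":
    for name in RULES:
        print(name, matched(name))
```

`host_contains` matches every POST on the zone, including the login request, so whatever action is attached to that rule applies there as well; `host_and_path` limits it to the upload endpoint.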