diff --git a/src/content/changelogs/rules.yaml b/src/content/changelogs/rules.yaml index 071998a85f2367e..d0a5b44a5f2f407 100644 --- a/src/content/changelogs/rules.yaml +++ b/src/content/changelogs/rules.yaml @@ -16,7 +16,7 @@ entries: description: |- Wildcards are now supported across our Ruleset Engine-based products, including Single Redirects, Cache Rules, Transform Rules, WAF, Waiting Room, and more: * You can now use the `wildcard` and `strict wildcard` operators with any string field in the Ruleset Engine, such as full URI, host, headers, cookies, user-agent, and country. For more details, refer to [Operators](/ruleset-engine/rules-language/operators/) and [Wildcard matching](/ruleset-engine/rules-language/operators/#wildcard-matching). - * In [Single Redirects](/rules/url-forwarding/single-redirects/), the `wildcard_replace()` function allows you to use segments matched by the `wildcard` and `strict wildcard` operators in redirect URL targets. For more information, refer to [Functions](/ruleset-engine/rules-language/functions/#function-wildcard_replace). + * In [Single Redirects](/rules/url-forwarding/single-redirects/), the `wildcard_replace()` function allows you to use segments matched by the `wildcard` and `strict wildcard` operators in redirect URL targets. For more information, refer to [Functions](/ruleset-engine/rules-language/functions/#wildcard_replace). - publish_date: '2024-07-01' title: Cloudflare Snippets now available to all paid customers diff --git a/src/content/docs/bots/troubleshooting.mdx b/src/content/docs/bots/troubleshooting.mdx index 7b26cc9252430fb..dec0bd9aefb4886 100644 --- a/src/content/docs/bots/troubleshooting.mdx +++ b/src/content/docs/bots/troubleshooting.mdx @@ -90,7 +90,7 @@ Cloudflare has built an allowlist of good, automated bots, e.g. Google Search En This allowlist is large based on reverse DNS verification, meaning that the IPs we allow really match the requesting service. In addition to this, Cloudflare uses multiple validation methods including ASN blocks and public lists. If none of these validation types are available for a customer, we use internal Cloudflare data and machine learning to identify legitimate IP addresses from good bots. -To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/#field-cf-bot_management-verified_bot) field in your WAF custom rule. +To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/#cf-bot_management-verified_bot) field in your WAF custom rule. *** diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx index 3e1c2be3ef73f88..513254cc6f78149 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx @@ -84,7 +84,7 @@ addEventListener('fetch', event => { ## Accessing custom metadata in a rule expression -Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/#field-cf-hostname-metadata) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#function-lookup_json_string) function. +Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/#cf-hostname-metadata) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#lookup_json_string) function. The following rule expression defines that there will be a rule match if the `security_tag` value in custom metadata contains the value `low`: diff --git a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx index bbfeb9b3a92e4c4..591d5f6d666b015 100644 --- a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx +++ b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx @@ -35,9 +35,9 @@ import { GlossaryTooltip } from "~/components" * **Protocol** (HTTP protocol version) * **Request headers** * **Cookies** - * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/#field-ip-src-country), [region](/ruleset-engine/rules-language/fields/#field-ip-src-region_code), and [city](/ruleset-engine/rules-language/fields/#field-ip-src-city)) + * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/#ip-src-country), [region](/ruleset-engine/rules-language/fields/#ip-src-region_code), and [city](/ruleset-engine/rules-language/fields/#ip-src-city)) * [**Bot score**](/bots/concepts/bot-score/) - * **Threat score** + * **Threat score** * **Request body** (for `POST`, `PUT`, and `PATCH` requests) * **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue) diff --git a/src/content/docs/fundamentals/reference/http-request-headers.mdx b/src/content/docs/fundamentals/reference/http-request-headers.mdx index d4a0f7499b2c82c..803925c29d62fc4 100644 --- a/src/content/docs/fundamentals/reference/http-request-headers.mdx +++ b/src/content/docs/fundamentals/reference/http-request-headers.mdx @@ -142,7 +142,7 @@ The intended purpose of this header is to provide a means for recipients (for ex :::note -When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/#field-cf-worker-upstream_zone) dynamic field, which contains the same value and exists for the same purpose. +When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/#cf-worker-upstream_zone) dynamic field, which contains the same value and exists for the same purpose. ::: diff --git a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx index 8652e49b2856217..f6163aa90c4c194 100644 --- a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx +++ b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx @@ -91,7 +91,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.cookie
`String` + http.cookie
`String` (Manual entry only)

Represents the entire cookie as a string.

@@ -102,7 +102,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.host
`String` + http.host
`String` (Manual entry only)

Represents the hostname used in the full request URI.

@@ -113,7 +113,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.referer
`String` + http.referer
`String` (Manual entry only)

Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

@@ -124,7 +124,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.headers
`Map>` + http.request.headers
`Map>` Header

Represents HTTP request headers as a Map (or associative array).

@@ -146,7 +146,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.method
`String` + http.request.method
`String` Request Method

Represents the HTTP method, returned as a string of uppercase characters.

@@ -157,7 +157,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.timestamp.sec
`Integer` + http.request.timestamp.sec
`Integer` Timestamp

Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.

@@ -168,7 +168,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri
`String` + http.request.uri
`String` URI

Represents the URI path and query string of the request.

@@ -179,7 +179,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri.args
`Map>` + http.request.uri.args
`Map>` (Manual entry only)

Represents the HTTP URI arguments associated with a request as a Map (associative array).

@@ -202,7 +202,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri.args.names
`Array` + http.request.uri.args.names
`Array` (Manual entry only)

Represents the names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.

@@ -222,7 +222,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri.args.values
`Array` + http.request.uri.args.values
`Array` (Manual entry only)

Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.

@@ -242,7 +242,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri.path
`String` + http.request.uri.path
`String` URI Path

Represents the URI path of the request.

@@ -253,7 +253,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.uri.query
`String` + http.request.uri.query
`String` URI Query

Represents the entire query string, without the ? delimiter.

@@ -264,7 +264,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul - http.request.version
`String` + http.request.version
`String` HTTP Version

Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.

diff --git a/src/content/docs/rules/compression-rules/index.mdx b/src/content/docs/rules/compression-rules/index.mdx index d26eb2de67a0c5a..4c72c0b5f5af592 100644 --- a/src/content/docs/rules/compression-rules/index.mdx +++ b/src/content/docs/rules/compression-rules/index.mdx @@ -39,9 +39,9 @@ The following fields are commonly used in expressions of compression rules: | Field in [Expression Builder](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) | Field name | | -------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -| *Media Type* | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/#field-http-response-content_type-media_type) | -| *File extension* | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/#field-http-request-uri-path-extension) | -| N/A | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/#field-raw-http-request-uri-path-extension) | +| *Media Type* | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/#http-response-content_type-media_type) | +| *File extension* | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/#http-request-uri-path-extension) | +| N/A | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/#raw-http-request-uri-path-extension) | diff --git a/src/content/docs/rules/custom-error-responses/create-api.mdx b/src/content/docs/rules/custom-error-responses/create-api.mdx index ab764d03b2745ce..36714f3e7b079dc 100644 --- a/src/content/docs/rules/custom-error-responses/create-api.mdx +++ b/src/content/docs/rules/custom-error-responses/create-api.mdx @@ -34,9 +34,9 @@ Follow this workflow to create a custom error response rule for a given zone via The examples in this section use the following fields in their rule expressions: -* [`http.response.code`](/ruleset-engine/rules-language/fields/#field-http-response-code): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker. +* [`http.response.code`](/ruleset-engine/rules-language/fields/#http-response-code): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker. -* [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/#field-cf-response-1xxx_code): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/). +* [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/#cf-response-1xxx_code): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/). ### Custom JSON response for all 5xx errors diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx index 40c4c7e9b3ee63a..2f1c109dc2d9f90 100644 --- a/src/content/docs/rules/reference/troubleshooting.mdx +++ b/src/content/docs/rules/reference/troubleshooting.mdx @@ -16,7 +16,7 @@ import { Example } from "~/components" If you are issuing a [challenge](/waf/reference/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops. -For example, define a compound expression for your rule using the `and` operator and the [`starts_with()`](/ruleset-engine/rules-language/functions/#function-starts_with) function: +For example, define a compound expression for your rule using the `and` operator and the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function: ```txt and not starts_with(http.request.uri, "/cdn-cgi/challenge-platform/") diff --git a/src/content/docs/rules/transform/examples/rewrite-moved-section.mdx b/src/content/docs/rules/transform/examples/rewrite-moved-section.mdx index a2a13ca8287298c..75692902b141c62 100644 --- a/src/content/docs/rules/transform/examples/rewrite-moved-section.mdx +++ b/src/content/docs/rules/transform/examples/rewrite-moved-section.mdx @@ -14,7 +14,7 @@ description: Create a rewrite URL rule (part of Transform Rules) to rewrite import { Example } from "~/components" -To rewrite everything under `/blog/` to `/marketing/` you must modify the first component of the path (`/blog/`). Create a rewrite URL rule and use the [`regex_replace()`](/ruleset-engine/rules-language/functions/#function-regex_replace) function for this purpose: +To rewrite everything under `/blog/` to `/marketing/` you must modify the first component of the path (`/blog/`). Create a rewrite URL rule and use the [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace) function for this purpose: diff --git a/src/content/docs/rules/transform/examples/rewrite-path-archived-posts.mdx b/src/content/docs/rules/transform/examples/rewrite-path-archived-posts.mdx index 962fe3bf06060db..9f7287c5992b005 100644 --- a/src/content/docs/rules/transform/examples/rewrite-path-archived-posts.mdx +++ b/src/content/docs/rules/transform/examples/rewrite-path-archived-posts.mdx @@ -32,4 +32,4 @@ concat("/archive", http.request.uri.path) -The filter uses the [`starts_with()`](/ruleset-engine/rules-language/functions/#function-starts_with) function all paths starting with `/news/2012/`. The dynamic path rewrite uses the [`concat()`](/ruleset-engine/rules-language/functions/#function-concat) function to concatenate a prefix to the original URL path of the HTTP request. +The filter uses the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function all paths starting with `/news/2012/`. The dynamic path rewrite uses the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function to concatenate a prefix to the original URL path of the HTTP request. diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx index 95fd38e64229eff..044240caea34007 100644 --- a/src/content/docs/rules/transform/managed-transforms/reference.mdx +++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx @@ -38,38 +38,38 @@ Adds HTTP headers with bot-related values to the request sent to the origin serv Adds HTTP headers with [Mutual TLS](/api-shield/security/mtls/) (mTLS) client authentication values to the request sent to the origin server: -* `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_revoked) field. -* `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_verified) field. -* `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_presented) field. -* `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_issuer_dn) field. -* `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_subject_dn) field. -* `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_issuer_dn_rfc2253) field. -* `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_subject_dn_rfc2253) field. -* `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_issuer_dn_legacy) field. -* `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_subject_dn_legacy) field. -* `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_serial) field. -* `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_issuer_serial) field. -* `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_fingerprint_sha256) field. -* `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_fingerprint_sha1) field. -* `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_not_before) field. -* `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_not_after) field. -* `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_ski) field. -* `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/#field-cf-tls_client_auth-cert_issuer_ski) field. +* `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_revoked) field. +* `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_verified) field. +* `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_presented) field. +* `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_issuer_dn) field. +* `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_subject_dn) field. +* `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_issuer_dn_rfc2253) field. +* `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_subject_dn_rfc2253) field. +* `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_issuer_dn_legacy) field. +* `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_subject_dn_legacy) field. +* `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_serial) field. +* `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_issuer_serial) field. +* `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_fingerprint_sha256) field. +* `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_fingerprint_sha1) field. +* `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_not_before) field. +* `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_not_after) field. +* `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_ski) field. +* `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/#cf-tls_client_auth-cert_issuer_ski) field. ### Add visitor location headers Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server: -* `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/#field-ip-src-city) field). -* `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/#field-ip-src-country) field). -* `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/#field-ip-src-continent) field). -* `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/#field-ip-src-lon) field). -* `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/#field-ip-src-lat) field). -* `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/#field-ip-src-region) field). -* `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/#field-ip-src-region_code) field). -* `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/#field-ip-src-metro_code) field). -* `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/#field-ip-src-postal_code) field). -* `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/#field-ip-src-timezone-name) field). +* `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/#ip-src-city) field). +* `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/#ip-src-country) field). +* `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/#ip-src-continent) field). +* `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/#ip-src-lon) field). +* `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/#ip-src-lat) field). +* `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/#ip-src-region) field). +* `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/#ip-src-region_code) field). +* `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/#ip-src-metro_code) field). +* `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/#ip-src-postal_code) field). +* `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/#ip-src-timezone-name) field). :::caution[Warning] diff --git a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx index 1d5e057b2540618..aebd26b8fe50194 100644 --- a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx +++ b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx @@ -29,4 +29,4 @@ A rewrite expression (that is, the expression that defines the dynamic URL rewri Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields. -The [`concat()`](/ruleset-engine/rules-language/functions/#function-concat) and [`regex_replace()`](/ruleset-engine/rules-language/functions/#function-regex_replace) functions can appear only **once** in a rewrite expression. +The [`concat()`](/ruleset-engine/rules-language/functions/#concat) and [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace) functions can appear only **once** in a rewrite expression. diff --git a/src/content/docs/rules/url-forwarding/examples/remove-locale-url.mdx b/src/content/docs/rules/url-forwarding/examples/remove-locale-url.mdx index 7c75d288712d75d..99a6300270ccfbc 100644 --- a/src/content/docs/rules/url-forwarding/examples/remove-locale-url.mdx +++ b/src/content/docs/rules/url-forwarding/examples/remove-locale-url.mdx @@ -34,7 +34,7 @@ If you are using the Expression Editor, enter the following expression:
-The function [`regex_replace()`](/ruleset-engine/rules-language/functions/#function-regex_replace) allows you to extract parts of the URL using regular expressions' capture groups. Create capture groups by putting part of the regular expression in parentheses. Then, reference a capture group using `${}` in the replacement string, where `` is the number of the capture group. +The function [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace) allows you to extract parts of the URL using regular expressions' capture groups. Create capture groups by putting part of the regular expression in parentheses. Then, reference a capture group using `${}` in the replacement string, where `` is the number of the capture group. For example, the redirect rule would perform the following redirects: diff --git a/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx b/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx index fa10e4cff311f79..b466d43a9b7a1f4 100644 --- a/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx +++ b/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx @@ -71,7 +71,7 @@ Only the Expression Editor supports nested expressions such as the one above. If :::note[Note] -String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the [`lower()`](/ruleset-engine/rules-language/functions/#function-lower) function and compare the result with a lowercased string, like in the following example: +String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the [`lower()`](/ruleset-engine/rules-language/functions/#lower) function and compare the result with a lowercased string, like in the following example: ```txt lower(http.request.uri.path) contains "/wp-login.php" diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 7f50dff37bf8e37..98f782f704299ee 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx @@ -106,7 +106,7 @@ Returns the string representation of the per-hostname [custom metadata](/cloudfl `cf.random_seed` `Bytes` -Returns per-request random bytes that you can use in the [`uuidv4()`](https://example.com/ruleset-engine/rules-language/functions/#function-uuidv4) function. +Returns per-request random bytes that you can use in the [`uuidv4()`](https://example.com/ruleset-engine/rules-language/functions/#uuidv4) function. ## `cf.ray_id` diff --git a/src/content/docs/ruleset-engine/rules-language/functions.mdx b/src/content/docs/ruleset-engine/rules-language/functions.mdx index 92910186126679c..9a59e95bad93004 100644 --- a/src/content/docs/ruleset-engine/rules-language/functions.mdx +++ b/src/content/docs/ruleset-engine/rules-language/functions.mdx @@ -338,7 +338,7 @@ any(url_decode(http.request.body.form.values[*])[*] contains "an xss attack") `uuidv4(Bytes)` `String` -Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/#field-cf-random_seed) field. +Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/#cf-random_seed) field. For example, `uuidv4(cf.random_seed)` will return a UUIDv4 similar to `49887398-6bcf-485f-8899-f15dbef4d1d5`. diff --git a/src/content/docs/ruleset-engine/rules-language/operators.mdx b/src/content/docs/ruleset-engine/rules-language/operators.mdx index ef93be2af65baac..167b852ed469f2e 100644 --- a/src/content/docs/ruleset-engine/rules-language/operators.mdx +++ b/src/content/docs/ruleset-engine/rules-language/operators.mdx @@ -44,8 +44,8 @@ Comparison operators entered using English notation (such as `eq`, `lt`, and `gt The Cloudflare dashboard shows the following functions as operators: -* *starts with* (corresponding to the [`starts_with()`](/ruleset-engine/rules-language/functions/#function-starts_with) function): Returns `true` when a string starts with a given substring, and `false` otherwise. -* *ends with* (corresponding to the [`ends_with()`](/ruleset-engine/rules-language/functions/#function-ends_with) function): Returns `true` when a string ends with a given substring, and `false` otherwise. +* *starts with* (corresponding to the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function): Returns `true` when a string starts with a given substring, and `false` otherwise. +* *ends with* (corresponding to the [`ends_with()`](/ruleset-engine/rules-language/functions/#ends_with) function): Returns `true` when a string ends with a given substring, and `false` otherwise. However, when writing your own custom expressions, you must use these functions in function calls, not as operators. For example: @@ -59,7 +59,7 @@ http.request.uri.path ends_with ".html" ### Comparing string values -String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the [`lower()`](/ruleset-engine/rules-language/functions/#function-lower) function and compare the result with a lowercased string, like in the following example: +String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the [`lower()`](/ruleset-engine/rules-language/functions/#lower) function and compare the result with a lowercased string, like in the following example: ```txt lower(http.request.uri.path) contains "/wp-login.php" diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx index fd86f0f281bd403..c3de0c295a7581f 100644 --- a/src/content/docs/ruleset-engine/rules-language/values.mdx +++ b/src/content/docs/ruleset-engine/rules-language/values.mdx @@ -52,7 +52,7 @@ regex_replace(http.host, "a", "\\") :::caution[Warning] -In some situations you will need to double-escape a string — for example, when using the [`regex_replace()`](/ruleset-engine/rules-language/functions/#function-regex_replace) function with a regular expression matching a backslash (`\`). +In some situations you will need to double-escape a string — for example, when using the [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace) function with a regular expression matching a backslash (`\`). In this case, you must do the basic escaping required by strings as function parameters (using `\\` for each `\` character) and also the regex escaping (using `\\` for each `\` character), since the backslash has a special meaning in regular expressions. @@ -169,7 +169,7 @@ For maps where the values have an `Array` type, you cannot directly use [operato ### Examples -The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/#field-http-request-headers) field with a data type of `Map>`, where array elements are of `String` data type. +The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/#http-request-headers) field with a data type of `Map>`, where array elements are of `String` data type. If an incoming HTTP request included a single `Accept: application/json` HTTP header, the following expressions would evaluate to the indicated values: @@ -181,7 +181,7 @@ any(http.request.headers["accept"][*] == "application/json") # ==> true any(http.request.headers["accept"][*] == "text/plain") # ==> false ``` -The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/#field-http-request-uri-args) field with a data type of `Map>`, where array elements are of `String` data type. +The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/#http-request-uri-args) field with a data type of `Map>`, where array elements are of `String` data type. If an HTTP request included three `filter` URI arguments `waf`, `botm`, and `cdn`, the following expressions would evaluate to the indicated values: diff --git a/src/content/docs/waf/about/content-scanning/index.mdx b/src/content/docs/waf/about/content-scanning/index.mdx index 10ae071c717bdae..2a057f33a2dae5d 100644 --- a/src/content/docs/waf/about/content-scanning/index.mdx +++ b/src/content/docs/waf/about/content-scanning/index.mdx @@ -79,14 +79,14 @@ When content scanning is enabled, you can use the following fields in WAF rules: | Field name in the dashboard | Field name in expressions | | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------- | -| Has content object | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-has_obj) | -| Has malicious content object | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-has_malicious_obj) | -| Number of malicious content objects | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-num_malicious_obj) | -| Content scan has failed | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-has_failed) | -| Number of content objects | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-num_obj) | -| Content object size (in bytes) | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-obj_sizes) | -| Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-obj_types) | -| Content object result
Values: `clean`, `suspicious`,
`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/#field-cf-waf-content_scan-obj_results) | +| Has content object | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-has_obj) | +| Has malicious content object | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-has_malicious_obj) | +| Number of malicious content objects | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-num_malicious_obj) | +| Content scan has failed | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-has_failed) | +| Number of content objects | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-num_obj) | +| Content object size (in bytes) | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-obj_sizes) | +| Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-obj_types) | +| Content object result
Values: `clean`, `suspicious`,
`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/#cf-waf-content_scan-obj_results) | diff --git a/src/content/docs/waf/about/waf-attack-score.mdx b/src/content/docs/waf/about/waf-attack-score.mdx index acdfd4fcde1f77a..ae732dccaab836b 100644 --- a/src/content/docs/waf/about/waf-attack-score.mdx +++ b/src/content/docs/waf/about/waf-attack-score.mdx @@ -29,11 +29,11 @@ The Cloudflare WAF provides the following attack scores: | Score | Minimum plan required | Attack vector | Field | | ---------------------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------- | -| WAF Attack Score | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/#field-cf-waf-score) | -| WAF SQLi Attack Score | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/#field-cf-waf-score-sqli) | -| WAF XSS Attack Score | Enterprise | Cross-site scripting (XSS) | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/#field-cf-waf-score-xss) | -| WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/#field-cf-waf-score-rce) | -| WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/#field-cf-waf-score-class) | +| WAF Attack Score | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/#cf-waf-score) | +| WAF SQLi Attack Score | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/#cf-waf-score-sqli) | +| WAF XSS Attack Score | Enterprise | Cross-site scripting (XSS) | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/#cf-waf-score-xss) | +| WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/#cf-waf-score-rce) | +| WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/#cf-waf-score-class) | diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx index 9ccf6a400b14a5b..7720f183d695e39 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx @@ -4,7 +4,7 @@ title: Allow traffic from specific countries only --- -This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/#field-ip-src-country) field, only allowing requests from two countries: United States and Mexico. +This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/#ip-src-country) field, only allowing requests from two countries: United States and Mexico. - **Expression**: `(not ip.geoip.country in {"US" "MX"})` - **Action**: *Block* diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx index 0949e28cd4e4f64..7b4456a919ace0b 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx @@ -9,7 +9,7 @@ head: This example challenges requests from a list of countries, but allows traffic from search engine bots — such as Googlebot and Bingbot — and from other [verified bots](/bots/concepts/bot/#verified-bots). -The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/#field-cf-client-bot) field to determine if the request originated from a known good bot or crawler. +The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/#cf-client-bot) field to determine if the request originated from a known good bot or crawler. - **Expression**: `(ip.geoip.country in {"US" "MX"} and not cf.client.bot)` - **Action**: Managed Challenge diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx index 519e8bf9b77190c..c8260af385014e9 100644 --- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx @@ -4,7 +4,7 @@ title: Block traffic from specific countries --- -This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/#field-ip-src-country) field. +This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/#ip-src-country) field. - **Expression**: `(ip.geoip.country in {"KN" "SY"})` - **Action**: *Block* diff --git a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx index 49dbea67e61b22e..952707fe75a81a1 100644 --- a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx @@ -18,9 +18,9 @@ Bot score ranges from 1 through 99. A low score indicates the request comes from These examples use: -* [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#field-cf-bot_management-score) to target requests from bots -* [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/#field-cf-bot_management-verified_bot) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots) -* [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/#field-cf-bot_management-ja3_hash) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/) +* [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#cf-bot_management-score) to target requests from bots +* [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/#cf-bot_management-verified_bot) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots) +* [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/#cf-bot_management-ja3_hash) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/) ## Suggested rules diff --git a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx index d16925bbdaf122d..19afde1e94a84df 100644 --- a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx @@ -10,7 +10,7 @@ When enabled, [Cloudflare Hotlink Protection](/waf/tools/scrape-shield/hotlink-p You can use custom rules to protect against hotlinking while allowing inline links from your partners. In this case, you will need to disable [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) within the **Scrape Shield** app so that partner referrals are not blocked by that feature. -This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/#field-http-referer) field to target HTTP referrals from partner sites. +This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/#http-referer) field to target HTTP referrals from partner sites. The `not` operator matches HTTP referrals that are not from partner sites, and the action blocks them: diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx index 59f15e0b1b5a9b6..3de23353322c130 100644 --- a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx @@ -6,7 +6,7 @@ title: Require a specific cookie To secure a sensitive area such as a development area, you can share a cookie with trusted individuals and then filter requests so that only users with that cookie can access your site. -Use the [`http.cookie`](/ruleset-engine/rules-language/fields/#field-http-cookie) field to target requests based on the presence of a specific cookie. +Use the [`http.cookie`](/ruleset-engine/rules-language/fields/#http-cookie) field to target requests based on the presence of a specific cookie. This example comprises two rules: diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx index 4593a18e05d54fc..35c677732d029ab 100644 --- a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx @@ -6,7 +6,7 @@ title: Require specific HTTP headers Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language [HTTP request header fields](/ruleset-engine/rules-language/fields/#http-request-header-fields) to target requests with specific headers. -This example uses the `http.headers.names` field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#function-lower) transformation function converts the value to lowercase so that the expression is case insensitive. +This example uses the `http.headers.names` field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function converts the value to lowercase so that the expression is case insensitive. When the `X-CSRF-Token` header is missing, Cloudflare blocks the request: diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx index 4a15e0da5008d53..b7f094a96c7703d 100644 --- a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx @@ -8,7 +8,7 @@ import { Render } from "~/components" By default, Cloudflare allows requests on a [number of different HTTP ports](/fundamentals/reference/network-ports/). -You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/#field-cf-edge-server_port) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports. +You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/#cf-edge-server_port) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports. This example blocks requests to `www.example.com` that are not on ports `80` or `443`: diff --git a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx index d81cd7f8927cf27..b0cfa41d209bf36 100644 --- a/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/site-admin-only-known-ips.mdx @@ -8,7 +8,7 @@ If an attack compromises the administrative area of your website, the consequenc The example below limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses. -To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, use the [`lower()`](/ruleset-engine/rules-language/functions/#function-lower) transformation function to convert the URI path to lowercase: +To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, use the [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function to convert the URI path to lowercase: - **Expression**: `(not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))` diff --git a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx index e828377b846b5f8..de435abf7630c69 100644 --- a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx @@ -8,7 +8,7 @@ R-U-Dead-Yet (R.U.D.Y.) attacks accomplish denial of service (DoS) by submitting This example combines three expressions to target HTTP `POST` requests that do not contain a legitimate authenticated session cookie: -* The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/#field-http-request-uri-path) field to target the paths to secure from R.U.D.Y.: +* The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/#http-request-uri-path) field to target the paths to secure from R.U.D.Y.: ```txt http.request.uri.path matches "(comment|conversation|event|poll)/create" diff --git a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx index ea1d1a5a8544fa0..1172d41dc2875be 100644 --- a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx @@ -24,8 +24,8 @@ If a customer or partner is large enough, you could set up a custom rule based o This example uses: -* The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/#field-ip-src-asnum) field to specify the general region. -* The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#field-cf-bot_management-score) field to ensure partner traffic does not come from bots. +* The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/#ip-src-asnum) field to specify the general region. +* The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#cf-bot_management-score) field to ensure partner traffic does not come from bots. - **Expression**: `(ip.geoip.asnum eq 64496 and cf.bot_management.score gt 30)` - **Action**: Skip: @@ -43,8 +43,8 @@ Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare E This example uses: -* The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/#field-ip-src-asnum) field to specify the general region. -* The [`cf.threat_score`](/ruleset-engine/rules-language/fields/#field-cf-threat_score) dynamic field to ensure requests are not high-risk traffic. +* The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/#ip-src-asnum) field to specify the general region. +* The [`cf.threat_score`](/ruleset-engine/rules-language/fields/#cf-threat_score) dynamic field to ensure requests are not high-risk traffic. If a request meets these criteria, your custom rule skips [User Agent Blocking](/waf/tools/user-agent-blocking/) rules. @@ -62,7 +62,7 @@ For smaller organizations, you could set up custom rules based on IP addresses. This example: * Specifies the source IP address and the host. -* Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#field-cf-bot_management-score) field to ensure requests are not high-risk traffic. +* Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/#cf-bot_management-score) field to ensure requests are not high-risk traffic. - **Expression**: `(ip.src eq 203.0.113.1 and http.host eq "example.com" and cf.bot_management.score gt 30)` - **Action**: Skip: diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx index b26364fda53c61f..97721192da3066c 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx @@ -36,7 +36,7 @@ To check for exposed credentials in a custom rule, include the `exposed_credenti These properties have additional requirements: * Each expression must evaluate to a string. -* You can only use the [`upper()`](/ruleset-engine/rules-language/functions/#function-upper), [`lower()`](/ruleset-engine/rules-language/functions/#function-lower), [`url_decode()`](/ruleset-engine/rules-language/functions/#function-url_decode), and [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#function-lookup_json_string) functions, and you cannot nest these functions. +* You can only use the [`upper()`](/ruleset-engine/rules-language/functions/#upper), [`lower()`](/ruleset-engine/rules-language/functions/#lower), [`url_decode()`](/ruleset-engine/rules-language/functions/#url_decode), and [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) functions, and you cannot nest these functions. ::: diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx index a84cfc28232a9ab..886c57ed2d2c26f 100644 --- a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx +++ b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx @@ -226,7 +226,7 @@ You could also limit the number of lookups of each `product_id` regardless of th :::note -If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/#field-http-request-body-raw) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal. +If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/#http-request-body-raw) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal. ::: ### Limit requests from bots diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index 80cf3761b46cb75..716eccc94cd7b98 100644 --- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx @@ -49,8 +49,8 @@ Use one or more of the following characteristics: | **Country** | `ip.geoip.country` | | **JA3 Fingerprint** | `cf.bot_management.ja3_hash` | | **JA4** | `cf.bot_management.ja4` | -| **JSON string value of** (enter key) | `lookup_json_string(http.request.body.raw, "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#function-lookup_json_string) | -| **JSON integer value of** (enter key) | `lookup_json_integer(http.request.body.raw, "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [`lookup_json_integer()` function reference](/ruleset-engine/rules-language/functions/#function-lookup_json_integer) | +| **JSON string value of** (enter key) | `lookup_json_string(http.request.body.raw, "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_string) | +| **JSON integer value of** (enter key) | `lookup_json_integer(http.request.body.raw, "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [`lookup_json_integer()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_integer) | | **Form input value of** (enter field name) | `http.request.body.form[""]` | [Missing field versus empty value](#missing-field-versus-empty-value) | | **JWT claim of** (enter token configuration ID, claim name) | `lookup_json_string(http.request.jwt.claims[""][0], "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [JWT Validation reference](/api-shield/security/jwt-validation/transform-rules/) | | **Body** | `http.request.body.raw` | diff --git a/src/content/partials/rules/transform/header-modification-fields.mdx b/src/content/partials/rules/transform/header-modification-fields.mdx index 427ca9c36d1981f..ff7899b773c1ed8 100644 --- a/src/content/partials/rules/transform/header-modification-fields.mdx +++ b/src/content/partials/rules/transform/header-modification-fields.mdx @@ -41,7 +41,7 @@ Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference informat :::caution[Important] -* To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/#field-http-request-headers) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`. +* To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/#http-request-headers) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`. * Use the `to_string()` function to get the string representation of a non-string value like an Integer value. For example, `to_string(cf.bot_management.score)`. diff --git a/src/content/partials/rules/transform/transform-phase-fields.mdx b/src/content/partials/rules/transform/transform-phase-fields.mdx index ed9f0aa72d5763b..e6692353d374c65 100644 --- a/src/content/partials/rules/transform/transform-phase-fields.mdx +++ b/src/content/partials/rules/transform/transform-phase-fields.mdx @@ -40,7 +40,7 @@ Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference informat :::caution[Important] -* To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/#field-http-request-headers) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`. +* To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/#http-request-headers) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`. * Use the `to_string()` function to get the string representation of a non-string value like an Integer value. diff --git a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx index 18ab1c3191a4af8..c5c65162578379f 100644 --- a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx +++ b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx @@ -7,7 +7,7 @@ | Feature | Free | Pro | Business | Enterprise with app security | Enterprise with Advanced Rate Limiting | | ------------------------------------------- | ------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Available fields
in rule expression | Path, [Verified Bot](/ruleset-engine/rules-language/fields/#field-cf-bot_management-verified_bot) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | [Standard fields](/ruleset-engine/rules-language/fields/#standard-fields), [request header fields](/ruleset-engine/rules-language/fields/#http-request-header-fields), [dynamic fields](/ruleset-engine/rules-language/fields/#dynamic-fields) (including Verified Bot), other Bot Management fields1 | [Standard fields](/ruleset-engine/rules-language/fields/#standard-fields), [request header fields](/ruleset-engine/rules-language/fields/#http-request-header-fields), [dynamic fields](/ruleset-engine/rules-language/fields/#dynamic-fields) (including Verified Bot), other Bot Management fields1, [request body fields](/ruleset-engine/rules-language/fields/#http-request-body-fields)2 | +| Available fields
in rule expression | Path, [Verified Bot](/ruleset-engine/rules-language/fields/#cf-bot_management-verified_bot) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | [Standard fields](/ruleset-engine/rules-language/fields/#standard-fields), [request header fields](/ruleset-engine/rules-language/fields/#http-request-header-fields), [dynamic fields](/ruleset-engine/rules-language/fields/#dynamic-fields) (including Verified Bot), other Bot Management fields1 | [Standard fields](/ruleset-engine/rules-language/fields/#standard-fields), [request header fields](/ruleset-engine/rules-language/fields/#http-request-header-fields), [dynamic fields](/ruleset-engine/rules-language/fields/#dynamic-fields) (including Verified Bot), other Bot Management fields1, [request body fields](/ruleset-engine/rules-language/fields/#http-request-body-fields)2 | | Counting characteristics | IP | IP | IP | IP, IP with NAT support | IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint1, JSON field value2, Body2, Form input value2, Custom | | Available fields
in counting expression | N/A | N/A | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers | | Counting model | Number of requests | Number of requests | Number of requests | Number of requests | Number of requests,
[complexity score](/waf/rate-limiting-rules/request-rate/#complexity-based-rate-limiting) |