Cloudflare Docs
WAF
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Get started

​​ 1. Enable WAF content scanning

  1. Log in to the Cloudflare dashboard, and select your account and domain.
  2. Go to Security > Settings.
  3. Under Incoming traffic detections, turn on Malicious uploads.

Enable the feature using a POST request similar to the following:

curl --request POST \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/enable" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"

​​ 2. Validate the content scanning behavior

Use Security Analytics and HTTP logs to validate that malicious content objects are being detected correctly.

You can use the EICAR anti-malware test file to test content scanning (select the ZIP format).

Alternatively, create a WAF custom rule like described in the next step using a Log action instead of a mitigation action like Block. This rule will generate security events (available in Security > Events) that will allow you to validate your configuration.

​​ 3. Create a WAF custom rule

Create a WAF custom rule that blocks detected malicious content objects uploaded to your application.

For example, create a custom rule with the Block action and the following expression:

FieldOperatorValue
Has malicious content objectequalsTrue

If you use the Expression Editor, enter the following expression:

(cf.waf.content_scan.has_malicious_obj)

This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to Content scanning fields.

Optional: Combine with other Rules language fields

You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine content scanning with other security features. For example:

  • The following expression will match requests with malicious content objects uploaded to a specific endpoint:

    FieldOperatorValueLogic
    Has malicious content objectequalsTrueAnd
    URI Pathcontainsupload.php

    Expression when using the editor:

    (cf.waf.content_scan.has_malicious_obj and http.request.uri.path contains "upload.php")
  • The following expression will match requests from bots uploading content objects:

    FieldOperatorValueLogic
    Has content objectequalsTrueAnd
    Bot Scoreless than10

    Expression when using the editor:

    (cf.waf.content_scan.has_obj and cf.bot_management.score lt 10)

For additional examples, refer to Example rules.

​​ 4. (Optional) Configure a custom scan expression

To check uploaded content in a way that is not covered by the default configuration, add a custom scan expression.

  1. Log in to the Cloudflare dashboard, and select your account and domain.

  2. Go to Security > Settings.

  3. Under Incoming traffic detections, select Malicious uploads.

  4. Select Add content object location.

  5. In Content location, enter your custom scan expression. For example:

    lookup_json_string(http.request.body.raw, "file")
  6. Select Save.

Use a POST request similar to the following:

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/payloads" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '[
{
"payload": "lookup_json_string(http.request.body.raw, \"file\")"
}
]'

The above request will add the following expression to the current list of custom scan expressions:

lookup_json_string(http.request.body.raw, "file")

The custom scan expression will scan any string found in an HTTP body with the following JSON string:

{"file": "<BASE64_ENCODED_STRING>"}