With these expressions for WAF, you can effectively block all unnecessary requests to your server, enhancing its security. If you find this repository helpful, please consider giving it a star ⭐. Thank you!
Important
It is also recommended to disable the Bot Fight Mode feature in the Security tab.
Although this feature helps detect and block automated bot traffic, it can inadvertently block safe, legitimate bots as well, which is not our intention.
Tip
Use a dedicated script to automatically update rules for each zone.
>> View Main Expressions <<
This list has been carefully crafted to enhance the security of your origin server by blocking a wide range of unnecessary and potentially malicious requests. Here is a summary of what it can block:
-
Sensitive Files and Directories:
- Blocks access to critical files and directories like
.git,.env, and.htaccess, which often contain sensitive information that should remain private. It also prevents access to other commonly used configuration files and sensitive keys, such as SSH keys.
- Blocks access to critical files and directories like
-
Common Attack Vectors:
- Blocks URLs with patterns commonly used in attacks, helping to prevent attempts to exploit known application vulnerabilities.
-
Backup Files:
- Blocks requests for backup files that could contain sensitive data.
-
Outdated Browsers:
- Identifies and blocks outdated browser versions often used by bots for automated attacks or unnecessary web crawling. It can also block DDoS attacks from botnets, which frequently use outdated user agents.
-
Unwanted bots:
- Blocks various unwanted, unnecessary web crawlers and known malicious bots. This helps reduce unwanted bot traffic and alleviate server resource strain.
-
Specific IP Addresses and ASNs:
- Blocks traffic from known malicious IP addresses and ASNs to prevent attacks from flagged sources. The list also includes IP addresses associated with botnets.
You can use the JavaScript script from this repository to automatically update the rules throughout the day. There’s no need to add them manually - the script takes care of everything.
- Clone this repository.
git clone https://github.com/sefinek/Cloudflare-WAF-Expressions.git
- Install the necessary dependencies.
npm install
- Copy the
.env.defaultfile and rename it to.env.cp .env.default .env
- Open the
.envfile and ensureNODE_ENVis set toproduction. Paste your Cloudflare token in place ofCF_API_TOKEN.
- Run the script 24/7 using PM2.
pm2 start && pm2 save
- Log in to your Cloudflare account.
- Select the domain where you want to add the expressions.
- Click on the
Securitytab, then chooseWAFfrom the dropdown menu. - In the
Custom rulestab, click theCreate rulebutton. - Copy the expressions from the markdown/expressions.md file.
- Click
Edit expressionand paste the copied expressions. - Click
Deployto save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file. - Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Check that your website functions correctly, and visit this repository periodically for the latest updates.
Enabling DDoS protection in the Security tab is also recommended. Navigate to DDoS and click Deploy a DDoS override.
- Override name: DDoS L7 ruleset
- Ruleset action: Block
- Ruleset sensitivity: Default
If you have any questions or need help with the expressions, feel free to open an Issue. I'll be happy to assist you.
If you have any suggestions or improvements, feel free to open a Pull request. Your contributions are highly appreciated and will help keep this list up-to-date and effective against the latest threats.
This project is licensed under the MIT License.
