sefinek/Cloudflare-WAF-Expressions

☁️ Cloudflare Web Application Firewall Rules

These WAF expressions block a large share of unwanted and potentially malicious requests at Cloudflare's edge, before they reach your origin server. If you find this repository useful, I would greatly appreciate it if you could give it a star ⭐. Thank you!

Warning

v2.0.0 introduces breaking changes. See CHANGELOG.md for details.

🛡️ What Can This List Block?

| Part (1-5) | Description | Action |
|---|---|---|
| 🔥 Part 1 - Suspicious paths & headers | Blocks data leaks, suspicious referrers, malicious and unusual URL paths, and empty or anomalous User-Agents. | Block |
| 🧨 Part 2 - Malicious extensions & injections | Blocks suspicious requests, exploits, path traversal, configuration file access attempts, and the use of CLI tools in URLs. | Block |
| 🤖 Part 3 - Unwanted bots | Blocks unnecessary and harmful bots, scanners, and web scrapers. | Block |
| 🦕 Part 4 - Ancient browsers & IP blocklist | Blocks traffic from the Tor network, known malicious IP addresses, ASNs linked to botnets, and very outdated browsers. | Block |
| 🗑️ Part 5 - Deprecated browsers & CMS | Enforces additional verification for outdated browsers (Chrome 73-122, Firefox 62-118), old OS versions, and CMS scanners. | Managed Challenge |

Important

It is recommended to disable Bot Fight Mode in the Security tab.
Part 3 already controls which bots are blocked. Bot Fight Mode runs in parallel and may conflict with your rules.

✅ Usage

Automatic (highly recommended)

You can use the JavaScript code from this repository to automatically update the rules throughout the day.
There's no need to add them manually, as the script takes care of everything for you. 😉

Requirements

  1. Node.js LTS + npm
  2. PM2 (npm i pm2 -g)
  3. Git
  4. Linux (also works on Windows Server)

Tutorial (for Linux)

  1. Clone this repository:
    git clone https://github.com/sefinek/Cloudflare-WAF-Expressions.git cf-expressions
  2. Install the necessary dependencies:
    cd cf-expressions && npm install
  3. Copy the .env.default file and rename it to .env:
    cp .env.default .env
  4. Open the .env file and configure the following variables:
    • Set NODE_ENV to production
    • Paste your Cloudflare API token in place of CF_API_TOKEN; grant the token only the permissions the script needs. [Screenshot: Required API token permissions]
    • Set CF_ACCOUNT_ID to your Cloudflare Account ID (usually 32 characters, found in the URL: dash.cloudflare.com/<account_id>/...) - required for IP list sync
    • Set CF_IP_LIST_NAME to a custom name for the managed IP list, or leave the default (sefinek_cf_waf). [Screenshot: Cloudflare IP list with synced entries]
    • Set PHP_SUPPORT to true if your website uses PHP (removes the Managed Challenge rule for .php files)
    • Set SNIFFCAT_API_TOKEN to include dynamic malicious IPs from SniffCat (optional, but highly recommended)
    nano .env
  5. Run the script 24/7 using PM2:
    pm2 start && pm2 save
  6. Configure PM2 to start on system boot:
    eval "$(pm2 startup | grep sudo)"

Manually

Caution

This method is not recommended. WAF expressions and IP blocklists should be kept up to date at all times to remain effective against new threats. Updating them manually is error-prone and easy to forget. Use the automatic method instead.

  1. Log in to your Cloudflare account.
  2. Select the domain where you want to add the expressions.
  3. Click on the Security tab, then choose WAF from the dropdown menu.
  4. In the Custom rules tab, click the Create rule button.
  5. Copy the expressions from the rules/expressions.md file.
  6. Click Edit expression and paste the copied expressions.
  7. Click Deploy to save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file.
  8. Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure your website functions correctly, and visit this repository periodically for the latest updates.

IP Blocklist (Part 4)

Part 4 references a Cloudflare Custom IP List (ip.src in $sefinek_cf_waf). To set it up manually:

  1. Go to your Cloudflare dashboard and navigate to Manage account > Configurations > Lists.
  2. Click Create list, set the Identifier to sefinek_cf_waf (cannot be changed later), and confirm.
  3. Open the newly created list, add the IP addresses from rules/ip-blocklist.txt, and save.
  4. Part 4 will now block all IPs from that list.

Note

On the Free plan Cloudflare allows only 1 custom IP list per account (up to 10,000 entries); paid plans raise these limits. Remember to update the list periodically as new entries are added to rules/ip-blocklist.txt. The automatic method handles this for you.

🔥 DDoS Protection (Additional Security Measures)

Cloudflare offers many settings that must be configured manually to suit your site. This tutorial enables only the ones that help protect your origin from DDoS attacks; many more mitigation options are available.

1: Creating DDoS L7 Ruleset

Security > DDoS > Deploy a DDoS override

  1. Override name: DDoS L7 ruleset
  2. Ruleset action: Block
  3. Ruleset sensitivity: Default

2: Rate Limits

Security > Rate limiting rules > Create rule

  1. Rule name: Default rate limit
  2. Expression: (starts_with(http.request.uri.path, "/"))
    • Field: URI Path
    • Operator: starts with
    • Value: /
  3. When rate exceeds…
    • Requests: 200 (adjust this to your own traffic: the rule counts every request from one client IP, including static assets, so a page that loads many resources uses up the budget quickly)
    • Period: 10 seconds
  4. Then take action…
    • Choose action: Block
  5. For duration…
    • Duration: 10 seconds
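Choosing the Requests value is easier with numbers from your own access logs. The following is an added example (not part of the repository) that parses combined-format access log lines and reports, per client, the most requests seen in any sliding 10-second window; legitimate peaks must stay below the threshold or the rule will block real visitors. It assumes your origin logs the real client address (restored from CF-Connecting-IP); otherwise every request appears to come from a Cloudflare edge. The log lines it runs on are constructed.

```javascript
// Added example, not part of the project: derive a rate-limit threshold from access logs.
'use strict';

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Combined log format: client - user [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})\] "([^"]*)" (\d{3}) /;

// Parse one line into { client, epoch, path, status }; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, d, mon, y, h, mi, s, tz, request, status] = m;
  const offsetSec = (tz[0] === '-' ? -1 : 1) * (Number(tz.slice(1, 3)) * 3600 + Number(tz.slice(3)) * 60);
  const epoch = Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s) / 1000 - offsetSec;
  return { client, epoch, path: request.split(' ')[1] || '', status: +status };
}

// Largest request count inside any half-open window [t, t + windowSec) per client,
// computed with a two-pointer sweep over each client's sorted timestamps.
function peakPerClient(lines, windowSec) {
  const byClient = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!byClient.has(r.client)) byClient.set(r.client, []);
    byClient.get(r.client).push(r.epoch);
  }
  const peaks = {};
  for (const [client, times] of byClient) {
    times.sort((a, b) => a - b);
    let best = 0;
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] >= windowSec) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    peaks[client] = best;
  }
  return peaks;
}

// Clients whose observed peak exceeds a rule of `requests` per window, i.e. who the
// dashboard rule above would have blocked.
function wouldBeRateLimited(peaks, requests) {
  return Object.entries(peaks).filter(([, n]) => n > requests).map(([c]) => c);
}

// Constructed sample: a browser fetching a page with 30 assets over 3 seconds, and a
// scanner hammering a login path 250 times in 10 seconds. Addresses are documentation ranges.
function sampleLog() {
  const line = (ip, sec, path) =>
    `${ip} - - [10/Oct/2025:13:55:${String(sec).padStart(2, '0')} +0000] "GET ${path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"`;
  const lines = [];
  for (let i = 0; i < 30; i++) lines.push(line('203.0.113.7', Math.floor(i / 10), `/asset${i}.js`));
  for (let i = 0; i < 250; i++) lines.push(line('198.51.100.9', Math.floor(i / 25), `/wp-login.php?try=${i}`));
  return lines;
}

module.exports = { parseLine, peakPerClient, wouldBeRateLimited, sampleLog };
```

Run peakPerClient over a day or two of real logs with windowSec set to the rule's Period, look at the distribution of peaks across clients, and set Requests comfortably above the highest peak you consider legitimate. In the constructed sample the browser peaks at 30 and the scanner at 250, so the 200-per-10-seconds rule blocks only the scanner.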

3: Good to Know

  1. Make sure your origin server's IP address has not been leaked (for example through DNS history, subdomains that are not proxied, outgoing e-mail headers, or error pages that echo the address).
  2. Your server should accept only requests coming from Cloudflare's published IP ranges (https://www.cloudflare.com/ips/), ideally combined with Authenticated Origin Pulls. Accessing your website directly, bypassing Cloudflare, should not be possible.
  3. Configure rate limits on your server as well, so it sheds load if an attacker does reach it directly during a DDoS attack.

🗑️ Cleanup Tool

To remove all WAF rules, filters, and the IP blocklist from Cloudflare (e.g. before a fresh install), run:

node data/tools/deleteWAFRules.js

The script will list everything it found and ask for confirmation before deleting anything. It also clears the local rule ID cache (data/rule-ids.json).

Warning

This operation is irreversible! All custom WAF rules and the managed IP list will be permanently deleted from your Cloudflare account.

🤝 Pull requests

If you have any suggestions or improvements, feel free to open a Pull request. Your contribution will be appreciated and will help keep this list up-to-date and effective in combating the latest threats. Thank you!

🔖 GNU GPL v3 License

Copyright © 2023-2026 Sefinek