Skip to content
/ Cloudflare-WAF-Expressions Public

Cloudflare WAF (Web Application Firewall) rules + a script for their automatic updates. Block unwanted and malicious requests to enhance the security of your origin server!

License

GPL-3.0 license
73 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sefinek/Cloudflare-WAF-Expressions

BranchesTags

Repository files navigation

☁️ Cloudflare Web Application Firewall Rules

By using these WAF expressions, you can effectively block all unnecessary and potentially malicious requests targeting your origin server, thereby enhancing its security. If you find this repository useful, I would greatly appreciate it if you could give it a star ⭐. Thank you!

Tip

Cloudflare Web Application Firewall [WAF] Rules

🛡️ What Can This List Block?

Part Description Action
$ Part 1
Main firewall (I)		 Blocks data leaks, suspicious referrers, malicious and unusual URL paths, as well as empty or anomalous User-Agents. Block
$ Part 2
Main firewall (II)		 Blocks suspicious requests, exploits, path traversal, configuration file access attempts, and the use of CLI tools in URLs. Block
$ Part 3
Deprecated browsers, etc.		 Enforces additional verification for outdated browsers, operating systems, and suspicious User-Agents. Managed Challenge
$ Part 4
Block unnecessary bots		 Blocks unnecessary, harmful bots, scanners, and web scrapers. Block
$ Part 5
Block bots, ASNs and IPs		 Blocks traffic from the Tor network, malicious IP addresses, and autonomous systems (ASNs) often associated with botnets and attacks. Block

Important

It is also recommended to disable the Bot Fight Mode feature in the Security tab.
Although this feature helps detect and block automated bot traffic, it can inadvertently block safe, legitimate bots as well, which is not our intention.

✅ Usage

Automatic (Recommended)

You can use the JavaScript code from this repository to automatically update the rules throughout the day.
There's no need to add them manually, as the script takes care of everything for you (:

Requirements

  1. Node.js LTS + npm
  2. PM2 (npm i pm2 -g)
  3. Git
  4. Linux (also works on Windows Server)

Tutorial (for Linux)

  1. Clone this repository: 
    git clone https://github.com/sefinek/Cloudflare-WAF-Expressions.git
  2. Install the necessary dependencies: 
    cd Cloudflare-WAF-Expressions && npm install
  3. Copy the .env.default file and rename it to .env: 
    cp .env.default .env
  4. Open the .env file and ensure NODE_ENV is set to production. Paste your Cloudflare token in place of CF_API_TOKEN. 
    nano .env
    brave_JDyTDLnUFonD.png
  5. Run the script 24/7 using PM2: 
    pm2 start && pm2 save
  6. Configure PM2 to start on system boot: 
    pm2 startup
    Then, execute the generated command from the output.

Manually

  1. Log in to your Cloudflare account.
  2. Select the domain where you want to add the expressions.
  3. Click on the Security tab, then choose WAF from the dropdown menu.
  4. In the Custom rules tab, click the Create rule button.
  5. Copy the expressions from the markdown/expressions.md file.
  6. Click Edit expression and paste the copied expressions.
  7. Click Deploy to save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file.
  8. Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure your website functions correctly, and visit this repository periodically for the latest updates.

🔥 DDoS Protection (Additional Security Measures)

Cloudflare offers many settings that need to be configured manually according to your preferences. In this tutorial, we will enable only those that will safeguard your server from DDoS attacks. Keep in mind that there are many more measures available to mitigate DDoS attacks.

1: Creating DDoS L7 Ruleset

Security > DDoS > Deploy a DDoS override

  1. Override name: DDoS L7 ruleset
  2. Ruleset action: Block
  3. Ruleset sensitivity: Default

2: Rate Limits

Security > Rate limiting rules > Create rule

  1. Rule name: Default rate limit
  2. Expression: (starts_with(http.request.uri.path, "/"))
    • Field: URI Path
    • Operator: starts with
    • Value: /
  3. When rate exceeds…
    • Requests: 200 (you should adjust this value yourself based on your website's traffic)
    • Period: 10 seconds
  4. Then take action…
    • Choose action: Block
  5. For duration…
    • Duration: 10 seconds

3: Good to Know

  1. Make sure that your server's IP address has not been leaked.
  2. Your server should accept only requests coming from Cloudflare. Accessing your website directly, bypassing Cloudflare, should not be possible.
  3. Configure rate limits on your server to reduce its load during a DDoS attack.

🤝 Pull requests

If you have any suggestions or improvements, feel free to open a Pull request. Your contribution will be appreciated and will help keep this list up-to-date and effective in combating the latest threats. Thank you!

🔖 MIT License

Copyright 2023-2025 © by Sefinek. All Rights Reserved.

About

Cloudflare WAF (Web Application Firewall) rules + a script for their automatic updates. Block unwanted and malicious requests to enhance the security of your origin server!

Topics

nodejs express server expressjs waf expression cloudflare expressions antibot antibots server-security cloudflare-firewall-rules cloudflare-waf-rules cloudflare-firewall cloudflare-waf cloudflare-expressions cloudflare-expression cloudflare-waf-expressions cloudflare-waf-expression server-safety

Resources

Readme

License

GPL-3.0 license
Activity

Stars

73 stars

Watchers

3 watching

Forks

9 forks
Report repository

Sponsor this project

  •  
Learn more about GitHub Sponsors

Contributors 2

  •  
  •  

Languages