Example rules

​​ Log requests with an uploaded content object

This custom rule example logs all requests with at least one uploaded content object:

• Expression: cf.waf.content_scan.has_obj
• Action: Log

​​ Block requests to URI path with a malicious content object

This custom rule example blocks requests addressed at /upload.php that contain at least one uploaded content object considered malicious:

• Expression: cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"
• Action: Block

​​ Block requests with non-PDF file uploads

This custom rule example blocks requests addressed at /upload with uploaded content objects that are not PDF files:

• Expression: any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"
• Action: Block

​​ Block requests with uploaded files over 500 KB

This custom rule example blocks requests addressed at /upload with uploaded content objects over 500 KB in size:

• Expression: any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"
• Action: Block

​​ Block requests with uploaded files over the content scanning limit (15 MB)

This custom rule example blocks requests with uploaded content objects over 15 MB in size (the current content scanning limit):

• Expression: any(cf.waf.content_scan.obj_sizes[*] >= 15000000)
• Action: Block

In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the > (greater than) comparison operator would not work for this particular rule — you should use >= (greater than or equal) instead.