Create an account or zone ruleset
Creates a ruleset.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYYAPI Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.comThe previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194Accepted Permissions (at least one required)
Mass URL Redirects WriteMagic Firewall WriteL4 DDoS Managed Ruleset WriteTransform Rules WriteSelect Configuration WriteAccount WAF WriteAccount Rulesets WriteLogs WritePath ParametersExpand Collapse
Body ParametersJSONExpand Collapse
rules: optional array of BlockRule { last_updated, version, id, 10 more } or object { last_updated, version, id, 10 more } or CompressResponseRule { last_updated, version, id, 10 more } or 17 moreThe list of rules in the ruleset.
The list of rules in the ruleset.
BlockRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
Challenge = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
CompressResponseRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
DDoSDynamicRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ExecuteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { id, matched_data, overrides } The parameters configuring the rule's action.
The parameters configuring the rule's action.
overrides: optional object { action, categories, enabled, 2 more } A set of overrides to apply to the target ruleset.
A set of overrides to apply to the target ruleset.
An action to override all rules with. This option has lower precedence than rule and category overrides.
categories: optional array of object { category, action, enabled, sensitivity_level } A list of category-level overrides. This option has the second-highest precedence after rule-level overrides.
A list of category-level overrides. This option has the second-highest precedence after rule-level overrides.
Whether to enable execution of all rules. This option has lower precedence than rule and category overrides.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ForceConnectionCloseRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
JSChallenge = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
LogRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
LogCustomFieldRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { cookie_fields, raw_response_fields, request_fields, 2 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
raw_response_fields: optional array of object { name, preserve_duplicates } The raw response fields to log.
The raw response fields to log.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ManagedChallengeRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RedirectRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { from_list, from_value } The parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RewriteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { headers, uri } The parameters configuring the rule's action.
The parameters configuring the rule's action.
headers: optional map[object { operation, value } or object { expression, operation } or object { operation, value } or 2 more]A map of headers to rewrite.
A map of headers to rewrite.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RouteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { host_header, origin, sni } The parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ScoreRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ServeErrorRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { content, content_type, status_code } or object { asset_name, content_type, status_code } The parameters configuring the rule's action.
The parameters configuring the rule's action.
ActionParametersContent = object { content, content_type, status_code }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheControl = object { last_updated, version, id, 10 more }
action_parameters: optional object { immutable, "max-age", "must-revalidate", 10 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
immutable: optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"max-age": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"must-revalidate": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"must-understand": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"no-cache": optional object { operation, cloudflare_only, qualifiers } or object { operation, cloudflare_only } A cache-control directive configuration that accepts optional qualifiers (header names).
A cache-control directive configuration that accepts optional qualifiers (header names).
SetDirective = object { operation, cloudflare_only, qualifiers } Set the directive with optional qualifiers.
Set the directive with optional qualifiers.
"no-store": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"no-transform": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
private: optional object { operation, cloudflare_only, qualifiers } or object { operation, cloudflare_only } A cache-control directive configuration that accepts optional qualifiers (header names).
A cache-control directive configuration that accepts optional qualifiers (header names).
SetDirective = object { operation, cloudflare_only, qualifiers } Set the directive with optional qualifiers.
Set the directive with optional qualifiers.
"proxy-revalidate": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
public: optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"s-maxage": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"stale-if-error": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"stale-while-revalidate": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheSettingsRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { additional_cacheable_ports, browser_ttl, cache, 12 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
A list of additional ports that caching should be enabled on.
browser_ttl: optional object { mode, default } How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content.
How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content.
Whether the request's response from the origin is eligible for caching. Caching itself will still depend on the cache control header and your other caching configurations.
cache_key: optional object { cache_by_device_type, cache_deception_armor, custom_key, ignore_query_strings_order } Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache.
Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache.
Whether to separate cached content based on the visitor's device type.
Whether to protect from web cache deception attacks, while allowing static assets to be cached.
custom_key: optional object { cookie, header, host, 2 more } Which components of the request are included or excluded from the cache key.
Which components of the request are included or excluded from the cache key.
header: optional object { check_presence, contains, exclude_origin, include } Which headers to include in the cache key.
Which headers to include in the cache key.
A list of headers to check for the presence of. The presence of these headers is included in the cache key.
query_string: optional object { exclude, include } Which query string parameters to include in or exclude from the cache key.
Which query string parameters to include in or exclude from the cache key.
cache_reserve: optional object { eligible, minimum_file_size } Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan).
Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan).
edge_ttl: optional object { mode, default, status_code_ttl } How long the Cloudflare edge network should cache the response.
How long the Cloudflare edge network should cache the response.
The edge TTL (in seconds) if you choose the "override_origin" mode.
status_code_ttl: optional array of object { value, status_code, status_code_range } A list of TTLs to apply to specific status codes or status code ranges.
A list of TTLs to apply to specific status codes or status code ranges.
Whether to generate Cloudflare error pages for issues from the origin server.
A timeout value between two successive read operations to use for your origin server. Historically, the timeout value between two read options from Cloudflare to an origin server is 100 seconds. If you are attempting to reduce HTTP 524 errors because of timeouts from an origin server, try increasing this timeout value.
Whether Cloudflare should respect strong ETag (entity tag) headers. If false, Cloudflare converts strong ETag headers to weak ETag headers.
serve_stale: optional object { disable_stale_while_updating } When to serve stale content from cache.
When to serve stale content from cache.
shared_dictionary: optional object { match_pattern } Configuration for shared dictionary compression. When set, Cloudflare injects Use-As-Dictionary headers on matching cacheable responses.
Configuration for shared dictionary compression. When set, Cloudflare injects Use-As-Dictionary headers on matching cacheable responses.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheTags = object { last_updated, version, id, 10 more }
action_parameters: optional object { operation, values } or object { expression, operation } or object { operation, values } or 3 moreThe parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetConfigRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { automatic_https_rewrites, autominify, bic, 19 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
Whether to disable Cloudflare Apps.
Whether to enable Mirage.
Whether to redirect verified AI training crawlers to canonical URLs found in the HTML response.
security_level: optional "off" or "essentially_off" or "low" or 3 moreThe Security Level to configure.
The Security Level to configure.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SkipRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { phase, phases, products, 3 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
A phase to skip the execution of. This option is only compatible with the products option.
A list of phases to skip the execution of. This option is incompatible with the rulesets option.
A list of phases to skip the execution of. This option is incompatible with the rulesets option.
products: optional array of "bic" or "hot" or "rateLimit" or 4 moreA list of legacy security products to skip the execution of.
A list of legacy security products to skip the execution of.
A mapping of ruleset IDs to a list of rule IDs in that ruleset to skip the execution of. This option is incompatible with the ruleset option.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ReturnsExpand Collapse
result: object { id, kind, last_updated, 5 more } A ruleset object.
A ruleset object.
rules: array of BlockRule { last_updated, version, id, 10 more } or object { last_updated, version, id, 10 more } or CompressResponseRule { last_updated, version, id, 10 more } or 17 moreThe list of rules in the ruleset.
The list of rules in the ruleset.
BlockRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
Challenge = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
CompressResponseRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
DDoSDynamicRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ExecuteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { id, matched_data, overrides } The parameters configuring the rule's action.
The parameters configuring the rule's action.
overrides: optional object { action, categories, enabled, 2 more } A set of overrides to apply to the target ruleset.
A set of overrides to apply to the target ruleset.
An action to override all rules with. This option has lower precedence than rule and category overrides.
categories: optional array of object { category, action, enabled, sensitivity_level } A list of category-level overrides. This option has the second-highest precedence after rule-level overrides.
A list of category-level overrides. This option has the second-highest precedence after rule-level overrides.
Whether to enable execution of all rules. This option has lower precedence than rule and category overrides.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ForceConnectionCloseRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
JSChallenge = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
LogRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
LogCustomFieldRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { cookie_fields, raw_response_fields, request_fields, 2 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
raw_response_fields: optional array of object { name, preserve_duplicates } The raw response fields to log.
The raw response fields to log.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ManagedChallengeRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RedirectRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { from_list, from_value } The parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RewriteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { headers, uri } The parameters configuring the rule's action.
The parameters configuring the rule's action.
headers: optional map[object { operation, value } or object { expression, operation } or object { operation, value } or 2 more]A map of headers to rewrite.
A map of headers to rewrite.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
RouteRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { host_header, origin, sni } The parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ScoreRule = object { last_updated, version, id, 10 more }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
ServeErrorRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { content, content_type, status_code } or object { asset_name, content_type, status_code } The parameters configuring the rule's action.
The parameters configuring the rule's action.
ActionParametersContent = object { content, content_type, status_code }
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheControl = object { last_updated, version, id, 10 more }
action_parameters: optional object { immutable, "max-age", "must-revalidate", 10 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
immutable: optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"max-age": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"must-revalidate": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"must-understand": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"no-cache": optional object { operation, cloudflare_only, qualifiers } or object { operation, cloudflare_only } A cache-control directive configuration that accepts optional qualifiers (header names).
A cache-control directive configuration that accepts optional qualifiers (header names).
SetDirective = object { operation, cloudflare_only, qualifiers } Set the directive with optional qualifiers.
Set the directive with optional qualifiers.
"no-store": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"no-transform": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
private: optional object { operation, cloudflare_only, qualifiers } or object { operation, cloudflare_only } A cache-control directive configuration that accepts optional qualifiers (header names).
A cache-control directive configuration that accepts optional qualifiers (header names).
SetDirective = object { operation, cloudflare_only, qualifiers } Set the directive with optional qualifiers.
Set the directive with optional qualifiers.
"proxy-revalidate": optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
public: optional object { operation, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration.
A cache-control directive configuration.
"s-maxage": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"stale-if-error": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
"stale-while-revalidate": optional object { operation, value, cloudflare_only } or object { operation, cloudflare_only } A cache-control directive configuration that accepts a duration value in seconds.
A cache-control directive configuration that accepts a duration value in seconds.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheSettingsRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { additional_cacheable_ports, browser_ttl, cache, 12 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
A list of additional ports that caching should be enabled on.
browser_ttl: optional object { mode, default } How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content.
How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content.
Whether the request's response from the origin is eligible for caching. Caching itself will still depend on the cache control header and your other caching configurations.
cache_key: optional object { cache_by_device_type, cache_deception_armor, custom_key, ignore_query_strings_order } Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache.
Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache.
Whether to separate cached content based on the visitor's device type.
Whether to protect from web cache deception attacks, while allowing static assets to be cached.
custom_key: optional object { cookie, header, host, 2 more } Which components of the request are included or excluded from the cache key.
Which components of the request are included or excluded from the cache key.
header: optional object { check_presence, contains, exclude_origin, include } Which headers to include in the cache key.
Which headers to include in the cache key.
A list of headers to check for the presence of. The presence of these headers is included in the cache key.
query_string: optional object { exclude, include } Which query string parameters to include in or exclude from the cache key.
Which query string parameters to include in or exclude from the cache key.
cache_reserve: optional object { eligible, minimum_file_size } Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan).
Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan).
edge_ttl: optional object { mode, default, status_code_ttl } How long the Cloudflare edge network should cache the response.
How long the Cloudflare edge network should cache the response.
The edge TTL (in seconds) if you choose the "override_origin" mode.
status_code_ttl: optional array of object { value, status_code, status_code_range } A list of TTLs to apply to specific status codes or status code ranges.
A list of TTLs to apply to specific status codes or status code ranges.
Whether to generate Cloudflare error pages for issues from the origin server.
A timeout value between two successive read operations to use for your origin server. Historically, the timeout value between two read options from Cloudflare to an origin server is 100 seconds. If you are attempting to reduce HTTP 524 errors because of timeouts from an origin server, try increasing this timeout value.
Whether Cloudflare should respect strong ETag (entity tag) headers. If false, Cloudflare converts strong ETag headers to weak ETag headers.
serve_stale: optional object { disable_stale_while_updating } When to serve stale content from cache.
When to serve stale content from cache.
shared_dictionary: optional object { match_pattern } Configuration for shared dictionary compression. When set, Cloudflare injects Use-As-Dictionary headers on matching cacheable responses.
Configuration for shared dictionary compression. When set, Cloudflare injects Use-As-Dictionary headers on matching cacheable responses.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetCacheTags = object { last_updated, version, id, 10 more }
action_parameters: optional object { operation, values } or object { expression, operation } or object { operation, values } or 3 moreThe parameters configuring the rule's action.
The parameters configuring the rule's action.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SetConfigRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { automatic_https_rewrites, autominify, bic, 19 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
Whether to disable Cloudflare Apps.
Whether to enable Mirage.
Whether to redirect verified AI training crawlers to canonical URLs found in the HTML response.
security_level: optional "off" or "essentially_off" or "low" or 3 moreThe Security Level to configure.
The Security Level to configure.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
SkipRule = object { last_updated, version, id, 10 more }
action_parameters: optional object { phase, phases, products, 3 more } The parameters configuring the rule's action.
The parameters configuring the rule's action.
A phase to skip the execution of. This option is only compatible with the products option.
A list of phases to skip the execution of. This option is incompatible with the rulesets option.
A list of phases to skip the execution of. This option is incompatible with the rulesets option.
products: optional array of "bic" or "hot" or "rateLimit" or 4 moreA list of legacy security products to skip the execution of.
A list of legacy security products to skip the execution of.
A mapping of ruleset IDs to a list of rule IDs in that ruleset to skip the execution of. This option is incompatible with the ruleset option.
exposed_credential_check: optional object { password_expression, username_expression } Configuration for exposed credential checking.
Configuration for exposed credential checking.
ratelimit: optional object { characteristics, period, counting_expression, 5 more } An object configuring the rule's rate limit behavior.
An object configuring the rule's rate limit behavior.
Characteristics of the request on which the rate limit counter will be incremented.
An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
Period of time in seconds after which the action will be disabled following its first execution.
The threshold of requests per period after which the action will be executed for the first time.
Create an account or zone ruleset
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/rulesets \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-d '{
"kind": "root",
"name": "My ruleset",
"phase": "http_request_firewall_custom",
"description": "A description for my ruleset."
}'{
"errors": [
{
"message": "something bad happened",
"code": 10000,
"source": {
"pointer": "/rules/0/action"
}
}
],
"messages": [
{
"message": "something bad happened",
"code": 10000,
"source": {
"pointer": "/rules/0/action"
}
}
],
"result": {
"id": "2f2feab2026849078ba485f918791bdc",
"kind": "root",
"last_updated": "2000-01-01T00:00:00.000000Z",
"name": "My ruleset",
"phase": "http_request_firewall_custom",
"rules": [
{
"last_updated": "2000-01-01T00:00:00.000000Z",
"version": "1",
"id": "3a03d665bac047339bb530ecb439a90d",
"action": "block",
"action_parameters": {
"response": {
"content": "{\n \"success\": false,\n \"error\": \"you have been blocked\"\n}",
"content_type": "application/json",
"status_code": 400
}
},
"categories": [
"directory-traversal"
],
"description": "Block the request.",
"enabled": true,
"exposed_credential_check": {
"password_expression": "url_decode(http.request.body.form[\\\"password\\\"][0])",
"username_expression": "url_decode(http.request.body.form[\\\"username\\\"][0])"
},
"expression": "ip.src eq 1.1.1.1",
"logging": {
"enabled": true
},
"ratelimit": {
"characteristics": [
"cf.colo.id"
],
"period": 60,
"counting_expression": "http.request.body.raw eq \"abcd\"",
"mitigation_timeout": 600,
"requests_per_period": 1000,
"requests_to_origin": true,
"score_per_period": 400,
"score_response_header_name": "my-score"
},
"ref": "my_ref"
}
],
"version": "1",
"description": "A description for my ruleset."
},
"success": true
}Returns Examples
{
"errors": [
{
"message": "something bad happened",
"code": 10000,
"source": {
"pointer": "/rules/0/action"
}
}
],
"messages": [
{
"message": "something bad happened",
"code": 10000,
"source": {
"pointer": "/rules/0/action"
}
}
],
"result": {
"id": "2f2feab2026849078ba485f918791bdc",
"kind": "root",
"last_updated": "2000-01-01T00:00:00.000000Z",
"name": "My ruleset",
"phase": "http_request_firewall_custom",
"rules": [
{
"last_updated": "2000-01-01T00:00:00.000000Z",
"version": "1",
"id": "3a03d665bac047339bb530ecb439a90d",
"action": "block",
"action_parameters": {
"response": {
"content": "{\n \"success\": false,\n \"error\": \"you have been blocked\"\n}",
"content_type": "application/json",
"status_code": 400
}
},
"categories": [
"directory-traversal"
],
"description": "Block the request.",
"enabled": true,
"exposed_credential_check": {
"password_expression": "url_decode(http.request.body.form[\\\"password\\\"][0])",
"username_expression": "url_decode(http.request.body.form[\\\"username\\\"][0])"
},
"expression": "ip.src eq 1.1.1.1",
"logging": {
"enabled": true
},
"ratelimit": {
"characteristics": [
"cf.colo.id"
],
"period": 60,
"counting_expression": "http.request.body.raw eq \"abcd\"",
"mitigation_timeout": 600,
"requests_per_period": 1000,
"requests_to_origin": true,
"score_per_period": 400,
"score_response_header_name": "my-score"
},
"ref": "my_ref"
}
],
"version": "1",
"description": "A description for my ruleset."
},
"success": true
}