Required firewall rule changes to enable URL normalization
Malicious users can craft URIs that a firewall and the origin behind it interpret differently, so a request can slip past a rule and still reach the intended resource. When you enable Normalize incoming URLs, every rule that filters on the URI path receives the URL in a canonical form, which adds a layer of protection against such crafted requests.
Cloudflare gradually enabled URL normalization for all Cloudflare zones except those that could be affected by the change. Affected zones were identified by analyzing all firewall rules and looking for patterns in HTTP fields that would no longer match once URL normalization is applied.
These fields are the following:
To avoid changing the behavior of your existing firewall rules, Cloudflare did not enable URL normalization automatically for zones that would be affected by these changes.
Why URL normalization is important
Cloudflare strongly recommends that you enable Normalize incoming URLs in Rules > Settings to strengthen your zone's security posture. Not doing so leaves your zone at greater risk of a successful attack, because malicious parties can craft URLs in forms that your rules do not account for.
For example, a firewall rule with an expression such as http.request.uri.path contains "/login" could be bypassed if the attacker percent-encodes the l character as %6C and requests /%6Cogin instead. With URL normalization disabled, the rule compares the literal path /%6Cogin against "/login", finds no match, and lets the request through, even though the origin decodes it to /login.
It is recommended that you:
- Update any firewall rules impacted by the URL normalization changes.
- Enable URL normalization.
These steps will ensure a stronger security posture on your zone(s).
1. Review and update firewall rules
Before enabling URL normalization, review the affected firewall rules on your zone(s) and take one of the following approaches:
- Edit these firewall rules to remove the parts that will no longer trigger once the URL is normalized, for example conditions that look for ../ in URL paths. Administrators previously created such rules to perform a limited form of URL normalization themselves; once normalization is enabled they no longer fire, so they can be safely disabled and then deleted.
- If you still want to identify visitors sending non-normalized URI paths with these firewall rules, update them to use the original (or raw) non-normalized fields instead. These fields are the following:
2. Enable URL normalization
Once you have updated the affected firewall rules, enable URL normalization in Rules > Settings.
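The following Python script is an added example, not Cloudflare's code, that ties together the two points above: the %6C bypass of a contains "/login" rule, and why a rule looking for ../ stops firing once normalization is enabled unless it is moved to the raw path field. The normalization steps (percent-decoding, merging repeated slashes, removing "." and ".." segments) are an assumption modelled on RFC 3986 and may differ from Cloudflare's exact behavior; the raw field name raw.http.request.uri.path is likewise assumed for illustration, and all request paths are constructed sample inputs.

```python
from urllib.parse import unquote

# Added example, not Cloudflare's code. The normalization steps are an
# assumption modelled on RFC 3986 (percent-decoding, merging repeated
# slashes, removing "." and ".." segments); Cloudflare's exact rules may differ.


def normalize_path(path: str) -> str:
    """Return an assumed canonical form of a URI path."""
    decoded = unquote(path)  # "%6C" and "%6c" both become "l"
    while "//" in decoded:   # assumed: merge repeated slashes
        decoded = decoded.replace("//", "/")
    segments = decoded.split("/")
    if decoded.startswith("/"):
        segments = segments[1:]  # drop the empty root segment, re-added below
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")  # "/a/." -> "/a/"
            continue
        if seg == "..":
            if out:
                out.pop()       # ".." never climbs above the root
            if last:
                out.append("")  # "/a/b/.." -> "/a/"
            continue
        out.append(seg)
    return "/" + "/".join(out)


# Field names are an assumption for illustration: the page names
# http.request.uri.path and says raw (non-normalized) counterparts exist.
NORMALIZED_FIELD = "http.request.uri.path"
RAW_FIELD = "raw.http.request.uri.path"


def request_fields(raw_path: str, normalization_enabled: bool) -> dict:
    """Build the path fields a rule can read for one request."""
    return {
        # With normalization off, the ordinary field carries the raw value.
        NORMALIZED_FIELD: normalize_path(raw_path) if normalization_enabled else raw_path,
        RAW_FIELD: raw_path,
    }


def rule_matches(field: str, needle: str, raw_path: str, normalization_enabled: bool) -> bool:
    """Evaluate a rule of the form <field> contains "<needle>"."""
    return needle in request_fields(raw_path, normalization_enabled)[field]


def login_rule_bypass() -> dict:
    """Rule http.request.uri.path contains "/login" against crafted paths.

    Returns {path: (matched with normalization off, matched with it on)}.
    """
    crafted = ["/%6Cogin", "/%6c%6f%67%69%6e", "/login"]  # constructed inputs
    return {
        p: (
            rule_matches(NORMALIZED_FIELD, "/login", p, False),
            rule_matches(NORMALIZED_FIELD, "/login", p, True),
        )
        for p in crafted
    }


def traversal_rule_after_normalization() -> dict:
    """A rule looking for "../" in the path, before and after enabling normalization."""
    p = "/images/../etc/passwd"  # constructed input
    return {
        "normalized field, normalization off": rule_matches(NORMALIZED_FIELD, "../", p, False),
        "normalized field, normalization on": rule_matches(NORMALIZED_FIELD, "../", p, True),
        "raw field, normalization on": rule_matches(RAW_FIELD, "../", p, True),
    }


if __name__ == "__main__":
    for path, (off, on) in login_rule_bypass().items():
        print(f"{path!r:24} matched: normalization off={off} on={on}")
    for label, hit in traversal_rule_after_normalization().items():
        print(f"{label:40} -> {hit}")
```

Running the script shows the two behaviors the page describes: the encoded paths match the "/login" rule only once normalization is on, and the "../" rule goes silent on the normalized field after normalization because the dot segment has already been resolved to /etc/passwd, while the same condition on the raw field keeps matching.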