Skip to content

Rules

A rule defines a filter and an action to perform on the incoming requests that match the filter. The rule filter expression defines the scope of the rule and the rule action defines what happens when there is a match for the expression. Rule filter expressions are defined using the Rules language.

For example, consider the following ruleset with four rules (R1, R2, R3, and R4). For a given incoming request, the expression of the first two rules matches the request properties. Therefore, the action for these rules runs (Execute and Log, respectively). The action of the first rule executes a managed ruleset, which means that every rule in the managed ruleset is evaluated. The action of the second rule logs an event associated with the current phase. There is no match for the expressions of rules 3 and 4, so their actions do not run. Since no rule blocks the request, it proceeds to the next phase.

Example of a rule execution scenario. Defines a ruleset with four rules, where the first rule executes a managed ruleset.

Rules can have additional features through specific Cloudflare products. You may have more fields available for rule expressions, perform different actions, or configure additional behavior in a given phase.

Rule evaluation

When evaluating a rule, Cloudflare compares the values of request/response properties or derived values (obtained through fields) to those defined in the rule's filter expression.

If the entire expression evaluates to true, there is a rule match and Cloudflare triggers the action configured in the rule. If the expression evaluates to false, the rule does not match and its configured action is not applied.

Generally speaking, for non-terminating actions the last change made by rules in the same phase will win (later rules can overwrite changes done by previous rules). However, for terminating actions (Block, Redirect, or one of the challenge actions), rule evaluation will stop and the action will be executed immediately.

For example, if multiple rules with the Redirect action match, Cloudflare will always use the URL redirect of the first rule that matches. Also, if you configure URL redirects using different Cloudflare products (Single Redirects and Bulk Redirects), the product executed first will apply, if there is a rule match (in this case, Single Redirects). Refer to the Phases list for the product execution order.

When you use true as the rule filter expression, this means "apply the rule to every incoming request" at the current phase level, which can be zone or account.

Field values during rule evaluation

While evaluating rules for a given request/response, the values of all request and response fields are immutable within each phase. However, field values may change between phases.

For example:

  • If a rewrite URL rule #1 updates the URI path or the query string of a request, rewrite URL rule #2 will not take these earlier changes into consideration.
  • If an HTTP request header modification rule #1 sets the value of a request header, HTTP request header modification rule #2 will not be able to read or evaluate this new value.
  • If a rewrite URL rule updates the URI path or query string of a request, the http.request.uri, http.request.uri.*, and http.request.full_uri fields will have a different value in phases after the http_request_transform phase (where rewrite URL rules are executed).