Get started
1. Enable WAF content scanning
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > Settings.
- Under Incoming traffic detections, turn on Malicious uploads.
Enable the feature using a POST request similar to the following:
curl --request POST \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/enable" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
2. Validate the content scanning behavior
Use Security Analytics and HTTP logs to validate that malicious content objects are being detected correctly.
Alternatively, create a WAF custom rule like described in the next step using a Log action instead of a mitigation action like Block. This rule will generate security events (available in Security > Events) that will allow you to validate your configuration.
3. Create a WAF custom rule
Create a WAF custom rule that blocks detected malicious content objects uploaded to your application.
For example, create a custom rule with the Block action and the following expression:
| Field | Operator | Value |
|---|---|---|
| Has malicious content object | equals | True |
If you use the Expression Editor, enter the following expression:
(cf.waf.content_scan.has_malicious_obj)This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to Content scanning fields. You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine content scanning with other security features. For example: The following expression will match requests with malicious content objects uploaded to a specific endpoint: Expression when using the editor: The following expression will match requests from bots uploading content objects: Expression when using the editor:Optional: Combine with other Rules language fields
Field Operator Value Logic Has malicious content object equals True And URI Path contains upload.phpField Operator Value Logic Has content object equals True And Bot Score less than 10
For additional examples, refer to Example rules.
4. (Optional) Configure a custom scan expression
To check uploaded content in a way that is not covered by the default configuration, add a custom scan expression.
Log in to the Cloudflare dashboard, and select your account and domain.
Go to Security > Settings.
Under Incoming traffic detections, select Malicious uploads.
Select Add content object location.
In Content location, enter your custom scan expression. For example:
lookup_json_string(http.request.body.raw, "file")Select Save.
Use a POST request similar to the following:
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/payloads" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '[ { "payload": "lookup_json_string(http.request.body.raw, \"file\")" }]'
The above request will add the following expression to the current list of custom scan expressions:
lookup_json_string(http.request.body.raw, "file")The custom scan expression will scan any string found in an HTTP body with the following JSON string:
{"file": "<BASE64_ENCODED_STRING>"}