Cloudflare Docs
Waf
Visit WAF on GitHub
Set theme to dark (⇧+D)

File scanning

WAF file scanning scans files being uploaded to your application.

WAF file scanning will automatically attempt to detect uploaded files and scan them for malicious content and malware. The scan results, along with additional metadata, will be exposed as fields available in WAF custom rules, allowing you to implement fine-grained mitigation rules.

Available fields

WAF file scanning provides the following fields:

FieldDescription
cf.waf.file_scanner.has_file
Boolean
When true, the request contains at least one file.
cf.waf.file_scanner.has_malicious_file
Boolean
When true, the request contains at least one malicious file.
cf.waf.file_scanner.scan_failed
Boolean
When true, the file scanner was unable to scan all the files in the request.
cf.waf.file_scanner.num_files
Integer
The number of files detected for this request (zero or greater).
cf.waf.file_scanner.max_file_size
Integer
The file size in bytes of the largest file in the request.
cf.waf.file_scanner.file_sizes
Array<Integer>
An array of file sizes in the order the files were detected in the request.
cf.waf.file_scanner.file_types
Array<String>
An array of file types in the order the files were detected in the request.
cf.waf.file_scanner.scan_results
Array<String>
An array of scan results in the order the files were detected in the request.

You can use the fields in expressions of custom rules.


Start using file scanning

Step 1 — Create a WAF custom rule

Create a custom rule that logs detected malicious files uploaded to your application.

For example, create a custom rule with the Log action and the following expression:

(cf.waf.file_scanner.has_malicious_file)

This rule will match requests where the WAF detects at least one malicious file.

You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine this feature with other security features. For example:

  • The following expression will match requests uploading malicious files if they target the specified endpoint:

    (cf.waf.file_scanner.has_malicious_file and http.request.uri.path contains "upload.php")
  • The following expression will match requests from bots uploading files:

    (cf.waf.file_scanner.has_file and cf.bot_management.score lt 10)

Step 2 — Monitor traffic

After deploying your custom rule, go to Firewall Events, available at Security > Overview, and check for logged requests matching the rule you created.

If you find legitimate traffic being logged due to the custom rule, adjust your rule expression so that the rule does not match these incoming requests.

Step 3 — Update your rule to block traffic

After making sure that you are only blocking the right requests, change the custom rule action from Log to Block so that the WAF starts blocking requests uploading malicious files.