Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Work with custom rulesets in the dashboard

Create custom rulesets in Account Home > WAF > Custom rulesets. After creating a custom ruleset, you must deploy it to your account to apply its rules.

​​ Create a custom ruleset

  1. Log in to the Cloudflare dashboard and select your account.

  2. Navigate to Account Home > WAF > Custom rulesets.

    Custom rulesets page in the Cloudflare dashboard

  3. Next to Your custom rulesets, select Create new ruleset.

  4. In the page that displays, enter a name and (optionally) a description for the custom ruleset.

  5. To create a new rule, select Create rule.

  6. Enter a descriptive name for the rule.

  7. Under When incoming requests match, use the Field drop-down list to choose an HTTP property. For each request, the value of the property you choose for Field is compared to the value you specify for Value using the operator selected in Operator. Alternatively, select Edit expression to define your expression using the Expression Editor.

  8. Select the rule action from the Choose action drop-down list. For example, selecting Block tells Cloudflare to refuse requests that match the conditions you specified.

  9. (Optional) If you selected the Block action, you can configure a custom response.

  10. Select Add rule.

  11. Add other rules to the custom ruleset, if needed.

  12. Select Create.

To enable the custom ruleset you created, you must deploy it to your account.

​​ Deploy a custom ruleset

  1. Log in to the Cloudflare dashboard and select your account.

  2. Navigate to Account Home > WAF > Custom rulesets.

  3. Next to Deployed custom rulesets, select Deploy custom ruleset.

  4. Select the custom ruleset to deploy.

  5. In the ruleset deployment page, give a name to the rule deploying the custom ruleset. This page also shows the rules in the custom ruleset that you will be deploying.

  6. Under Execution scope, review the scope of the deployed custom ruleset. If necessary, select Edit scope and configure the expression that will determine the scope of the current rule.

  7. To deploy your rule immediately, select Deploy. If you are not ready to deploy your rule, select Save as draft.

​​ Configuring a custom response for blocked requests

When you select the Block action in a rule you can optionally define a custom response.

The custom response has three settings:

  • Response type: Choose a content type or the default block response from the list. The available custom response types are the following:

    Dashboard valueAPI value
    Custom HTML"text/html"
    Custom Text"text/plain"
    Custom JSON"application/json"
    Custom XML"text/xml"
  • Response code: Choose an HTTP status code for the response, in the range 400-499. The default response code is 403.

  • Response body: The body of the response. Configure a valid body according to the response type you selected.