Example mitigation rules
Date: 2026-03-11
A customer support chatbot should not engage with prompts about violent crimes or hate speech. This custom rule blocks the request and returns a JSON response that your application can parse and display to the user.
- When incoming requests match:

  | Field | Operator | Value |
  | --- | --- | --- |
  | LLM Unsafe topic categories | is in | S1: Violent Crimes, S10: Hate |

  Expression when using the editor:
  (any(cf.llm.prompt.unsafe_topic_categories[*] in {"S1" "S10"}))
- Action: Block
- With response type: Custom JSON
- Response body:
Your application can check for a non-200 response and display the message field to the user, keeping the experience conversational instead of showing a raw block page.
This rule combines the AI Security for Apps injection score with Bot Management and the request's country to focus on high-confidence attacks from automated sources. This layered approach significantly reduces false positives compared to using any single signal alone.
- When incoming requests match:
  Enter the following expression in the editor:
  (cf.llm.prompt.injection_score lt 25 and cf.bot_management.score lt 10 and ip.geoip.country ne "US")
- Action: Block
The rule targets requests that are simultaneously:
- Likely prompt injection attempts (score below 25).
- Coming from automated tooling, not a real browser (bot score below 10).
- Originating from outside the US — adjust the country code to match where your users are.
Any single signal might produce false positives on its own. Together, they identify a pattern strongly associated with automated prompt injection attacks.
A financial services application legitimately handles credit card and bank account numbers from internal agents, but should block those PII types from external users. This rule uses the request's autonomous system number (ASN) to distinguish internal traffic from public traffic.
- When incoming requests match:
  Enter the following expression in the editor:
  (any(cf.llm.prompt.pii_categories[*] in {"CREDIT_CARD" "US_BANK_NUMBER" "IBAN_CODE"}) and ip.src.asnum ne 13335)
  Replace 13335 with your organization's ASN.
- Action: Block
- With response type: Custom JSON
- Response body:
Internal agents on your corporate network (identified by ASN) can submit financial PII to the AI assistant as part of their workflow, while external users are blocked. You could further refine this by combining with Access service tokens or mTLS for stronger identity verification.
When a WAF rule blocks a request, Cloudflare sends the block response back to your application — not to the end user. Your application needs to handle that response and decide what to show. Without error handling, your users may see a raw HTML error page or a broken UI.
Here are two things you can do to keep the experience smooth.
Define a friendly default message that your application displays whenever it receives a non-successful response. This works regardless of how the block rule is configured — including the default Cloudflare block page, which returns HTML that would otherwise break a JSON-based chat UI.
For more control, configure your block rules with a custom JSON response — for example, { "message": "That question is outside this assistant's scope." }. Your application can then parse the response and show the custom message when available, falling back to the default when it is not.
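The two handling steps above, combined into one client-side function. This is an added example, not Cloudflare's code. DEFAULT_MESSAGE, MAX_MESSAGE_LENGTH, the "reply" field of a successful response and both function names are assumptions, and the sample responses are constructed.

```javascript
// Added example, not Cloudflare's code. DEFAULT_MESSAGE, MAX_MESSAGE_LENGTH,
// the "reply" field and both function names are assumptions.
const DEFAULT_MESSAGE = "Sorry, I can't help with that request.";
const MAX_MESSAGE_LENGTH = 300;

// Decide what the chat UI shows from the status, Content-Type and raw body.
function messageForResponse(status, contentType, bodyText) {
  // Only attempt JSON parsing when the response says it is JSON; the default
  // block page is HTML and must never reach JSON.parse or the UI.
  let parsed = null;
  if (/^application\/json\b/i.test(contentType || "")) {
    try {
      parsed = JSON.parse(bodyText);
    } catch {
      parsed = null; // malformed or truncated body: fall through to the default
    }
  }
  if (status >= 200 && status < 300) {
    // Assumed success shape from the application's own backend.
    return parsed && typeof parsed.reply === "string" ? parsed.reply : DEFAULT_MESSAGE;
  }
  // Non-successful response: prefer the rule's custom "message" when usable.
  const msg = parsed && typeof parsed.message === "string" ? parsed.message.trim() : "";
  if (msg.length === 0 || msg.length > MAX_MESSAGE_LENGTH) return DEFAULT_MESSAGE;
  return msg;
}

// Adapter for a fetch() Response. Render the result as text
// (for example element.textContent), not as HTML.
async function messageFromFetch(response) {
  const bodyText = await response.text();
  return messageForResponse(response.status, response.headers.get("content-type"), bodyText);
}

// Constructed sample responses.
const samples = [
  [403, "application/json", '{ "message": "That question is outside this assistant\'s scope." }'],
  [403, "text/html; charset=UTF-8", "<!DOCTYPE html><html><body>Sorry, you have been blocked</body></html>"],
  [403, "application/json", '{ "message": '],
];
for (const [status, type, body] of samples) {
  console.log(status, type, "->", messageForResponse(status, type, body));
}
```

The length cap and the string type check keep an unexpected or oversized body from being shown verbatim in the chat window.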