Example rules
This custom rule example logs all requests with at least one uploaded content object:

- When incoming requests match:

  | Field | Operator | Value |
  | --- | --- | --- |
  | Has content object | equals | True |

  If you are using the Expression Editor:
  `(cf.waf.content_scan.has_obj)`

- Action: Log

This custom rule example blocks requests addressed at /upload.php that contain at least one uploaded content object considered malicious:

- When incoming requests match:

  | Field | Operator | Value | Logic |
  | --- | --- | --- | --- |
  | Has malicious content object | equals | True | And |
  | URI Path | equals | /upload.php | |

  If you are using the Expression Editor:
  `(cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php")`

- Action: Block

This custom rule example blocks requests addressed at /upload with uploaded content objects that are not PDF files:

- When incoming requests match:
  `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"`
- Action: Block

This custom rule example blocks requests addressed at /upload with uploaded content objects over 500 KB (512,000 bytes) in size:

- When incoming requests match:
  `any(cf.waf.content_scan.obj_sizes[*] > 512000) and http.request.uri.path eq "/upload"`
- Action: Block

This custom rule example blocks requests with uploaded content objects over 50 MB in size (the current content scanning limit):

- When incoming requests match:
  `any(cf.waf.content_scan.obj_sizes[*] >= 52428800)`
- Action: Block

In this example, you must also test for equality because currently any file over 50 MB will be handled internally as if it had a size of 50 MB (52,428,800 bytes). This means that using the > (greater than) comparison operator would not work for this particular rule — you should use >= (greater than or equal) instead.
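
The following Python sketch is an added example, not Cloudflare code: it models the content scanning fields locally and evaluates the five expressions above against constructed requests, including the 50 MB clamp that makes `>` unusable for the last rule. The `Obj` class, the rule names, the helper functions, and the treatment of `any()` over an empty array as false are assumptions of this model.

```python
from dataclasses import dataclass

SCAN_LIMIT = 52_428_800  # 50 MB; larger objects are reported as exactly this size


@dataclass
class Obj:
    size: int            # real size of the uploaded object, in bytes
    mime: str            # content type reported for the object
    malicious: bool = False


def scan_fields(path, objs):
    """Build the fields the page's expressions read (local model, hypothetical)."""
    return {
        "path": path,
        "has_obj": bool(objs),
        "has_malicious_obj": any(o.malicious for o in objs),
        "obj_types": [o.mime for o in objs],
        # Clamp as the page describes: anything over 50 MB looks like 50 MB.
        "obj_sizes": [min(o.size, SCAN_LIMIT) for o in objs],
    }


# Each entry mirrors one expression from the page; the rule names are hypothetical.
RULES = {
    "log_any_upload": lambda f: f["has_obj"],
    "block_malicious_upload_php": lambda f: f["has_malicious_obj"] and f["path"] == "/upload.php",
    "block_non_pdf": lambda f: any(t != "application/pdf" for t in f["obj_types"]) and f["path"] == "/upload",
    "block_over_500kb": lambda f: any(s > 512000 for s in f["obj_sizes"]) and f["path"] == "/upload",
    "block_over_limit": lambda f: any(s >= SCAN_LIMIT for s in f["obj_sizes"]),
    # The variant the page warns about: strict > can never be true after clamping.
    "broken_over_limit_gt": lambda f: any(s > SCAN_LIMIT for s in f["obj_sizes"]),
}


def matched(path, objs):
    """Return the names of the rules whose expression is true for this request."""
    f = scan_fields(path, objs)
    return [name for name, expr in RULES.items() if expr(f)]


if __name__ == "__main__":
    # Constructed sample request: one 60 MB ZIP uploaded to /upload.
    print(matched("/upload", [Obj(60 * 1024 * 1024, "application/zip")]))
```

In this model, a request to /upload that carries no content objects matches none of the rules, so the PDF-only rule does not by itself require that a file be present.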