Date: 2025-08-26

By default, WAF's managed rulesets are compatible with most websites and web applications. However, false positives and false negatives may occur:

False positives: Legitimate requests detected and mitigated as malicious.

False negatives: Malicious requests that were not mitigated and reached your origin server.

Troubleshoot false positives

You can use Security Events to help you identify what caused legitimate requests to get blocked. Add filters and adjust the report duration as needed.

If you encounter a false positive caused by a managed rule, do one of the following:

Add an exception: Exceptions allow you to skip the execution of WAF managed rulesets or some of their rules for certain requests.

Adjust the OWASP managed ruleset: A request blocked by the rule with ID ...843b323c and description "949110: Inbound Anomaly Score Exceeded" was blocked by the Cloudflare OWASP Core Ruleset. To resolve the issue, configure the OWASP managed ruleset.

Disable the corresponding managed rule(s): Create an override to disable specific rules. This may avoid false positives, but you will also reduce the overall site security. Refer to the dashboard instructions on configuring a managed ruleset, or to the API instructions on creating an override.

Note: If you contact Cloudflare Support to verify whether a WAF managed rule triggers as expected, provide a HAR file captured while sending the specific request of concern.

Additional recommendations

If one specific rule causes false positives, disable that specific rule and not the entire ruleset.

For false positives in the administrator area of your website, add an exception that disables a managed rule for the admin section of your site. You can use an expression similar to the following:

    http.host eq "example.com" and starts_with(http.request.uri.path, "/admin")
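The two recommendations above, combined in an added example (not Cloudflare's own code): it builds the body of an exception that skips only the named managed rule, then checks which constructed requests the page's admin expression would exempt. The `skip` action with a `rules` map follows the Rulesets API; the IDs are placeholders, and `in_scope` is a hypothetical Python model of the expression that assumes a lowercased host.

```python
import json

# Placeholders: substitute the IDs shown in Security Events for your zone.
MANAGED_RULESET_ID = "<MANAGED_RULESET_ID>"
RULE_ID = "<RULE_ID>"

# Scope expression taken from the page.
SCOPE = 'http.host eq "example.com" and starts_with(http.request.uri.path, "/admin")'


def build_exception(ruleset_id, rule_ids, expression=SCOPE):
    """Rule body for an exception that skips only the listed managed rules."""
    if not rule_ids:
        # Skipping with no rule list would exempt far more than one noisy rule.
        raise ValueError("name the specific rule IDs instead of the whole ruleset")
    return {
        "description": "Skip one managed rule for the admin area",
        "expression": expression,
        "action": "skip",
        "action_parameters": {"rules": {ruleset_id: list(rule_ids)}},
    }


def in_scope(host, path, scope_host="example.com", prefix="/admin"):
    """Hypothetical model of SCOPE: exact host match and path prefix match."""
    return host == scope_host and path.startswith(prefix)


def covered_requests(requests):
    """Return the (host, path) pairs for which the managed rule is skipped."""
    return [(h, p) for h, p in requests if in_scope(h, p)]


# Constructed sample requests, not real traffic.
SAMPLE = [
    ("example.com", "/admin/login"),
    ("example.com", "/administrator/setup"),  # also begins with "/admin"
    ("example.com", "/blog/admin"),
    ("shop.example.com", "/admin/login"),
]

if __name__ == "__main__":
    print(json.dumps(build_exception(MANAGED_RULESET_ID, [RULE_ID]), indent=2))
    for host, path in covered_requests(SAMPLE):
        print("managed rule skipped for:", host, path)
```

Because `starts_with` is a prefix match, `/administrator/setup` is exempted as well; if only the `/admin/` tree should be covered, use `"/admin/"` as the prefix.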

Troubleshoot false negatives

To identify false negatives, review the HTTP logs on your origin server.

To reduce false negatives, use the following checklist: