Create exceptions

Create an exception to skip the execution of WAF managed rulesets or some of their rules. The exception configuration includes an expression that defines the skip conditions, and the rules or rulesets to skip under those conditions.

Types of exceptions

An exception can have one of the following behaviors (from highest to lowest priority):

• Skip all remaining rules (belonging to WAF managed rulesets)
• Skip one or more WAF managed rulesets
• Skip one or more rules of WAF managed rulesets

For more information on exceptions, refer to Create an exception in the Ruleset Engine documentation.

Scope and execution order

You can define exceptions at the account level and at the zone level. The scope of an exception determines which rules it affects:

• An account-level exception only skips rules configured at the account level. It does not affect zone-level rules.
• A zone-level exception only skips rules configured at the zone level. It does not affect account-level rules.

Within each phase, account-level rulesets run before zone-level rulesets. This means that if you deploy managed rules at both the account level and the zone level, a request is evaluated against account-level rules first. An exception defined at the zone level will not prevent a match at the account level.

For more information on how WAF features run in sequence, refer to Security features interoperability.

Note

Exceptions apply to WAF managed rulesets only. To skip other security features such as Browser Integrity Check or Zone Lockdown, create a custom rule with the skip action and select the specific products you want to skip.

Next steps

Add exceptions in the Cloudflare dashboard or via API.