Create a custom rule checking for exposed credentials
You can create rules that check for exposed credentials using the Rulesets API. Include these rules in a custom ruleset, which you must create at the account level, and then deploy the custom ruleset to a phase.
A rule checking for exposed credentials has a match when both the rule expression and the result from the exposed credentials check are true.
To check for exposed credentials in a custom rule, include the exposed_credential_check object in the rule definition. This object must have the following properties:
username_expression — Expression that selects the user ID used in the credentials check. This property can have up to 1024 characters.
password_expression — Expression that selects the password used in the credentials check. This property can have up to 1024 characters.
You can use the exposed_credential_check object in rules with one of the following actions: rewrite, log, block, challenge, or js_challenge. Cloudflare recommends that you only use exposed credentials checks with the following actions: rewrite and log.
Example A
This POST request example creates a new custom ruleset with a rule that checks for exposed credentials. The rule has a match if both the rule expression and the exposed_credential_check result are true. When there is a match, the rule logs the request carrying the exposed credentials in the Cloudflare logs.
The response returns the created ruleset. Note the presence of the exposed_credential_check object on the rule definition.
The example uses the url_decode() function because fields in the request body (available in http.request.body.form) are URL-encoded when the content type is application/x-www-form-urlencoded.
After creating a custom ruleset, deploy it to a phase so that it executes. Refer to Deploy a custom ruleset for more information.
Example B
This POST request example creates a new custom ruleset with a rule that checks for exposed credentials in JSON responses. The rule has a match if both the rule expression and the exposed_credential_check result are true. When there is a match, the rule will add an Exposed-Credential-Check HTTP header to the request with value 1.
The response returns the created ruleset. Note the presence of the following elements in the rule definition:
The rewrite action.
The action_parameters object configuring the HTTP header added to requests with exposed credentials.
The exposed_credential_check object.
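As an added example (not part of this page and not Cloudflare's own request bodies), the following Python assembles the two rulesets described in Examples A and B and checks each rule against the constraints stated above before it would be submitted to the Rulesets API. The login paths and form/JSON field names are assumptions; the ruleset and action_parameters fields follow the Rulesets API objects named on this page.

```python
# Constraints the page states for rules that carry an exposed_credential_check object.
ALLOWED_ACTIONS = {"rewrite", "log", "block", "challenge", "js_challenge"}
RECOMMENDED_ACTIONS = {"rewrite", "log"}
MAX_EXPRESSION_LEN = 1024

def validate_rule(rule):
    """Return the problems found in an exposed-credentials rule (an empty list means it is valid)."""
    problems = []
    action = rule.get("action")
    if action not in ALLOWED_ACTIONS:
        problems.append(f"action {action!r} cannot be combined with exposed_credential_check")
    elif action not in RECOMMENDED_ACTIONS:
        problems.append(f"action {action!r} is allowed but not recommended for this check")
    check = rule.get("exposed_credential_check")
    if not isinstance(check, dict):
        return problems + ["missing exposed_credential_check object"]
    for key in ("username_expression", "password_expression"):
        if not check.get(key):
            problems.append(f"missing {key}")
        elif len(check[key]) > MAX_EXPRESSION_LEN:
            problems.append(f"{key} exceeds {MAX_EXPRESSION_LEN} characters")
    return problems

def build_ruleset(name, rules):
    """Assemble the account-level custom ruleset body; refuse rules that break the constraints."""
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            raise ValueError("; ".join(problems))
    return {"name": name, "kind": "custom", "phase": "http_request_firewall_custom", "rules": rules}

# Form login (Example A): fields in http.request.body.form are URL-encoded, hence url_decode().
# The path and field names are assumed for this example.
FORM_LOGIN_RULE = {
    "action": "log",
    "expression": 'http.request.method == "POST" && http.request.uri.path == "/login"',
    "exposed_credential_check": {
        "username_expression": 'url_decode(http.request.body.form["username"][0])',
        "password_expression": 'url_decode(http.request.body.form["password"][0])',
    },
}

# JSON login (Example B): rewrite sets the Exposed-Credential-Check: 1 request header for the origin.
JSON_LOGIN_RULE = {
    "action": "rewrite",
    "expression": 'http.request.method == "POST" && http.request.uri.path == "/api/login"',
    "action_parameters": {"headers": {"Exposed-Credential-Check": {"operation": "set", "value": "1"}}},
    "exposed_credential_check": {
        "username_expression": 'lookup_json_string(http.request.body.raw, "username")',
        "password_expression": 'lookup_json_string(http.request.body.raw, "password")',
    },
}
```

Running build_ruleset on a rule that uses an action such as block surfaces the "allowed but not recommended" warning before the ruleset is created, so the review happens client-side rather than after deployment.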
Next steps
After creating a custom ruleset, deploy it to the http_request_firewall_custom phase at the account level so that it executes. You will need the ruleset ID to deploy the custom ruleset. For more information, refer to Deploy a custom ruleset.