Validation checks
Cloudflare performs a validation check for every request. The Validation component executes prior to all other WAF features like custom rules or WAF Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs.
Actions performed by the Validation component appear in Sampled logs in Security Events, associated with the Validation service and without a rule ID. Event logs downloaded from the API show source as Validation and action as drop when this behavior occurs.
The following example shows a request blocked by the Validation component due to a malformed User-Agent HTTP request header:
In the downloaded JSON file for the event, the ruleId value indicates the detected issue — in this case, it was a Shellshock attack.
{ "action": "drop", "ruleId": "sanity-shellshock", "source": "sanitycheck", "userAgent": "() { :;}; printf \\\\\"detection[%s]string\\\\\" \\\\\"TjcLLwVzBtLzvbN\\\\" //...}Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark