By using these WAF expressions, you can effectively block all unnecessary and potentially malicious requests targeting your origin server, thereby enhancing its security. If you find this repository useful, I would greatly appreciate it if you could give it a star ⭐. Thank you!
Tip
- Use a dedicated script to automatically update rules for each zone.
- Do you want to report events from Cloudflare WAF to AbuseIPDB? See Cloudflare-WAF-To-AbuseIPDB.
- Join my Discord server if you need help or want to receive notifications about important updates.
![Cloudflare Web Application Firewall [WAF] Rules](/sefinek/Cloudflare-WAF-Rules/blob/main/assets/images/brave_7GZjqAdswro2.png)
| Type | Brief Description |
|---|---|
| Sensitive Files and Folders | Access to critical files and directories, such as .git, .env, and .htaccess, which often contain sensitive information requiring protection. Also prevents access to other configuration files and keys, e.g., SSH. |
| Common Attack Vectors | URLs with patterns commonly used in attacks. |
| Backup Files | Requests for backup files that may contain sensitive data. |
| Outdated Browsers | Versions of browsers, often used by bots for automated attacks (DDoS attacks from botnets, which frequently utilize outdated user agents) or unnecessary website indexing. |
| Useless Bots | Various unwanted and unnecessary web crawlers as well as known malicious bots. Blocking them can reduce server load. |
| Specific IP Addresses & ASN | Traffic from known malicious IP addresses and ASNs. The list also includes IP addresses associated with botnets. |
Important
It is also recommended to disable the Bot Fight Mode feature in the Security tab.
Although this feature helps detect and block automated bot traffic, it can inadvertently block safe, legitimate bots as well, which is not our intention.
>> View Main Expressions <<
You can use the JavaScript code from this repository to automatically update the rules throughout the day.
There's no need to add them manually, as the script takes care of everything for you (:
- Node.js LTS + npm
- PM2 (
npm i pm2 -g) - Git
- Linux (also works on Windows Server)
- Clone this repository:
git clone https://github.com/sefinek/Cloudflare-WAF-Rules.git
- Install the necessary dependencies:
cd Cloudflare-WAF-Expressions && npm install
- Copy the
.env.defaultfile and rename it to.env:cp .env.default .env
- Open the
.envfile and ensureNODE_ENVis set toproduction. Paste your Cloudflare token in place ofCF_API_TOKEN.nano .env
- Run the script 24/7 using PM2:
pm2 start && pm2 save - Configure PM2 to start on system boot:
Then, execute the generated command from the output.
pm2 startup
- Log in to your Cloudflare account.
- Select the domain where you want to add the expressions.
- Click on the
Securitytab, then chooseWAFfrom the dropdown menu. - In the
Custom rulestab, click theCreate rulebutton. - Copy the expressions from the markdown/expressions.md file.
- Click
Edit expressionand paste the copied expressions. - Click
Deployto save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file. - Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure your website functions correctly, and visit this repository periodically for the latest updates.
Cloudflare offers many settings that need to be configured manually according to your preferences. In this tutorial, we will enable only those that will safeguard your server from DDoS attacks. Keep in mind that there are many more measures available to mitigate DDoS attacks.
- Override name: DDoS L7 ruleset
- Ruleset action: Block
- Ruleset sensitivity: Default
- Rule name: Default rate limit
- Expression:
(starts_with(http.request.uri.path, "/"))- Field: URI Path
- Operator: starts with
- Value: /
- When rate exceeds…
- Requests: 200 (you should adjust this value yourself based on your website's traffic)
- Period: 10 seconds
- Then take action…
- Choose action: Block
- For duration…
- Duration: 10 seconds
- Make sure that your server's IP address has not been leaked.
- Your server should accept only requests coming from Cloudflare. Accessing your website directly, bypassing Cloudflare, should not be possible.
- Configure rate limits on your server to reduce its load during a DDoS attack.
If you have any suggestions or improvements, feel free to open a Pull request. Your contribution will be appreciated and will help keep this list up-to-date and effective in combating the latest threats. Thank you!
Copyright 2023-2025 © by Sefinek. All Rights Reserved.
