What is the name of the domain?
What is the error number?
400
What is the issue you’re encountering?
400 Bad Request (edge response from Cloudflare, no Firewall Events logged)
What steps have you taken to resolve the issue?
Since 30 May 2025 every request that contains the literal characters < or > in the query string is failing with a 400 at Cloudflare’s edge.
Example of the flagged pattern:
https://example.com/events.php?param=Downloader Started<*>
The same request worked for years and still works the moment the record is set to DNS-only (Cloudflare bypassed).
Turning off all managed WAF rules, custom Firewall rules, Bot Fight Mode, Browser Integrity Check, etc., does not help.
No entry shows up in Security › Events, which suggests the request never reaches the Rules engine.
I suspect this is linked to an edge-parser hardening change that rolled out around 27-29 May 2025, but I can’t find public documentation that confirms it or tells me how to exempt a single hostname.
What are the steps to reproduce the issue?
- Purged cache, disabled caching, set Security Level: Essentially Off.
- Disabled/removed all Firewall, Rate-Limiting, and WAF rules.
- Created a Transform Rule to rewrite the query string (rule never fires).
- Toggled the DNS record to DNS-only → origin responds 200 OK (proves origin is fine).
- Tested percent-encoding the characters (%3C %3E %2A) → request succeeds, but shipping a client patch will take time.
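
The percent-encoding workaround from the last step, as an added example that is not part of the original post: it lists the raw query characters RFC 3986 does not permit and re-encodes the query without double-encoding existing `%XX` escapes. The function names are hypothetical, and `*` is escaped only because the post's test encoded it as `%2A`; the sample URL is the one from the post.

```python
import re
import string
from urllib.parse import quote, urlsplit, urlunsplit

# RFC 3986: query = *( pchar / "/" / "?" ), so besides unreserved characters
# only these may appear raw. "<", ">" and space are not among them.
RFC3986_QUERY_SAFE = "!$&'()*+,;=:@/?"
UNRESERVED = string.ascii_letters + string.digits + "-._~"
_PCT = re.compile(r"(%[0-9A-Fa-f]{2})")  # an already-valid escape


def illegal_query_chars(url):
    """Return the raw characters in the query that RFC 3986 does not allow."""
    query = _PCT.sub("", urlsplit(url).query)
    allowed = set(UNRESERVED + RFC3986_QUERY_SAFE)
    return sorted({c for c in query if c not in allowed})


def encode_query(url, also_encode="*"):
    """Percent-encode the query, leaving existing %XX escapes untouched.

    also_encode lists legal characters to escape anyway; the default "*"
    mirrors the %2A used in the post (an assumption about what to match).
    """
    parts = urlsplit(url)
    safe = "".join(c for c in RFC3986_QUERY_SAFE if c not in also_encode)
    # Splitting on valid escapes keeps them intact; a stray "%" lands in a
    # non-matching piece and is encoded as %25.
    pieces = _PCT.split(parts.query)
    encoded = "".join(
        p if _PCT.fullmatch(p) else quote(p, safe=safe) for p in pieces
    )
    return urlunsplit(parts._replace(query=encoded))


if __name__ == "__main__":
    sample = "https://example.com/events.php?param=Downloader Started<*>"
    print(illegal_query_chars(sample))
    print(encode_query(sample))
```

Because valid escapes are passed through, the function is idempotent and can be applied in a client or proxy layer that may see already-encoded URLs.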