I’ve recently switched on the WAF for the first time and have the CF Managed Ruleset and CF Leaked Credentials Check enabled (I had to disable the OWASP Core Ruleset as it was blocking lots of normal page views but that’s for another day!).
The main problem I have is that the CF Managed Ruleset is preventing the saving of Elementor pages (the Elementor editor gets a 403 error).
Looking at the WAF logs I can see the particular ruleset blocking it, which has the description “XSS, HTML Injection - Script Tag”.
If I disable the ruleset I’m able to save Elementor pages but I don’t want to disable a rule that then leaves a security hole.
My IP address changes so bypassing based on a specific IP isn’t an option.
Does anyone have any experience of this issue and can suggest the best way to fix it?
Thanks for your time reading this.