Just got this email:
This email is to inform you of how the recently launched URL Normalization functionality impacts your zone(s) specifically. Please ensure you read and fully understand what this change means for your zone(s): example.com
As your zone(s) contain firewall rules using fields with values that would be changed with normalization applied we have not enabled URL Normalization automatically . This is to prevent any change in behavior of your existing firewall rules.
We strongly recommend enabling ‘Normalize Incoming URLs’ to strengthen your zone(s) security posture. Not doing so will leave your zone at greater risk of a successful attack. The risk of not having URL Normalization enabled is that malicious actors could craft the URL in a way that the rules aren’t accounting for (e.g. using percent-encoding).
Before enabling URL Normalization, we recommend you review the affected firewall rules on the zone(s) and take one of the following approaches:
- Edit these Firewall Rules to remove the parts which will no longer trigger once normalized, e.g. any rules that are looking for ‘//’ or ‘…/’ in URL paths.
- If you wish to retain these firewall rules looking for such patterns, perhaps because you are trying to identify visitors using non-normalized URI paths, then they should be updated to use the original, non-normalized fields.
Once the affected firewall rules have been updated URL Normalization should be enabled.
URL Normalization is a new security improvement we have rolled out to the vast majority of Cloudflare zones automatically. We have not enabled URL Normalization on your zone(s) as we detected firewall rules that could be impacted. We strongly recommend that these firewall rules are updated and URL Normalization is enabled to ensure a stronger security posture on the zone(s).
Detailed instructions on what to do prior to enabling URL Normalization can be found on the KB article.
If you have further questions, please review our documentation or create a post on Cloudflare Community.
I think I have found the rule in question (a //login.php path, however is their a way to double check I have removed all offending rules before enabling Normalization, so as not to break anything?
The KB article being linked to (which I hoped might have such info) returns a 404