Since Cloudflare began deploying the “new” firewall interface in what I think is last spring, almost a year ago, we’ve had issues with Bypass rules no longer bypassing built-in WAF rules when the WAF is enabled. For example, a particular administrative interface to our application allows our customers to edit HTML templates, and this often triggers the built-in XSS rule. For years now we’ve worked around this by adding a URI-specific bypass rule to the template editor. Well, here comes the new firewall interface, and these bypass rules no longer apply to built-in WAF rules. At least as far back as April '21 we’d again worked around this by disabling WAF and having CF support revert the firewall interface to the old working one. Well, now support will no longer do that, so our only recourse is to disable the XSS built-in rules, which is not desirable.
Curious if anyone at CF knows when this issue will be resolved as it’s coming up on a year and the prior solution has been taken away.
The rule that is typically triggered is “100167 XSS HTML Injection - Base Tag” or other similar rules. This occurs on Pro and Business plans we manage; you can use Ray ID 6c8fd10c4b3103c8 as reference if needed.
There is no consistent source IP because the customer and their staff reside at multiple locations but also use IPv6 which changes the source IP even internal to the same location every few hours due to privacy extensions. However, we have tried an IP-based bypass before and that fails for the same reason, which is that the new Cloudflare Firewall does not allow Bypass rules to actually bypass built-in rules, where the old Firewall did.
The particular Ray ID I mentioned earlier is on a site with a Bypass rule assigned for the URI in question, and that is the actual URI in the request that was blocked. So, the bypass rule continues to not work.
We would prefer to not alter the default setting for the XSS rule as that would be the same as turning it off, taking away that protection from the entire site when we only need it bypassed for one specific URI.