Any update to the "new" firewall not letting bypass rules actually bypass built-in WAF rules?

Since Cloudflare began deploying the “new” firewall interface in what I think was last spring, almost a year ago, we’ve had issues with Bypass rules no longer bypassing built-in WAF rules when the WAF is enabled. For example, a particular administrative interface to our application allows our customers to edit HTML templates, and this often triggers the built-in XSS rule. For years now we’ve worked around this by adding a URI-specific bypass rule for the template editor. Well, here comes the new firewall interface, and these bypass rules no longer apply to built-in WAF rules. At least as far back as April '21 we’d again worked around this by disabling the WAF and having CF support revert the firewall interface to the old working one. Well, now support will no longer do that, so our only recourse is to disable the built-in XSS rules, which is not desirable.

Curious if anyone at CF knows when this issue will be resolved as it’s coming up on a year and the prior solution has been taken away.

I am sorry to hear this.

I might not be so familiar with it, but may I ask and suggest the following:

How about adding the IP address with the action “allow” to IP Access Rules?

Was it WAF that triggered, or rather Bot Fight Mode?

Are you using Free or a Paid Cloudflare plan?

Have you used Cloudflare Page Rules to disable the WAF for particular/specific URLs?

If you have a Paid plan and can use Managed WAF, you can look up that specific rule and change its default action. Have you tried that already?

May I ask which WAF rule was triggered, if so?

Have you got the ticket number?

The rule that is typically triggered is “100167 XSS HTML Injection - Base Tag” or other similar rules. This occurs on Pro and Business plans we manage; you can use Ray ID 6c8fd10c4b3103c8 as reference if needed.

There is no consistent source IP because the customer and their staff reside at multiple locations but also use IPv6 which changes the source IP even internal to the same location every few hours due to privacy extensions. However, we have tried an IP-based bypass before and that fails for the same reason, which is that the new Cloudflare Firewall does not allow Bypass rules to actually bypass built-in rules, where the old Firewall did.

The particular Ray ID I mentioned earlier is on a site with a Bypass rule assigned for the URI in question, and that is the actual URI in the request that was blocked. So, the bypass rule continues to not work.

We would prefer to not alter the default setting for the XSS rule as that would be the same as turning it off, taking away that protection from the entire site when we only need it bypassed for one specific URI.
