Block additional request methods?

I am trying to move as much security stuff as practical from my htaccess file to CF firewall rules. The lion’s share of my htaccess is the 6G Firewall from Jeff Starr of Perishable Press. Among many other things, it blocks the following request methods: connect, debug, delete, move, put, trace, and track. Of these, only put and delete are available in the drop down choices in CF. I can type in the others in the expression editor, but they don’t save. Is there a reason the others aren’t available, and any way around it? I am on the free tier.

If you edit it manually saving actually should work. It does for me. Also, opening the rule again shows the correct method, however it is not visualised in the drop down menu, as it is not a valid option.

Whether it will actually fire in these cases is a different question and some that needs a test.

My guess why Cloudflare is not offering them is they might not proxy these requests at all.


Ah, thanks! Much appreciated.

Testing with Request Method Security Scanner
They fire! Thanks again for your help sandro.

We proxy everything! The reason we didn’t flood it was that when we analysed the data there were a ton of request methods. What we decided was to pick the most popular/most used request methods, but left free form for others to populate if they needed.

This topic was automatically closed after 30 days. New replies are no longer allowed.