Block HEAD requests

My service provider is claiming that my website is under a DDoS attack and that I need to block HEAD requests as that is what is being sent (millions of requests per hour). I have Cloudflare set up, but how do I configure things to block that? Ideally I would just set up limits vs. blocking all HEAD requests.

You cannot set limits, but you can use a WAF rule to challenge HEAD requests.

Go here to create a rule
https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules/


Thanks for your reply! What type of challenge is the most appropriate for this - one that still enables normal functionality but would stop DDoS attacks with HEAD requests?

I’d start with managed challenge to see if that reduces the traffic to a level acceptable to your service provider. Are the requests hitting the service provider going through Cloudflare or are they bypassing it and going directly to the origin? If bypassing, your hosting provider can help you set up your server to only accept traffic from Cloudflare IPs.

Thanks - things are going through Cloudflare, but I just can’t get the WAF to block things. Currently it is showing as 175 requests for HEAD that were triggered in the WAF over the past 24 hours which is normal, yet I’m getting 40,000 requests per minute. Also tried blocking unknown agents (see my other post), but that has 0 hits.
