I’m using a development website where I want all security and firewall turned off.
I’ve applied the following rules:
Page rule: https://dev.mydomain.com/* Disabled Security, Web Application Firewall OFF, Cache-level Bypass
Configuration rule: if hostname contains dev.mydomain.com Security Level: Essentially Off.
But I’m still blocked for example when I try to upload a file:
Adobe ColdFusion - Dangerous File Upload - CVE:CVE-2019-7816
Why is that? How can I make it so that WAF is completely turned off for the dev site? It’s password protected anyway.
Weird that the page rule wouldn’t do it, but you can add an exception in the WAF itself as well.
In the Cloudflare dashboard, inside of your website/zone, navigate to Security → WAF → Managed Rules (magic link: https://dash.cloudflare.com/?to=/:account/:zone/security/waf/managed-rules)
Then click “Add Exception”
Once you create it, make sure to drag it above the other rulesets.
You can also just bypass that single Rule: