Cloudflare Firewall blocks admins adding legitimate JavaScript on pages

What is the name of the domain?

example.com

What is the error number?

xxx

What is the error message?

xxx

What is the issue you’re encountering

How to allowlist admins but not by using their IP addresses, because they are dynamic?

What steps have you taken to resolve the issue?

Our admins edit pages that sometimes contain JavaScript. The JS is legitimate. Cloudflare’s Web Application Firewall (WAF) thinks that is an XSS attempt and blocks the admin. How do we allowlist admins so that they can edit pages with scripts?

  • We tried allowlisting by IP address but several of our admins are assigned IP addresses dynamically, so we end up changing the allowlist almost daily.

  • We tried adding a custom variable to the User Agent on admins’ browsers and having Cloudflare allowlist any request with that custom variable. But only Chrome has an extension to modify your user agent, and every time there is an update to Chrome the user agent changes,

If you can’t allowlist the path due to dynamic IPs, you can explore using Cloudflare Access and a WAF custom rule with a skip action. This way, you can still protect the specific path while allowing certain requests to bypass the security rules.

or using the WAF rule to check mTLS.
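
The mTLS variant suggested above could look like the following custom rule, written as a Rulesets API rule object. This is an added example, not part of the original reply. It assumes the admin editor lives under a hypothetical `/admin/` path prefix on example.com and that mTLS with client certificates is already enabled for that hostname.

```json
{
  "description": "Constructed example: skip managed WAF rules for admin edits made with a verified client certificate",
  "expression": "(http.host eq \"example.com\" and starts_with(http.request.uri.path, \"/admin/\") and cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked)",
  "action": "skip",
  "action_parameters": {
    "phases": ["http_request_firewall_managed"]
  },
  "logging": {
    "enabled": true
  }
}
```

Scoping the skip to the admin path keeps the managed rules active for the rest of the site, and leaving logging enabled keeps the skipped requests visible in the security events.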
