Cloudflare Leaked Credentials Check is not working for POST Forms with username + password


I am trying to use the managed leaked credentials ruleset on our website and noticed that the POST forms with username + password condition is not working. When I clicked on the “Browse Rules” button to explore the details of the managed ruleset, I saw two conditions about POST forms:

  • Checks credentials in POST forms using “username” and “password” arguments
  • Checks credentials in POST forms using “login” and “password” arguments (URI agnostic)

I tried both cases stated above by sending POST form requests to my website's authentication endpoints. While I can see in the WAF events that the POST forms using “login” and “password” work (which we do not use on our website), the request is not getting detected by the WAF with the first condition (username and password).

Since we are handling authentication on our website, we are sending a POST request with the content type “x-www-form-urlencoded” to an endpoint “/connect/token”, as seen in the attached Postman screenshot (which matches the first rule). I believe there is something wrong with the first rule.

If this is intentional, could you please help me figure out how to work around this problem, preferably without modifying my authentication flow and endpoints?



I’ve just run into the same issue.
The username/password rule triggers if the endpoint URL contains ‘login’ but my actual endpoint URL does not.
Given that this behaviour difference is indicated in the rule descriptions, it seems intentional and not a bug, sadly for us.

This looks like a bug: if Content-Type is ‘application/x-www-form-urlencoded; charset=UTF-8’ (from jQuery I think) then the URI-agnostic login/password rule does not trigger.

Seems the Content-Type header must be exactly ‘application/x-www-form-urlencoded’ in order for the rule pattern to match.
