"Cloudflare Specials" WAF ruleset is blocking API tokens

I am hosting an API behind Cloudflare and have set up a system where certain clients can use optional tokens to gain enhanced access to the API.
Two of my clients have reported receiving HTTP 403 error codes and the Cloudflare WAF event log shows them as being blocked because of “Cloudflare Specials”, which reported “Anomaly:Header, Anomaly:URL - Invalid UTF-8 Encoding”.
The only headers they are using are “User-Agent”, “Accept” and “Authorization”, the URL looks completely fine and they have no other kind of rule blocking them.
My server does not receive the requests so I’m almost 100% sure Cloudflare is blocking them.
After turning off the “Cloudflare Specials” ruleset, they aren’t blocked anymore.

There are a number of rules in that ruleset. A specific rule ID should be visible in the logs. You could perhaps disable that specific rule rather than the entire ruleset.

Can you please share an example of the request, or particular header/token value? It seems like a WAF UTF-8 problem.
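Added example, not part of the original thread and not Cloudflare's rule logic: a local check that finds which part of a captured request carries bytes that are not valid UTF-8, reporting only the offset and byte so the token itself never has to be shared. The sample request, host name and token are constructed, and the assumption is that the WAF anomaly corresponds to strict UTF-8 validation of the percent-decoded URL and the raw header values.

```python
from urllib.parse import unquote_to_bytes


def invalid_utf8(data: bytes):
    """Return (offset, hex byte) of the first invalid UTF-8 sequence, or None."""
    try:
        data.decode("utf-8", errors="strict")
        return None
    except UnicodeDecodeError as exc:
        return exc.start, hex(data[exc.start])


def audit_request(raw: bytes):
    """List request parts that fail strict UTF-8 decoding.

    Assumption: approximates the WAF check locally; values are never echoed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    findings = []
    # Decode percent-escapes first: %C3%28 is plain ASCII on the wire but
    # becomes an invalid UTF-8 sequence once decoded.
    bad = invalid_utf8(unquote_to_bytes(parts[1]))
    if bad:
        findings.append(("url", *bad))
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        bad = invalid_utf8(value.strip())
        if bad:
            findings.append((name.decode("latin-1").lower(), *bad))
    return findings


# Constructed sample: valid escaped URL, one stray 0xE9 byte in the token.
SAMPLE = (
    b"GET /v1/items?q=caf%C3%A9 HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"User-Agent: client/1.0\r\n"
    b"Accept: application/json\r\n"
    b"Authorization: Bearer abc\xe9def\r\n\r\n"
)

if __name__ == "__main__":
    for part, offset, byte in audit_request(SAMPLE):
        print(f"{part}: invalid UTF-8 at value offset {offset} (byte {byte})")
```
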
