Create WAF rule to block abc.php

we have WAF rules blocking external requests to
The rules are extremely easy to bypass.

if we just add “/” behind you are able to hit the abc.php

To make is blocked by anyhow, I have craeted cloudflare_firewall_rule in tf.

resource "cloudflare_firewall_rule" "Block-xyz-com-abc-php" {
  action      = "block"
  description = "Block-xmlrpc"
  filter_id   =
  paused      = false
  zone_id     =

resource "cloudflare_filter" "https-xyz-com-abc-php" {
  expression = "(http.request.uri.path contains \"*/abc.php*\")"
  paused     = false
  zone_id    =

but still i can access it by add “/” as


You may wanna try this instead:

(http.request.uri.path contains "/abc.php")