Our WP-based website gets a 403 in the backend (in particular when doing a POST on /wp-json/wp/v2/media?_locale=user) despite the path having been deliberately excluded from WAF and security in the page rules and even when the global WAF rules are disabled:
As you can see, the rule seems to not exist in both the Cloudflare Managed Ruleset and the OWASP Core Ruleset, and therefore it seems that this specific rule is not captured by any of the page rules / CF settings.
The only way to bypass this rule is to disable WAF entirely through IP exceptions (it seems that page rules exceptions don’t work either), and it really seems that somehow there are some dangling rules that have not been allocated in any accessible category.
It looks like an internal CF issue. Can this be checked?
Even if I add a specific exception for that specific rule matching that specific endpoint, it doesn’t work. It gets triggered (and yes, I’ve also swapped the order of execution between the skipped - executed ones).
Inbound Anomaly Score itself isn’t a rule, other than that it takes the rules which were triggered in the OWASP ruleset and assigns it a score. Based on your WAF settings, if the request is anomalous ‘enough’, the request is denied. The OWASP score in your screenshot was 65. The JSON details will highlight which rules were triggered.
Without knowing what you’re creating an exception for vs. what is being triggered… I can only suggest you’ve used the wrong criteria.
Click the export event json in your first screenshot in this thread and review which rules are actually being triggered.