I run a coding playground where the user submits bits of SQL for execution, but in certain cases Cloudflare’s managed rules end up blocking these requests even when the security level is set to “essentially off”. An example blocked request is shown below:
I’d like to know if the managed WAF rules can be disabled entirely. This is a custom application and doesn’t benefit greatly from having the WAF enabled, and I accept the risks of doing so.
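Whether or not the managed rules can be switched off, a playground that executes user-supplied SQL has to enforce its own limits in the application; a WAF signature is not a sandbox. The following is an added example, not code from the thread, showing the controls a playground can apply around a single user statement: a read-only SQLite connection, an authorizer that permits only SELECT, column reads and built-in functions, a step budget that aborts runaway queries, and a row cap. The schema, the employees data and the helper names are constructed for this example; the query from the thread is used as the input.

```python
import sqlite3
import tempfile
import os

# Constructed sample schema and data (not from the thread).
SAMPLE_SCHEMA = [
    "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)",
    "INSERT INTO employees (name) VALUES ('alice'), ('bob'), ('carol')",
]

MAX_ROWS = 100          # rows returned to the user per statement
MAX_TICKS = 2000        # progress-handler ticks before a query is aborted
TICK_EVERY = 1000       # SQLite VM instructions between progress-handler calls

# Only reading is allowed: SELECT statements, column reads and built-in functions.
# Everything else (INSERT/UPDATE/DELETE, DDL, PRAGMA, ATTACH, ...) is denied at
# prepare time, before the statement runs.
_ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _authorizer(action, arg1, arg2, db_name, trigger):
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def build_sample_db() -> str:
    """Create the constructed sample database on disk and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "playground.db")
    conn = sqlite3.connect(path)
    for stmt in SAMPLE_SCHEMA:
        conn.execute(stmt)
    conn.commit()
    conn.close()
    return path


def run_user_sql(db_path: str, sql: str):
    """Run one user-submitted statement under the playground's limits.

    Returns ("ok", {"rows": [...], "truncated": bool}) or ("error", message).
    """
    # mode=ro opens the file read-only at the SQLite level; the authorizer is a
    # second, independent layer so a write attempt is refused before execution.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    ticks = 0

    def _budget():
        # Called every TICK_EVERY VM instructions; a non-zero return aborts
        # the running statement with an OperationalError ("interrupted").
        nonlocal ticks
        ticks += 1
        return 1 if ticks > MAX_TICKS else 0

    try:
        conn.set_authorizer(_authorizer)
        conn.set_progress_handler(_budget, TICK_EVERY)
        # execute() accepts a single statement only, so stacked statements
        # such as "select 1; drop table employees" are rejected outright.
        cur = conn.execute(sql)
        rows = cur.fetchmany(MAX_ROWS + 1)
        return "ok", {"rows": rows[:MAX_ROWS], "truncated": len(rows) > MAX_ROWS}
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    db = build_sample_db()
    # The query from the thread, run under the limits above.
    print(run_user_sql(db, "select substr(name, 0, 2) from employees;"))
    # A write is refused by the authorizer.
    print(run_user_sql(db, "DELETE FROM employees"))
    # An unbounded recursive query is cut off by the step budget.
    print(run_user_sql(db, "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM c) "
                           "SELECT count(*) FROM c"))
```

The authorizer runs when the statement is prepared, so a denied write never reaches the read-only check; the progress handler is what bounds CPU time, since a read-only SELECT can still be made to run indefinitely. A real deployment would additionally run this in a separate process with memory and wall-clock limits, but those controls sit in the application, not in an edge rule set.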
The Security Level is just thresholds for presenting a Managed Challenge to users based on their “threat score”.
The WAF Managed Rules you’re looking at can be disabled in the dashboard - SQLi is a part of Cloudflare Specials if I recall correctly.
Not sure where I can find this option, as I only have these options under security → WAF. Do note that this is for a website on Cloudflare’s free tier.
It sounds like it might be a part of the free ruleset announced in https://blog.cloudflare.com/waf-for-everyone/
Under the Deploying & Configuring section, it talks about being able to change the actions, but from your screenshot it’s possible that’s only doable in the API at the moment.
Your best bet is disabling Cloudflare; I don’t think the managed rules can be disabled. Your case is very particular.
The rules on the free plan are made to mitigate major threats that can have major impacts globally; switching them off would result in a security hazard in most scenarios.
Just wanted to provide a short update regarding this, for the purposes of correcting the record and for documenting this behaviour.
Unfortunately, this isn’t correct. I can submit request payloads like
select substr(name, 0, 2) from employees; through a residential or VPN IP and I could never reproduce it. However, once I switched to a Tor IP, submitting the same request got me the Cloudflare block page.
This indicates the Security Level setting essentially works this way:
Check the request IP’s threat score (based on whether Tor is being used; I’d also assume VPNs etc. are checked for on settings higher than “Essentially Off”)
If the IP is regarded as being malicious, involve WAF and other checks that Cloudflare may have.
The Security Level functionality is explained here (also talks a bit about how they determine the threat score):
In my experience, the Security Level has no bearing on the WAF - I can trigger it from an IP address with a threat score of