Disabling managed WAF rules on the free tier

I run a coding playground where the user submits bits of SQL for execution, but in certain cases Cloudflare’s managed rules end up blocking these requests even when the security level is set to “essentially off”. An example blocked request is shown below:

I’d like to know if the managed WAF rules can be disabled entirely. This is a custom application and doesn’t benefit greatly from having the WAF enabled, and I accept the risks of doing so.

Thank you.

The Security Level is just thresholds for presenting a Managed Challenge to users based on their “threat score”.

The WAF Managed Rules you’re looking at can be disabled in the dashboard - SQLi is a part of Cloudflare Specials if I recall correctly.

Not sure where I can find this option, as I only have these options under security → WAF. Do note that this is for a website on Cloudflare’s free tier.

It sounds like it might be a part of the free ruleset announced in https://blog.cloudflare.com/waf-for-everyone/

Under the Deploying & Configuring section, it talks about being able to change the actions, but from your screenshot, it’s possible that’s only doable in the API at the moment.

Your best bet is disabling Cloudflare; I don’t think the managed rules can be disabled. Your case is very particular.

The rules on the free plan are made to mitigate major threats that can have major impacts globally; switching them off would result in a security hazard in most scenarios.

Just wanted to provide a short update regarding this, for the purposes of correcting the record and for documenting this behaviour.

Unfortunately, this isn’t correct. I can submit request payloads like select substr(name, 0, 2) from employees; through a residential or VPN IP and I could never reproduce it. However, once I switched to a Tor IP, submitting the same request got me the Cloudflare block page.

This indicates the Security Level setting essentially works this way:

  1. Check the request IP’s threat score (based on whether Tor is being used; I’d also assume VPNs etc. are checked for on settings higher than “Essentially Off”)

  2. If the IP is regarded as being malicious, involve WAF and other checks that Cloudflare may have.

The Security Level functionality is explained here (also talks a bit about how they determine the threat score):

https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level
https://support.cloudflare.com/hc/en-us/articles/115002059131-Understanding-your-site-protection-options#12345682

In my experience, the Security Level has no bearing on the WAF - I can trigger it from an IP address with a threat score of 0.

I am having the same problem. But this isn’t just an annoyance; it’s a bug in the Cloudflare firewall’s Managed rules.
I say bug because my domain has .com and .xyz suffix versions which lead to the same website. The .com domain does not exhibit this problem for people connecting with Tor (or other IP address ranges which have higher threat levels). However, Cloudflare mysteriously blocks connections to the .xyz version of my domain due to “threat level” when a certain URL is requested. I am on the Free tier so I cannot turn off Managed WAF and I am stuck with this issue.

The fact that MyDomain.com does not exhibit this issue while MyDomain.xyz blocks Tor users who request certain URLs (due to CF’s managed WAF rules) tells me this is indeed a Cloudflare bug that Free users cannot circumvent. All of my other firewall rules are turned off and this issue still happens. This is a particularly major problem with my website because many of my users must use Tor to get around state censorship to reach my site. I am already seeing a noticeable drop in traffic and may have to switch to a different firewall because of this.