I have several OWASP core rules that generate false positive for a specific URL across several similar sites in the same zone/domain.
The CF UI only allows me to either limit the scope for the whole OWASP core ruleset (hence removing all the ruleset rules for the specific URL, which is not good, less security for it) or disable the specific rules entirely (hence losing their protection for all the zone).
I could not find a way to exclude a specific URL for a specific rule. Am I missing something?
You should create a WAF Exception, which is the way to skip a managed ruleset, such as OWASP, or a rule within it.
When incoming requests match...
URI Path equals /my-path
If you want the same path to skip the specific rule in all subdomains (including naked domain) of a zone, the above condition should suffice. Otherwise, couple it with
Hostname is in sub1.example.com sub2.example.com etc.
Then select the OWASP ruleset, then select the specific rule.