Firewall rule not working for HTTP PURGE Requests

We see a huge number of HTTP PURGE requests (around 1 million in the last 24 hours) in the Analytics dashboard. All these requests result in 301. We created a firewall rule to block these requests, but unfortunately they are not blocked by the firewall rule. All these requests are listed with cache status “none” in the cache performance dashboard. Any suggestion would be appreciated.

Note: we have a Cloudflare Pro account. We submitted a ticket, but it has been open for the last 3 days with no response from the Cloudflare support team.


Can you share the firewall rule? (Copy and paste from the Expression Editor).

Hi Michael,
Here’s the expression,

(http.request.method eq "PURGE")

Also, refer to the screenshot showing these requests in the analytics dashboard.


And you are saying requests still reach your server even though you have that rule, right?

I just tried such a setup and the request got properly blocked.

  1. Are you sure the rule is in the proper order in your rule list? If any rule fires earlier, this will skip the rule altogether. Maybe post a screenshot of your rule list.
  2. Are you sure they are not connecting directly to your server? In that case the rule will obviously never fire.
  3. Are you sure the rule is active?

In general though, what’s the hostname in question?

Hey Sandro,

No, the requests don’t reach the origin server. I mentioned above that the cache status for these requests is “none”, which means that the response for these requests is generated from Cloudflare.

I suspect that these requests are internal to CF and generated by APO. The firewall rule works if I explicitly trigger a PURGE request, but it doesn’t work for these internal requests. If these requests are internal to CF then they shouldn’t show up in the analytics and caching dashboards. So I am not 100% sure what’s going on.

