Getting Blocked with false positive XSS / script code injection error

I have setup Zero Trust Access to /admin on my website. I tested this and I get the CF Access page and am able to log-in to access the /admin interface of my website CMS.

However, when adding content to my site that has code in it, CF sees this as a false positive of XSS Code injection and presents a Site Blocked error page with a Ray ID.

When I look into Security → Events and filter by the Ray ID, I see my attempt to save content as a XSS Code injection false positive.

I then created a WAF → Managed Rules → Exception
I tried a URI exception for /admin
I tried a URI Path exception for /admin

None of it seems to work and I still am prompted with a “Sorry, you have been blocked” error.

What’s odd is that this has not happened ever, and I have been using this website this same way for some time now. Given I have not updated this particular page in a little while, but the last time I did, there was no issue.

I think I just need some help connecting the dots between Zero Trust, WAF Exceptions.


  • IP Allow Listing is out of the question as there are multiple authors on the site who need similar access, and all of us are on rotating IP addresses (thanks to our ISPs)

Thanks in advance for any advice you can provide!

Answering my own question:

I was able to bypass this by changing the URI matching operator to “contains” — that way any URL that had “/admin” in it would match and bypass CF managed filters.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.