You could go with / for path, however that’s not the ideal solution and cannot be accomplished, since it’ll match every request.
You’d have to upgrade to at least Pro plan to have such fields available to you, and even better WAF with Managed Rules and better performance overall.
If I may add here as a really good reference with updated info for further cases in terms of security and protection with Cloudflare from my colleague:
We can lock down our web host and allow only the Cloudflare to connect and similar techniques:
Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:
Last but not the least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection: