Http.request.body.mime in WAF Custom Rules does not seem to work

Based on Fields reference · Cloudflare Ruleset Engine docs - I understand that http.request.body.mime is available for all plans.

However, when attempting to create a WAF Custom Rule with http.request.body.mime eq "text/html", for example, the page loads without any challenge/block.

The same was tried when attempting to catch all MIME types by using http.request.body.mime ne ""; nothing is challenged or blocked.

I am, however, able to challenge/block when I remove that field from a rule that pairs it, with an AND operator, with a particular page.

This led me to believe that this field is not working as expected.

I see the same result regardless of plan level, and have requested escalation of this issue.

1 Like

It’s annoying that you can’t use this field in Transform Rules to get the text of it, but it seems fine to me.

It’s based off the request though, not the response.
Is your user uploading text/html?

This would only be true if the user was uploading something that it could detect. I tried with a jpeg image and image/jpeg and it was fine, as well as uploading with not equal to an empty string, both triggered a custom rule. Might still be helpful for someone from CF to explain exactly how it works (seems it’s not just off content type), and what happens if it can’t detect what is being uploaded.

Maybe more helpful to explain what exactly you’re trying to do/if you’re trying to get the response content type instead of the request?

Oh, I totally missed that it’s the request and not the response MIME type. Nevermind.

1 Like

My intention was to use this in WAF Custom Rules to challenge only text/html when accessed by a particular ASN and to give leeway to MIME types that contain image/.

Currently what I use is to match according to path contains .jp, .png, etc.

I noticed that this MIME type can be used in custom rules and thought of giving it a go, especially since I thought it could save a few bytes by collectively matching image/ as opposed to having multiple ANDs for each file type in path.

http.request.body.mime, the field you tried to use, is off the request body, aka what the user uploaded.

There is http.response.content_type.media_type off the response, but you can't use it in Custom Rules (nor any response field); it would be a bit silly to make the origin do the work just to block them, and it would require Custom Rules to run twice, etc.

Short of that, you do have http.request.uri.path.extension, which is just the raw extension (png, jpg, etc.), and you could use it with "in" like (http.host eq "google.com" and http.request.uri.path.extension in {"png" "jpg"}), but of course that's not necessarily the content type the origin will return, and it is empty for html. Could do something like: if extension not in and asn equals.
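As an added illustration of the "extension not in ... and asn equals" approach suggested above (this is not a rule from the thread or from Cloudflare's docs), here is how such a WAF Custom Rule could be written. The ASN 64496 is a placeholder from the documentation range, the ASN field name ip.geoip.asnum and the set of image extensions are assumptions, and the action is one of the standard custom-rule actions:

```text
Rule name:  Challenge non-image requests from ASN 64496 (added example; placeholder ASN)
Expression: (ip.geoip.asnum eq 64496 and not http.request.uri.path.extension in {"png" "jpg" "jpeg" "gif" "webp" "ico"})
Action:     Managed Challenge
```

Because the match is on the request path rather than on what the origin actually serves, a request with no extension at all (the typical HTML page URL) falls outside the set and is challenged, which is the intended effect here, while anything ending in one of the listed image extensions passes regardless of its real content type. Note that this does not use http.request.body.mime at all: that field describes the body the client uploaded, so it stays empty for an ordinary GET and cannot be used to distinguish HTML pages from images on the way out.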