My proposal is to change how the WAF treats OPTIONS requests. Since they are a special type of request (the developer cannot add headers to them or modify them in any way), I think the CF WAF should use the AJAX scoring method for them instead of the normal one. OPTIONS requests are only sent by browsers before AJAX requests and should be treated that way. To summarize: right now OPTIONS requests will be challenged/blocked when meeting these sensitivity scores:
Low - 60 and higher
Medium - 40 and higher
High - 25 and higher
but should be challenged/blocked at these scores (as AJAX ones):
The point of a WAF is to block illegitimate traffic, that is, traffic that doesn't follow the rules. Wouldn't assuming that OPTIONS requests are sent appropriately (via Ajax) kind of defeat the purpose?
Yes, I made an assumption, but a strong one, and a justified one in my opinion.
The CF WAF differentiates AJAX and non-AJAX requests based only on whether the X-Requested-With header is present (I confirmed this with CF Support). So let's say I'm an attacker: at the moment I can already bypass the scoring for normal requests and get the higher scores (for AJAX requests) just by adding this header.
For normal usage, OPTIONS requests can be treated as AJAX ones by default, since we cannot add headers to them, and as I pointed out above, an attacker can use other methods to bypass the low scoring.
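The two claims in this thread (a preflight OPTIONS request never carries the page's custom headers, and a header-only AJAX check is trivially forged) can be checked with a small model of the browser's CORS preflight step next to the classification rule the posts describe. The following is an added example, not code from the thread or from Cloudflare; the function names, the simplified preflight builder, and the `classifyCurrent`/`classifyProposed` rules are this example's own assumptions. The only numbers it uses are the normal-profile thresholds quoted in the first post; the AJAX-profile thresholds are not on the page, so they are not modelled.

```javascript
// Added example (not from the thread): simplified CORS preflight construction
// plus the X-Requested-With based AJAX classification the posts describe.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Header names the Fetch spec safelists; Content-Type is only safelisted
// for a few form/text values, anything else (e.g. application/json) triggers a preflight.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

function isSafelisted(name, value) {
  if (!SAFELISTED_HEADERS.has(name)) return false;
  if (name !== "content-type") return true;
  return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// Build the OPTIONS request a browser sends before a cross-origin fetch, or
// null when the request is "simple" and needs no preflight. Note what the
// preflight does NOT contain: the script's custom headers appear only as names
// in Access-Control-Request-Headers, never as headers of the OPTIONS request
// itself. Page code has no way to change that.
function buildPreflight(origin, method, rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const m = method.toUpperCase();
  const requested = Object.entries(headers)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name)
    .sort();
  if (SIMPLE_METHODS.has(m) && requested.length === 0) return null;
  const preflight = {
    method: "OPTIONS",
    headers: { origin, "access-control-request-method": m },
  };
  if (requested.length) preflight.headers["access-control-request-headers"] = requested.join(",");
  return preflight;
}

// Classification as the thread describes it: AJAX profile iff X-Requested-With is present.
function classifyCurrent(req) {
  return "x-requested-with" in normalizeHeaders(req.headers) ? "ajax" : "normal";
}

// The proposal: every OPTIONS request is scored with the AJAX profile.
function classifyProposed(req) {
  if (req.method.toUpperCase() === "OPTIONS") return "ajax";
  return classifyCurrent(req);
}

// Normal-profile thresholds quoted in the first post ("X and higher" is challenged/blocked).
const NORMAL_THRESHOLDS = { low: 60, medium: 40, high: 25 };

function normalProfileActs(sensitivity, score) {
  return score >= NORMAL_THRESHOLDS[sensitivity];
}

// Walk-through with a constructed request: a JSON POST that sets X-Requested-With.
const preflight = buildPreflight("https://app.example", "POST", {
  "Content-Type": "application/json",
  "X-Requested-With": "XMLHttpRequest",
});
console.log(JSON.stringify(preflight));
console.log("preflight scored as:", classifyCurrent(preflight), "/ proposed:", classifyProposed(preflight));
// A forged request with no browser involved gets the AJAX profile today.
console.log("forged GET:", classifyCurrent({ method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } }));
```

Running it shows the preflight for the AJAX call carries `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers: content-type,x-requested-with`, but not `X-Requested-With` itself, so today's rule scores it as a normal request, while any client that simply adds the header is scored as AJAX.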