With the upgrade to OWASP Ruleset 3.x, we’ve had administrators on a number of the Drupal sites we manage report that are no longer to upload content files (e.g. .pdf, .jpg). We’ve created “skip” rules for specific rules in the OWASP ruleset when this has occurred.
Taking a step back we’re concerned that OWASP/Cloudflare is overly concerned by a normal Drupal activities, of which Drupal has adequate security.
I’m curious to know what others who administer Drupal websites have done to “tune” Cloudflare.