OWASP 3.x blocking perfectly normal Drupal workflows

With the upgrade to OWASP Ruleset 3.x, we’ve had administrators on a number of the Drupal sites we manage report that are no longer to upload content files (e.g. .pdf, .jpg). We’ve created “skip” rules for specific rules in the OWASP ruleset when this has occurred.

Taking a step back we’re concerned that OWASP/Cloudflare is overly concerned by a normal Drupal activities, of which Drupal has adequate security.

I’m curious to know what others who administer Drupal websites have done to “tune” Cloudflare.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.