What is the name of the domain?
dash.cloudflare.com
Cannot share domain due to security.
What is the error number?
0
What is the error message?
0
What is the issue you’re encountering?
Regex rule is not working in WAF custom rules
What steps have you taken to resolve the issue?
The WAF Custom Rule regex is not correctly matching header values, causing the rule to fail in blocking targeted requests.
We are using the regex pattern \d{9,}|e[+-]?\d+ to match unusually large numeric values in the Accept-Encoding header, aiming to block payloads such as 11111111111111111111111111111111111 or scientific notation (e.g., 1e+100) to mitigate potential integer overflow vulnerabilities.
However, all such requests are currently bypassing the rule.
I have tried different and simpler ones as well; no regex rule seems to be working. When I checked rules other than the regex ones, they work fine.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
Use this WAF rule expression:
(any(http.request.headers["accept-encoding"][*] matches r"\d{9,}|e[+-]?\d+"))
I tried sending a request using Postman (as with all the other rules) with an Accept-Encoding header carrying a payload such as 11111111111111111111111111111111111, which the rule aims to block.
I got a 200 status code.
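As an added, self-contained check (not part of the post above and not Cloudflare code), the script below runs the same regex from the post over a handful of constructed Accept-Encoding values and models the `any(... [*] matches ...)` semantics, where a header sent more than once yields an array and a single matching value is enough. It also carries the expression in the form the Cloudflare rules language expects, with a bare `r"..."` raw-string literal rather than a raw string wrapped in a second pair of quotes. Two caveats worth ruling out before debugging the pattern itself: the `matches` operator is only available on Business and Enterprise plans, and the unanchored `e[+-]?\d+` alternative also fires on any token that happens to contain an `e` followed by digits, which the last sample illustrates. The sample values and the `rule_fires`/`evaluate` helpers are assumptions made for this example.

```python
import re

# Pattern as described in the post, with [+-] so that "1e+100" is matched too.
BIG_NUMBER_RE = re.compile(r"\d{9,}|e[+-]?\d+")

# The corrected expression as a Cloudflare rules-language string: the raw-string
# literal r"..." is written on its own, not inside another pair of quotes.
CLOUDFLARE_EXPRESSION = (
    '(any(http.request.headers["accept-encoding"][*] matches r"\\d{9,}|e[+-]?\\d+"))'
)


def value_matches(value: str) -> bool:
    """True if one Accept-Encoding header value contains the targeted pattern."""
    return BIG_NUMBER_RE.search(value) is not None


def rule_fires(header_values: list[str]) -> bool:
    """Model of any(http.request.headers["accept-encoding"][*] matches ...):
    headers[*] is the list of every value sent for that header name, and the
    rule fires when at least one value matches."""
    return any(value_matches(v) for v in header_values)


# Constructed sample requests (not captured traffic): label -> header values.
SAMPLE_REQUESTS = {
    "normal browser": ["gzip, deflate, br"],
    "normal with q-values": ["gzip;q=1.0, identity;q=0.5, *;q=0"],
    "huge integer": ["11111111111111111111111111111111111"],
    "scientific notation": ["gzip, 1e+100"],
    "repeated header, bad second value": ["gzip", "deflate, 999999999"],
    "eight digits only (below threshold)": ["gzip;q=12345678"],
    # Unanchored e\d+ also hits harmless-looking tokens: tune or anchor if this matters.
    "false positive: token containing e5": ["gzip, xe5"],
}


def evaluate(requests: dict[str, list[str]]) -> dict[str, bool]:
    """Return, per labelled request, whether the modelled rule would fire."""
    return {name: rule_fires(values) for name, values in requests.items()}


if __name__ == "__main__":
    print(CLOUDFLARE_EXPRESSION)
    for name, fired in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK' if fired else 'allow'}  {name}")
```

If the regex matches locally for a payload that still returns 200 through Cloudflare, the problem is not the pattern: check the plan tier for `matches`, the rule's action and order relative to other rules, and whether the request actually reaches that rule (for example, whether a skip rule or an earlier allow matches first).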