URI paths containing the question-mark and ampersand characters

I would like to block URI paths that include the following sorts of strings (i.e., everything after /foo/bar that might include characters such as ? and &):


Any insight would be greatly appreciated. Thank you.

A firewall rule with

(http.request.uri.query ne "")

should presumably do the trick.

Thanks. Would you be so kind as to explain to me what the "" indicate? And why are we not using any of the words that appear in the string above?

,gnagfloW raeD

The “” means that if the query string (the part that starts with ?) isn’t empty, then Block the request.

1 Like

You could also use a page rule to not totally block these requests, but rather forward them to the correct URL.

Rule:        *yourname.xyz/*?*
Setting:     Forward URL (301 or 302)
Destination: https://$1yourname.xyz/$2

This redirects all your proxied traffic to an URL without the query string since these always contain the question mark symbol.

For example, yourname.xyz/abcdef?page=3 would be redirected to yourname.xyz/abcdef.

1 Like

Thank you! I need to give this a little more thought. Appreciate your reply.

For that, I’d recommend doing that on the server-side. You can’t make exceptions for page rules, as far as I know.

Thanks… I edited that post because I realized that it is indeed a server side issue.

1 Like

Yes, this seems to be what I need. Does this also address the ampersand issue? Thank you.

EDIT: Sorry, I am new to this. I guess the ampersand is encompassed in the overall redirect. :slight_smile:

Basically, the “?foo=bar&foo2=bar” thing is called a query string. The question mark symbol marks the beginning of the query string and the ampersand marks the beginning of a new parameter.

So in the case of the example “?foo=123&bar=456”, “foo” would contain “123” and “bar” would contain “456”.

I’d probably make some kind of whitelist allowing the use of the “text” parameter and blocking everything else.

FYI: My page rule example includes redirecting the ampersand, as it’s part of the search string containing the question mark symbol, but exceptions are not supported.

Thanks, very kind of you to walk me through this. I’m sure I’ll be back. Regards.

It essentially blocks all requests which have a non-empty query string.

https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/ has all on that

1 Like

Thanks so much for your help.

This topic was automatically closed after 31 days. New replies are no longer allowed.