WAF (OWASP) blocking POST of multipart/form-data

Hi all, I’ve got a script about as simple as possible on the internet-facing side. It has a form for accepting file uploads. The uploads are sent via a form action of POST, sending content type multipart/form-data. If the files are text, it works fine. If the files are binary (mostly used for images and PDFs), they get intercepted by the Cloudflare WAF, specifically numerous OWASP rules that are part of managed rules.

I’d prefer to not turn off the firewall on this URI, or the whole site.

What I’m confused about is why an image upload would trigger rules like RCE bypass, XSS attack in HTML tag handler, six different flavors of SQL injection.

Is CF’s WAF simply incompatible with the uploading of files and I have no option but to disable every rule those trigger?


Thank you for reaching out to us. Cloudflare’s WAF uses a set of managed rules to detect and block potentially malicious traffic. These rules include checks for common web vulnerabilities like Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection. Binary file uploads might be triggering these rules due to the way the WAF inspects multipart/form-data payloads. Sometimes, the binary data might contain byte sequences that resemble attack patterns, even though they are harmless.

Have you considered adding an exception for the specific path that is being triggered by the Managed Rules?

You can check the following: Create WAF exceptions · Cloudflare Web Application Firewall (WAF) docs

Please let us know if this works.

That would not be ideal because the purpose of having the CF WAF is to protect the application. If it generates 10+ false positives for a post of binary data, and I have to turn each of those rules off, it eliminates the value of the WAF.
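
The support reply above attributes the blocks to binary bytes that happen to resemble attack patterns. The following is an added example, not part of the thread and not Cloudflare's or OWASP's rule logic: it builds a multipart/form-data body from a constructed text file and a constructed high-entropy blob, then counts per part how often four simplified stand-in signatures match. The boundary, file names, payloads and signature set are all assumptions made for illustration.

```python
import hashlib
import re

BOUNDARY = b"example-boundary-7d1f"  # constructed for this example

# Simplified stand-in signatures (assumptions; not Cloudflare or OWASP CRS rules).
SIGNATURES = {
    "shell-substitution": re.compile(rb"\$\("),
    "sql-comment-open": re.compile(rb"/\*"),
    "php-open-tag": re.compile(rb"<\?"),
    "sql-quote-terminator": re.compile(rb"';"),
}

def pseudo_binary(size):
    """Deterministic high-entropy bytes standing in for compressed image/PDF data."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

def build_multipart(parts):
    """parts: iterable of (filename, content_type, payload_bytes)."""
    body = b""
    for filename, ctype, payload in parts:
        header = (f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
                  f"Content-Type: {ctype}\r\n\r\n")
        body += b"--" + BOUNDARY + b"\r\n" + header.encode() + payload + b"\r\n"
    return body + b"--" + BOUNDARY + b"--\r\n"

def scan_parts(body):
    """Return {filename: {signature_name: hit_count}} for every part in the body."""
    results = {}
    for chunk in body.split(b"--" + BOUNDARY)[1:-1]:
        headers, _, payload = chunk.partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', headers).group(1).decode()
        payload = payload[:-2]  # drop the CRLF before the next boundary
        results[filename] = {n: len(p.findall(payload)) for n, p in SIGNATURES.items()}
    return results

if __name__ == "__main__":
    parts = [  # constructed sample uploads
        ("notes.txt", "text/plain", b"Quarterly report draft.\nRevenue rose in Q2.\n"),
        ("photo.jpg", "image/jpeg", pseudo_binary(2 * 1024 * 1024)),
    ]
    for name, hits in scan_parts(build_multipart(parts)).items():
        print(name, hits)
```

Any fixed two-byte sequence is expected about once per 64 KiB of high-entropy data, so the number of chance matches grows with upload size while the plain-text part stays clean.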