WAF - OWASP total score and Ajax requests


I’m having an issue with the OWASP firewall rules. I set Sensitivity to High and some of the requests are challenged because the total score was exceeded.

For normal requests (entering the site directly from the browser, I guess) the Sensitivity level scores are stricter (a lower score triggers the action) than for Ajax requests. This is based on the CF docs; you can see it here: https://support.cloudflare.com/hc/en-us/articles/200172016 (search for “The sensitivity score required to trigger the WAF for a specific Sensitivity is as follows”).

I have an example request blocked with score 28, which should trigger the OWASP WAF rule for normal requests but not for Ajax ones:

Just to clarify the situation: the request is sent to our JSON-based REST API on a different subdomain than the website which uses this API: website - www.example.com, API - backend.example.com.

How does Cloudflare differentiate Ajax from non-Ajax requests, and what is the possible reason it doesn’t recognize ours as Ajax ones?

Just received a response to a ticket on the same matter:

“If the header ‘x-requested-with: xmlhttprequest’ is found, AJAX logic will kick in.”

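As an added example (not code from the thread or from Cloudflare): the header test as the ticket reply states it, a check for the CORS preflight that a custom header on a request from www.example.com to backend.example.com triggers, and the preflight response the API side needs to return. The safelisted header set is the one from the Fetch standard; the origin allow-list and the POST body are assumptions for the example.

```javascript
// Added example (not from the thread): Cloudflare's stated Ajax test, plus what a
// cross-subdomain fetch() needs so the header is actually sent and accepted.
const AJAX_HEADER = 'x-requested-with';
const AJAX_VALUE = 'xmlhttprequest';
// Ajax iff the header carries this value; names and values compared case-insensitively.
function isAjaxRequest(headers) {
  return Object.entries(headers).some(([n, v]) =>
    n.toLowerCase() === AJAX_HEADER && String(v).trim().toLowerCase() === AJAX_VALUE);
}

// Header names/values the CORS spec lets a browser send without a preflight OPTIONS.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
// Anything else (X-Requested-With, or a JSON Content-Type) forces a preflight;
// if the API does not allow the header, the browser never sends the real request.
function needsPreflight(headers) {
  return Object.entries(headers).some(([n, v]) => {
    const name = n.toLowerCase();
    if (name === 'content-type') {
      return !SAFE_CONTENT_TYPES.some((t) => String(v).toLowerCase().startsWith(t));
    }
    return !SAFELISTED.has(name);
  });
}

// Client side: www.example.com calling backend.example.com. fetch() never adds
// X-Requested-With on its own (jQuery adds it only for same-origin calls).
function apiRequestInit(body) {
  return {
    method: 'POST',
    mode: 'cors',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
    body: JSON.stringify(body),
  };
}

// API side: preflight response that allow-lists the site origin (assumed value;
// never reflect arbitrary origins) and names X-Requested-With explicitly.
const ALLOWED_ORIGINS = new Set(['https://www.example.com']);
function corsPreflightResponseHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null; // browser blocks the call
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}
```

If the preflight response omits X-Requested-With from Access-Control-Allow-Headers, the browser rejects the request before it reaches the WAF at all, which looks the same from the site's side as the header never being sent.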
