WAF Rule based on response code

We have so many requests on our server for non-existing resources,
and Cloudflare doesn't block them.
We tried to define a WAF rule like:
http.response.code == 404
but we cannot; Cloudflare does not allow such a rule…

It is very easy to handle this on our firewall if we do not use Cloudflare,
so it is crazy that Cloudflare does not have a simple tool like this…

If you have any solution, then please help us.
But do not tell me that we must pay more to Cloudflare (our plan is Pro),
because this is a very simple WAF rule!!!


Your origin server firewall can tell whether or not a resource is present. The Cloudflare edge cannot, not until the request returns from the origin, at which point it makes little sense to block.

You can craft a rule in WAF to challenge any request that is not a real frontend path in your installation.

not cf.client.bot and
not http.request.uri.path in {"/path-1" "/path-2" "/path-3" etc.}
then Managed Challenge

Since a WAF Custom Rule is limited to 4kb, such a rule won't be able to include all your legit paths unless your website contains a very limited number of them. However, if you are under attack, you should adopt a "house under fire" mindset and perhaps try it, by adding to the rule the most visited paths, and accepting that legit visitors will be challenged for not-so-frequently requested paths.

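The allow-list approach from the answer above can be automated: rank paths by how often the origin served them and add the most visited ones until the expression reaches the size limit. The following is an added example, not code from the thread or from Cloudflare; the hit counts are constructed, the 4kb limit is taken as 4096 bytes, and the selection logic (greedy by hit count, skipping paths that no longer fit) is an assumption about how to apply the "house under fire" advice.

```python
"""Build a Cloudflare WAF custom-rule expression that allow-lists the
most visited paths and challenges everything else, staying under the
expression size limit. Added example; not Cloudflare's own tooling."""

# Assumption: the thread's "4kb" limit is treated as 4096 bytes.
MAX_EXPRESSION_BYTES = 4096

# Constructed sample: path -> hits seen in the origin access log.
SAMPLE_HITS = {
    "/": 12000,
    "/about": 3100,
    "/contact": 2800,
    "/blog": 1900,
    "/blog/post-1": 700,
    "/pricing": 650,
    "/legal/privacy": 40,
}


def quote_path(path: str) -> str:
    """Double-quoted string literal for the expression language; escape
    backslashes and quotes so a path can't break out of the literal."""
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_expression(paths: list[str]) -> str:
    """Same shape as the rule in the answer: skip verified bots, then
    challenge any path that is not in the allow-list set."""
    body = " ".join(quote_path(p) for p in paths)
    return "not cf.client.bot and\nnot http.request.uri.path in {" + body + "}"


def select_paths(hits: dict[str, int], budget: int = MAX_EXPRESSION_BYTES) -> list[str]:
    """Greedily add paths in descending hit order while the full expression
    stays within the byte budget. A path that does not fit is skipped, since a
    shorter, less-visited path later in the ranking may still fit."""
    chosen: list[str] = []
    for path, _ in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        candidate = chosen + [path]
        if len(build_expression(candidate).encode("utf-8")) > budget:
            continue
        chosen = candidate
    return chosen


def rule_matches(path: str, is_verified_bot: bool, allowed: list[str]) -> bool:
    """Local evaluation of the rule: True means the request would be sent to
    Managed Challenge, False means it passes through untouched."""
    return (not is_verified_bot) and (path not in allowed)


if __name__ == "__main__":
    allowed = select_paths(SAMPLE_HITS)
    print(build_expression(allowed))
    print(len(build_expression(allowed).encode("utf-8")), "bytes")
```

Paths are compared as exact strings, exactly as `http.request.uri.path in {...}` does, so trailing-slash variants and case differences count as separate paths and must be listed if you want them allowed. The size check is done on the whole expression, not just the set, because the operators and field names count against the same limit.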

I am totally with you. I filed a feature request for it; please vote for it there.


Thanks for the response.
I see, and our plan is Business,
but I cannot find sample syntax for http.response.code in the docs,
and when I use, for example, http.response.code == 404 in the rule syntax, then Cloudflare returns ERROR…

So, can you share sample syntax for detecting http response code?

As has already been explained, if your origin has already responded with a 404, then it’s already given an error to the client, there’s no need for Cloudflare to report a different error.

If you want to reduce all this URL-scanning cruft, we deal with it by…

  • Challenging ASNs at the WAF that make lots of these requests (found either by looking at the Cloudflare logs or at our origin logs), such as OVH, Digital Ocean and all the usual suspects.
  • Having our origin keep a small database of 403/404s, and if there are too many in a short time, or one match to 'wp-' or other typical strings, the origin automatically adds the IP address to a list using the Cloudflare API, and we use that list as a challenge list at the WAF.
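The origin-side part of the second bullet, as an added example that is not code from the thread or from Cloudflare: parse origin access-log lines, keep a sliding window of 403/404 responses per client IP, flag an IP either when the window fills up or when a single request hits a typical scanner string such as 'wp-', and build the request that would append the flagged IPs to a Cloudflare IP List. The log lines are constructed; the window size, threshold and marker strings are assumptions to tune for your site; and the Lists API endpoint shape (POST to `/accounts/{account_id}/rules/lists/{list_id}/items` with a JSON array of `{"ip": ..., "comment": ...}` items) is stated from memory of the Cloudflare API, so the request is built but not sent and should be checked against the current API docs before use.

```python
"""Flag scanning IPs from origin logs and prepare a Cloudflare IP List
update for use with a WAF challenge rule. Added example, not the thread
author's actual implementation; sample log lines are constructed."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed tuning values: how many 403/404s within how many seconds, and
# which path fragments count as an immediate scanner signature.
WINDOW_SECONDS = 60
MAX_ERRORS_IN_WINDOW = 5
SCANNER_MARKERS = ("wp-", "xmlrpc.php", ".env", "phpmyadmin")

# Combined-log-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: one WordPress probe, one burst of misses from a
# single IP, and a legit visitor with two unrelated 404s an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2024:13:55:40 +0000] "GET /about HTTP/1.1" 200 5123
192.0.2.9 - - [10/Oct/2024:13:56:01 +0000] "GET /a1 HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2024:13:56:02 +0000] "GET /a2 HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2024:13:56:03 +0000] "GET /a3 HTTP/1.1" 403 162
192.0.2.9 - - [10/Oct/2024:13:56:04 +0000] "GET /a4 HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2024:13:56:05 +0000] "GET /a5 HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2024:13:57:00 +0000] "GET /old-page HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2024:14:30:00 +0000] "GET /other HTTP/1.1" 404 162
"""


def parse_line(line: str):
    """Return (ip, epoch_seconds, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"], int(m["status"])


def find_scanners(lines, window=WINDOW_SECONDS, threshold=MAX_ERRORS_IN_WINDOW):
    """Map flagged IP -> reason. Lines are assumed to be in time order, as an
    access log is, so the per-IP deque is a sliding window of recent errors."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status not in (403, 404) or ip in flagged:
            continue
        lowered = path.lower()
        marker = next((s for s in SCANNER_MARKERS if s in lowered), None)
        if marker:  # one hit on a scanner string is enough
            flagged[ip] = f"probe for {marker}: {path}"
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop errors older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = f"{len(q)} x 403/404 within {int(window)}s"
    return flagged


def build_list_update(account_id: str, list_id: str, flagged: dict[str, str]) -> dict:
    """Describe the Lists API call that appends the flagged IPs. Assumed
    endpoint shape; returned rather than sent so this runs offline."""
    items = [{"ip": ip, "comment": reason} for ip, reason in sorted(flagged.items())]
    return {
        "method": "POST",
        "url": f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
               f"/rules/lists/{list_id}/items",
        "body": json.dumps(items),
    }


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG.splitlines())
    for ip, why in hits.items():
        print(ip, "->", why)
    print(build_list_update("<account_id>", "<list_id>", hits)["body"])
```

With the list populated, the WAF side is a single custom rule with the expression `ip.src in $scanner_ips` (using whatever name you gave the list) and the Managed Challenge action; the origin never has to decide who gets challenged in real time, it only feeds the list. Note that a 403/404 burst from a shared NAT or a corporate proxy will look the same as a scanner, which is why the answer uses a challenge rather than a block.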