WAF URL PATH - file blocking does not work

Hi guys i want to protect my JavaScript and CSS files from being seen/stolen by others.

When somebody loads up my site they can go for any template url ending with .css or .min.js and view content of that script in the source code.

The blocking partially works, when the visitor has the website and source code loaded they can load any file of their choice in the browser. However when i press ‘refresh’ for browser that is when the page is blocked by cloudflare.

This defeats the objective if users are allowed to load the file in the first place.

Currently i am blocking url path. So for example if i want to block ‘mytemplate.css’ which is located in templates/files/mytemplate.css i have set it up to block ‘/templates/files/’ which should block any files within that directory but this doesnt work.

Here is how i have set it up:

URL Path - Contains - /template/ext/

See attached

From what I understand and what you’re going for, since I see WordPress, I assume you’d broke your Website content for the end-visitor by doing it so? :thinking:

Furthermore, why publishing something online, being available even for the bots and crawlers, if it’s not meant to be?

If you’re developing something, I’d suggest to put it behind Cloudflare Access - that way only you can access it (or someone else too, depends how you’d configure it).

Nevertheless, someone could steal and rip-off your Website with other 3rd-party software and you couldn’t do anything if you see your Website being “duplicated”.

I’d consider using SaaS or SSCS, and minify and obfuscate the code, if so.

Otherwise, use a different approach for developing and make sure the code is compiled for the front-end.

Hi @fritex

No wordpress is not broken, i have custom exams for users who are registering and using the website regularly for almost 2 years now. This rule is not breaking wordpress as i have also personally thought this may be the case when it is not. I have also tested this thoroughly from different devices.

I am already minifying and have obfuscated the code. Realising that there are other methods i really like cloudflares solution.

What i have setup in my demonstration above works, for example if you try and visit any file in /template/ext/xxxxxx.css you will be blocked so it works. However the only time it does not work is when the user goes in via source code and opens the url for the first time. It’s as if the rules are buggy…

Thanks for feedback.

Could be

I’ve tested on my example site and it’s working as expected.
Even first-time, no cache in Web browser, I am presented with Block page from Cloudflare.
Even after the refresh, the same result.

WAF Rule:

If I want to block everything under /js/, would go like:

I am afraid you do have a cached version already in your Web browser.

I’d suggest you to test in other Web browser or clearing your cache, or in Private (Incognito) Window.

It had happened to me when I hit refresh, but a moment before I applied /js/ to block rule, I’ve already visited the .js file and was able “on refresh” to get one time a “block page” while other time the source code, then again block page.

In general, if visitor don’t have it cached, it shouldn’t see it and would be presented with the Cloudflare’s default block page.