What is the recommended WAF ruleset for XenForo?

As the title of this post states, I want to know what the recommended WAF rulesets for XenForo are. XenForo is paid forum software written in PHP, used by a large number of discussion boards on the internet. I saw that Cloudflare Pro has a ruleset specific to phpBB & WordPress but not for XenForo. Should I just enable the PHP & special rulesets, or is there something more specific I can do? I looked at the OWASP rulesets but am worried that XenForo's "bbcode" could trigger false positives on the XSS filter. What is Cloudflare's advice for Pro customers who want to use the WAF in front of XenForo?

It seems like all the basic rules for PHP applications should work fine or almost fine there. You have to take into account that CloudFlare doesn't provide specific rules for every particular application or platform you have, and you can't configure it manually.

I would highly recommend that you check the list of all the known XenForo issues here: https://xenforo.com/community/tags/security-vulnerability/ and send these payloads to verify that your installation is secure.


My main concern is that a code block for showing embedded PHP code would trigger the code injection filter. I'm not sure if Cloudflare has rules in place to prevent this issue.

Hmm, looks like I can disable the managed rulesets and enable the OWASP ones instead with high sensitivity and use challenge instead of block. That's a nice compromise. Is it possible to have the Cloudflare managed rules default to challenge instead of block?
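The false-positive worry raised in this thread (legitimate `[CODE]` blocks containing PHP, HTML or SQL being caught by the WAF) can be checked against your own forum before switching rulesets. The script below is an added example and is not code from this thread, Cloudflare or XenForo; it assumes a post URL and form field name you supply, and treats a response carrying a `cf-mitigated: challenge` header as a challenge and any other 403/503 as a block (a heuristic, not a documented contract).

```python
"""Probe a WAF in front of a XenForo install with legitimate bbcode samples
and report which ones are challenged or blocked (false positives to tune)."""
import urllib.error
import urllib.parse
import urllib.request

# Constructed samples of harmless forum content that resembles attack payloads.
BBCODE_SAMPLES = {
    "php_in_code_block": "[CODE=php]<?php echo htmlspecialchars($_GET['q']); ?>[/CODE]",
    "js_in_code_block": "[CODE=html]<script>alert(document.cookie)</script>[/CODE]",
    "sql_in_code_block": "[CODE=sql]SELECT * FROM users WHERE id = 1 OR 1=1[/CODE]",
    "plain_quote": "[QUOTE]Has anyone tried the new WAF rulesets?[/QUOTE]",
}


def classify(status, headers):
    """Map an HTTP response to 'allowed', 'challenged' or 'blocked'.
    Assumption: a challenge page is signalled by 'cf-mitigated: challenge';
    a plain 403/503 with no such header is treated as an outright block."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("cf-mitigated", "").lower() == "challenge":
        return "challenged"
    if status in (403, 503):
        return "blocked"
    return "allowed"


def urllib_sender(url, body):
    """Real sender: POST a form body and return (status, headers) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe(post_url, sender=urllib_sender, field="message", samples=BBCODE_SAMPLES):
    """Submit each sample through the WAF as a form field and collect verdicts.
    'sender' is injectable so the logic can be exercised without a live site."""
    results = {}
    for name, bbcode in samples.items():
        body = urllib.parse.urlencode({field: bbcode}).encode()
        status, headers = sender(post_url, body)
        results[name] = classify(status, headers)
    return results


def false_positives(results):
    """Legitimate samples that did not pass cleanly, sorted for a stable report."""
    return sorted(name for name, verdict in results.items() if verdict != "allowed")
```

Run `probe("https://your-forum.example/post-thread", field="message")` against a staging copy of the forum (hypothetical URL) and review `false_positives(...)` before raising sensitivity or moving the action from challenge to block.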
