Why do WAF rules block CSS even though the rules say to skip if referrer contains host

Answer these questions to help the Community help you with Security questions.

What is the domain name?
mayankgupta.com

Have you searched for an answer?
yes

Describe the issue you are having:
I’ve set the firewall rule to block the request if

  1. URI Path contains /wp-content
  2. And Referer Doesn’t contain *mayankgupta.com*

What error message or number are you receiving?
User’s request is getting blocked because the path they were trying to access was **/wp-content/cache/autoptimize/css/autoptimize_426ca4697316801476dba6b77891f3a5.css**

Please attach a screenshot of the error:

https://prnt.sc/A4XkY3ueC1CZ

I realized that the issue may not be clear from my post - but I’m not able to edit it. So, adding a reply to add clarification.

The problem that I’m seeing is that even though I’ve set rules like these, where I don’t want the request to be blocked if the Referer doesn’t contain the hostname, I see that CSS & JS requests are getting blocked (which come in if anyone is accessing a page on my website). And in those cases, the referrer will always have the hostname, which in my case is mayankgupta.com.

The point is that CSS & JS requests will contain the hostname if anyone is trying to access any page on my website, so those requests should get skipped; why are they getting blocked?

Perhaps their browsers/extensions are blocking the referrer?

In any case, the referrer should never be trusted, as it’s easily spoofed.

The best Cloudflare protection for your WordPress backend is Zero Trust Access, which is free for up to 50 users. If you cannot use it, the second best is to craft WAF Custom Rules (aka Firewall Rules) based on behavior, as in which files are being requested. Though WordPress is based on PHP, it rarely needs to request PHP files on the open internet. So your protection will focus on /wp-login.php, /wp-admin/admin-ajax.php and other files that are in fact requested over HTTP(S).

Thank you for checking this and your suggestion.

I’ve protected WP login using firewall rules, and it was only after seeing the traffic patterns that I created these wp-content, wp-includes and wp-admin rules to block the requests, because no one other than me needs to access the backend of the site. No one needs to access anything behind these directories either, unless requested by the website on page load.

The reason I’m posting it is that I see quite a bit of false positives and I wanted to understand why that is the case. There should be no reason for the css or js requests to get blocked.

There was no way to get in touch with support because I’m on a free plan - I just wanted to let the product teams know about this and possibly they already do.

Why do you think they are false positives, as opposed to visits by either bots that won’t include the Referer header or a browser with some privacy extension that may exclude it as well? Are you getting blocked when testing the rule? If so, could you post a screenshot of your rule as well as of your Dev Tools Network tab with the request headers including the referer field?

I ask because I’ve just tested a similar Firewall Rule on a Free Plan and the results were as expected. With the Referer header, it gets a 200; without it, a 403.

Screenshot (of the rule and the curl results)

Curl commands used for testing:

# No Referer header: the rule should block (expect HTTP 403)
curl -sI https://example.com/wp-content/path/to/file.svg | grep -E '^(HTTP|cf-|content)'
# Same request with a Referer containing the zone hostname: the rule should skip (expect HTTP 200)
curl -sI https://example.com/wp-content/path/to/file.svg -H 'Referer: https://example.com' | grep -E '^(HTTP|cf-|content)'
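To make the two points raised in the replies concrete (the rule behaves as written, and a Referer-based rule both produces "false positives" for referer-less clients and is trivially bypassed), here is an added Python simulation. It is not code from the thread or from Cloudflare; it re-implements the original poster's rule logic in plain Python and evaluates it against constructed requests. The header values, paths and the `behavioral_blocks` allowlist are assumptions made for illustration, mirroring the suggestion above to key rules on which files are requested rather than on the Referer.

```python
"""Simulate the Referer-based firewall rule from this thread.

Added example, not code from the thread or from Cloudflare.

Rule as the original poster described it:
    block if  URI path contains "/wp-content"
          and Referer does not contain "mayankgupta.com"
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive; normalise the lookup.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def rule_blocks(req, host="mayankgupta.com"):
    """Return True if the thread's Referer-based rule would block this request."""
    referer = req.header("Referer") or ""
    return "/wp-content" in req.path and host not in referer


def behavioral_blocks(req, allowed_php=("/wp-login.php", "/wp-admin/admin-ajax.php")):
    """Illustrative alternative (assumption, not Cloudflare's rule syntax):
    block direct requests for PHP files that WordPress does not normally serve
    to browsers, and let static assets through regardless of Referer."""
    return req.path.endswith(".php") and req.path not in allowed_php


# Constructed sample traffic (not real logs).
SAMPLES = {
    # Normal page load: browser sends a same-origin Referer, rule passes.
    "normal_browser": Request(
        "/wp-content/cache/autoptimize/css/autoptimize_426ca4697316801476dba6b77891f3a5.css",
        {"Referer": "https://mayankgupta.com/some-page/"}),
    # Same asset, but a privacy extension or Referrer-Policy: no-referrer
    # stripped the header: the rule blocks it, which is the "false positive".
    "referer_stripped": Request("/wp-content/themes/theme/style.css", {}),
    # curl -sI with no -H 'Referer: ...', as in the test above: blocked.
    "bot_no_referer": Request("/wp-content/uploads/file.svg",
                              {"User-Agent": "curl/8.0"}),
    # An attacker simply sets the header: the rule is bypassed.
    "spoofed_referer": Request("/wp-content/uploads/2021/backup.zip",
                               {"referer": "https://mayankgupta.com/"}),
    # Path outside /wp-content never matches the rule.
    "front_page": Request("/", {}),
    # Direct hit on a plugin PHP file: Referer rule passes if spoofed,
    # behavioural rule blocks it.
    "plugin_php": Request("/wp-content/plugins/some-plugin/file.php",
                          {"Referer": "https://mayankgupta.com/"}),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (referer_rule_blocks, behavioral_rule_blocks)."""
    return {name: (rule_blocks(req), behavioral_blocks(req))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (ref, beh) in evaluate().items():
        print(f"{name:18s} referer-rule={'BLOCK' if ref else 'allow':5s} "
              f"behavioral-rule={'BLOCK' if beh else 'allow'}")
```

Running it shows the two outcomes the replies describe side by side: the Referer rule blocks every referer-less request to /wp-content (stripped header, curl, bots) yet lets a spoofed Referer through, while the behavioural rule ignores the Referer entirely and only blocks the PHP request.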
