Source from repo

Cloudflare Platform Skill

Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.

cloudflareGitHub cloudflareSource repo Original GitHub link Publisher page

Files

321

Skill

n/a

Size

1.4 MB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/waf/configuration.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown203 linesFree

references/waf/configuration.md

1# Configuration
2 
3## Prerequisites
4 
5**API Token**: Create at https://dash.cloudflare.com/profile/api-tokens
6- Permission: `Zone.WAF Edit` or `Zone.Firewall Services Edit`
7- Zone Resources: Include specific zones or all zones
8 
9**Zone ID**: Found in dashboard > Overview > API section (right sidebar)
10 
11```bash
12# Set environment variables
13export CF_API_TOKEN="your_api_token_here"
14export ZONE_ID="your_zone_id_here"
15```
16 
17## TypeScript SDK Usage
18 
19```bash
20npm install cloudflare
21```
22 
23```typescript
24import Cloudflare from 'cloudflare';
25 
26const client = new Cloudflare({ apiToken: process.env.CF_API_TOKEN });
27 
28// Custom rules
29await client.rulesets.create({
30  zone_id: process.env.ZONE_ID,
31  kind: 'zone',
32  phase: 'http_request_firewall_custom',
33  name: 'Custom WAF',
34  rules: [
35    { action: 'block', expression: 'cf.waf.score gt 50', enabled: true },
36    { action: 'challenge', expression: 'http.request.uri.path eq "/admin"', enabled: true },
37  ],
38});
39 
40// Managed ruleset
41await client.rulesets.create({
42  zone_id: process.env.ZONE_ID,
43  phase: 'http_request_firewall_managed',
44  rules: [{
45    action: 'execute',
46    action_parameters: { id: 'efb7b8c949ac4650a09736fc376e9aee' },
47    expression: 'true',
48  }],
49});
50 
51// Rate limiting
52await client.rulesets.create({
53  zone_id: process.env.ZONE_ID,
54  phase: 'http_ratelimit',
55  rules: [{
56    action: 'block',
57    expression: 'http.request.uri.path starts_with "/api"',
58    action_parameters: {
59      ratelimit: {
60        characteristics: ['cf.colo.id', 'ip.src'],
61        period: 60,
62        requests_per_period: 100,
63        mitigation_timeout: 600,
64      },
65    },
66  }],
67});
68```
69 
70## Terraform Configuration
71 
72```hcl
73provider "cloudflare" {
74  api_token = var.cloudflare_api_token
75}
76 
77resource "cloudflare_ruleset" "waf_custom" {
78  zone_id = var.zone_id
79  kind    = "zone"
80  phase   = "http_request_firewall_custom"
81 
82  rules {
83    action     = "block"
84    expression = "cf.waf.score gt 50"
85  }
86}
87```
88 
89**Managed Ruleset & Rate Limiting**:
90```hcl
91resource "cloudflare_ruleset" "waf_managed" {
92  zone_id = var.zone_id
93  name    = "Managed Ruleset"
94  kind    = "zone"
95  phase   = "http_request_firewall_managed"
96 
97  rules {
98    action = "execute"
99    action_parameters {
100      id = "efb7b8c949ac4650a09736fc376e9aee"
101      overrides {
102        rules {
103          id = "5de7edfa648c4d6891dc3e7f84534ffa"
104          action = "log"
105        }
106      }
107    }
108    expression = "true"
109  }
110}
111 
112resource "cloudflare_ruleset" "rate_limiting" {
113  zone_id = var.zone_id
114  phase   = "http_ratelimit"
115 
116  rules {
117    action = "block"
118    expression = "http.request.uri.path starts_with \"/api\""
119    ratelimit {
120      characteristics     = ["cf.colo.id", "ip.src"]
121      period              = 60
122      requests_per_period = 100
123      mitigation_timeout  = 600
124    }
125  }
126}
127```
128 
129## Pulumi Configuration
130 
131```typescript
132import * as cloudflare from '@pulumi/cloudflare';
133 
134const zoneId = 'zone_id';
135 
136// Custom rules
137const wafCustom = new cloudflare.Ruleset('waf-custom', {
138  zoneId,
139  phase: 'http_request_firewall_custom',
140  rules: [
141    { action: 'block', expression: 'cf.waf.score gt 50', enabled: true },
142    { action: 'challenge', expression: 'http.request.uri.path eq "/admin"', enabled: true },
143  ],
144});
145 
146// Managed ruleset
147const wafManaged = new cloudflare.Ruleset('waf-managed', {
148  zoneId,
149  phase: 'http_request_firewall_managed',
150  rules: [{
151    action: 'execute',
152    actionParameters: { id: 'efb7b8c949ac4650a09736fc376e9aee' },
153    expression: 'true',
154  }],
155});
156 
157// Rate limiting
158const rateLimiting = new cloudflare.Ruleset('rate-limiting', {
159  zoneId,
160  phase: 'http_ratelimit',
161  rules: [{
162    action: 'block',
163    expression: 'http.request.uri.path starts_with "/api"',
164    ratelimit: {
165      characteristics: ['cf.colo.id', 'ip.src'],
166      period: 60,
167      requestsPerPeriod: 100,
168      mitigationTimeout: 600,
169    },
170  }],
171});
172```
173 
174## Dashboard Configuration
175 
1761. Navigate to: **Security** > **WAF**
1772. Select tab:
178   - **Managed rules** - Deploy/configure managed rulesets
179   - **Custom rules** - Create custom rules
180   - **Rate limiting rules** - Configure rate limits
1813. Click **Deploy** or **Create rule**
182 
183**Testing**: Use Security Events to test expressions before deploying.
184 
185## Wrangler Integration
186 
187WAF configuration is zone-level (not Worker-specific). Configuration methods:
188- Dashboard UI
189- Cloudflare API via SDK
190- Terraform/Pulumi (IaC)
191 
192**Workers benefit from WAF automatically** - no Worker code changes needed.
193 
194**Example: Query WAF API from Worker**:
195```typescript
196export default {
197  async fetch(request: Request, env: Env): Promise<Response> {
198    return fetch(`https://api.cloudflare.com/client/v4/zones/${env.ZONE_ID}/rulesets`, {
199      headers: { 'Authorization': `Bearer ${env.CF_API_TOKEN}` },
200    });
201  },
202};
203```

Cloudflare Platform Skill

references/waf/configuration.md

Preparing the source view

Cloudflare Platform Skill

references/waf/configuration.md