With these Cloudflare WAF expressions, you can effectively block all unnecessary requests to your server, enhancing its security and performance.
Important: additionally, it is recommended to disable the Bot Fight Mode function found in the Security tab. The purpose of this feature is to detect and stop automated traffic from bots. However, it often blocks safe and legitimate bots, which is not our intention.
Please note that these expressions should not be used if you are utilizing WordPress or any similar content management system (CMS), as they may interfere with its normal functioning. They are highly recommended for Node.js applications built on frameworks such as Express.js.
Tip: remember to check back here from time to time. These lists are frequently updated to stay effective against the latest threats.
This list has been carefully crafted to improve the security of your origin server by blocking a wide range of pointless and potentially malicious requests. The following is a summary of what it can block:
- Sensitive files and directories: prevents access to critical files and directories, such as .git, .env, and .htaccess, which often contain sensitive information that should never be publicly accessible. It also blocks access to other commonly used configuration files and keys, such as SSH keys and similar items.
- Common attack vectors: blocks URLs containing patterns often used in attacks, helping to thwart attempts to exploit known application vulnerabilities.
- Backup files: protects against requests for backup files that could contain sensitive data. This includes common backup file extensions and patterns.
- Outdated browsers: identifies and blocks outdated browser versions that are often used by bots for automated attacks or unnecessary web crawling. Additionally, it can block DDoS attacks from botnets, which commonly use outdated user agents.
- Unwanted bots: blocks various unwanted, unnecessary web crawlers and known malicious bots by analyzing specific user-agent strings. This helps reduce unwanted bot traffic and alleviate server resource strain.
- Specific IP addresses and ASNs: blocks traffic from known malicious IP addresses and ASNs, helping to prevent attacks from sources flagged as malicious. The list also includes some IP addresses associated with botnets.
By using this collection, you may significantly increase the security of your website and reduce the quantity of unwanted traffic on your server.
These expressions do not block the following:
- Known and safe search engine indexing bots such as Google, Bing, DuckDuckGo, Yandex, Yahoo!, and others.
- Outgoing requests from Node.js applications using libraries like node-fetch, axios, superagent, request, and similar.
- Outgoing requests from tools like curl, wget, Postman, httpie, Insomnia, and similar.
- Legitimate traffic from commonly used APIs and services that are essential for the proper functioning of your application.
- Webhooks and callbacks from trusted third-party services, ensuring seamless integration and communication.
- Requests for standard web files such as robots.txt, ads.txt, sitemap.xml, humans.txt, and similar, which are essential for proper web indexing and advertising management.
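As an added illustration of how the blocked categories and these carve-outs fit together in one custom rule (example text written for this page, not the expressions in expressions/main.md): the expression below, in Cloudflare's rule language, blocks the sensitive-file and backup-file patterns, a placeholder bot User-Agent (examplebadbot), and documentation-reserved ASNs and IP ranges (64496, 64497, 192.0.2.0/24 and 198.51.100.7 are all placeholders), while exempting the standard web files and Cloudflare's verified bots (cf.client.bot). lower() is applied because path matching is case-sensitive and a request for /.ENV would otherwise slip through; the leading slash in the sensitive-file patterns avoids matching unrelated paths that merely contain the substring.

```text
(
  lower(http.request.uri.path) contains "/.git"
  or lower(http.request.uri.path) contains "/.env"
  or lower(http.request.uri.path) contains "/.htaccess"
  or lower(http.request.uri.path) contains "/id_rsa"
  or ends_with(lower(http.request.uri.path), ".bak")
  or ends_with(lower(http.request.uri.path), ".old")
  or ends_with(lower(http.request.uri.path), ".sql")
  or lower(http.user_agent) contains "examplebadbot"
  or ip.geoip.asnum in {64496 64497}
  or ip.src in {192.0.2.0/24 198.51.100.7}
)
and not (
  http.request.uri.path in {"/robots.txt" "/ads.txt" "/sitemap.xml" "/humans.txt"}
  or cf.client.bot
)
```

Deploy it with the Block action and confirm with a request for /robots.txt that the carve-out is reached before relying on the rule.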
- Log in to your Cloudflare account.
- Select the domain where you want to add the expressions.
- Click on the Security tab and choose WAF from the dropdown list.
- In the Custom rules tab, click the Create rule button.
- Copy the expressions from the expressions/main.md file.
- Click Edit expression and paste the copied expressions.
- Click the Deploy button to save the changes. Repeat the same process for the remaining parts of the expressions. Remember to select the appropriate Action from the file (Block or Interactive Challenge).
- Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure to check that your website functions correctly. Visit this repository periodically to use the latest lists.
It is also recommended to enable DDoS protection in the Security tab. Then, navigate to DDoS and click the Deploy a DDoS override button, using the following settings:
- Override name: DDoS L7 ruleset
- Ruleset action: Block
- Ruleset sensitivity: Default
If you have any questions or need help with the expressions, feel free to open an Issue. I will be happy to assist you.
If you have any suggestions or improvements, feel free to open a Pull request. Your contributions are highly appreciated and will help keep this list up-to-date and effective against the latest threats.
If you found this repository useful, please consider giving it a star ⭐. Thank you!
This project is licensed under the MIT License.