{"id":29985796,"url":"https://github.com/buybitart/cloudflare-security-art","last_synced_at":"2026-05-15T20:06:13.670Z","repository":{"id":306427250,"uuid":"1026145654","full_name":"buybitart/cloudflare-security-art","owner":"buybitart","description":"Cloudflare free plan security: WAF rules, DDoS protection, HTTP headers and AI bot control","archived":false,"fork":false,"pushed_at":"2025-10-06T07:27:31.000Z","size":104,"stargazers_count":3,"open_issues_count":0,"forks_count":5,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-06T09:37:23.131Z","etag":null,"topics":["antibots","art","bitcoin","cloudflare","cloudflare-expression","cloudflare-firewall-rules","cloudflare-waf-expression","cloudflare-waf-expressions","cloudflare-waf-rules","ddos-protection","security-headers","waf"],"latest_commit_sha":null,"homepage":"https://buybitart.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buybitart.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-25T11:38:34.000Z","updated_at":"2025-10-06T07:27:34.000Z","dependencies_parsed_at":"2025-07-25T17:52:50.186Z","dependency_job_id":"e8679cab-ce8a-41c2-9e2f-6be461302744","html_url":"https://github.com/buybitart/cloudflare-security-art","commit_stats":null,"previous_names":["buybitart/cloudflare-security-art"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/buybitart/cloudflare-security-art","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buybitart%2Fcloudflare-security-art","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buybitart%2Fcloudflare-security-art/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buybitart%2Fcloudflare-security-art/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buybitart%2Fcloudflare-security-art/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buybitart","download_url":"https://codeload.github.com/buybitart/cloudflare-security-art/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buybitart%2Fcloudflare-security-art/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33078052,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-15T20:05:40.333Z","status":"ssl_error","status_checked_at":"2026-05-15T20:05:38.672Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antibots","art","bitcoin","cloudflare","cloudflare-expression","cloudflare-firewall-rules","cloudflare-waf-expression","cloudflare-waf-expressions","cloudflare-waf-rules","ddos-protection","security-headers","waf"],"created_at":"2025-08-04T22:01:55.842Z","updated_at":"2026-05-15T20:06:13.663Z","avatar_url":"https://github.com/buybitart.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# Cloudflare Security Configuration (Free Plan) \n\nI’m Aksana (5Ksana), founder of the open‑source [BitcoinArt project](https://github.com/buybitart/bitcoinart) . My husband Aliaksandr, a few friends, and I built this platform with our own savings so that Bitcoin artists everywhere can run a fully self‑hosted site, sell their handmade work, and accept payments in BTC, USDT (BTCPay), or credit card (Stripe) without middlemen or censorship.\n\nIf you like what we’re doing, please consider a donation-any amount helps us keep improving the gallery, auction tools, and multilingual support for creators around the world. Thank you for helping us protect artistic freedom and grow Bitcoin culture.\n\nIf you'd like to support the project, please visit the [**donation page**](https://buybitart.com/support). or If this repo made your life a little easier, please consider dropping a star ⭐ it really helps and totally makes my day! Thank you! 💖\n\n**This guide will help you protect your website using Cloudflare. It includes firewall rules, DDoS protection, security headers, and bot settings.**\n\n**It includes**:\n\n- ✅ Firewall rules  \n- ✅ DDoS protection  \n- ✅ Security headers  \n- ✅ Bot management settings\n---\n**My Cloudflare rule is**:\n\n- ✅ Tested and safe  \n- ✅ Does **not** break your site  \n- ✅ Blocks harmful bots, including AI scrapers  \n- ✅ Based on a [**ZERO TRUST**](https://4sysops.com/archives/block-ai-scrapers-and-other-web-parasites-with-cloudflare/) approach\n\n**AI bots try to copy your content!**.\nSee [**How AI is stealing your art**](https://juliabausenhardt.com/how-ai-is-stealing-your-art/) and [**‘Mass theft’: Thousands of artists call for AI art auction to be cancelled**](https://www.theguardian.com/technology/2025/feb/10/mass-theft-thousands-of-artists-call-for-ai-art-auction-to-be-cancelled) \n\u003e **\"One of the main points of art is to dialogue with culture.**  \n\u003e Even if unintentional, every piece of art reflects the unique background of its creator-shaped by food, religion, music, ethics, visual art, and more.  \n\u003e \n\u003e Imagine a child raised in isolation, shown only paintings 16 hours a day, and punished if their weekly drawing doesn't replicate those images closely enough. They don’t know why they draw-they just mimic. They aren’t creating. They aren’t dialoguing with art.  \n\u003e \n\u003e A computer is even simpler. It doesn't feel, doesn't reflect, doesn't remember the sound of jazz in the 1920s or the first time it saw Warhol.  \n\u003e \n\u003e But a human artist does.  \n\u003e They carry experience, emotion, and intention. They borrow from the past, mix it with the present, and speak in their own voice. That’s art. That’s the difference.\n\u003e\n\u003e When art is just imitation for profit, it’s empty. But when it speaks-it matters.\"\n\nAI pretend to be search engines, but they don't bring you visitors.  \nSome even use fake user agents, so basic Cloudflare settings may not stop them.\nThis rule blocks **all** bots by default, and then **only allows useful bots** that help your website get indexed.\n\n| Step | Description |\n|------|-------------|\n| [**STEP 1 – Web Application Firewall (WAF) Rules**](#step-1) | Blocks bots, crawlers, exploits and malicious requests (Parts 1‑5). |\n| [**STEP 2 – DDoS L7 Protection \u0026 Rate Limiting**](#step-2) | Adds Layer‑7 override and rate limits to stop floods. |\n| [**STEP 3 – Bot Management**](#step-3) | Configures Cloudflare bot settings to block AI and unwanted bots. |\n| [**STEP 4 – Security Headers**](#step-4) | Sets recommended HTTP headers to harden the site. |\n\n\u003e [!IMPORTANT]  \n\u003e It is also recommended to **disable** the **`Bot Fight Mode`** feature in the **`Security`** tab.  \n\u003e This guide already blocks all unwanted bots and AI crawlers while allowing only the important and trusted bots used for indexing your site such as:  \n\u003e - google  \n\u003e - bing  \n\u003e - slurp  \n\u003e - duckduckbot  \n\u003e - cloudflare  \n\u003e Because of this, there is no need to enable Bot Fight Mode as it could interfere with these allowed bots and disrupt proper indexing.\n\n---\n\n\u003ca id=\"step-1\"\u003e\u003c/a\u003e\n## STEP 1 – Web Application Firewall (WAF) Rules\n\nCopy these expressions into your Cloudflare dashboard for custom WAF rules.\n\n- Go to Security \u003e **WAF** \u003e **Custom rules**. \n- To create a new empty rule, select Create rule. \n\nRead [Create a custom rule in the dashboard](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/).\n\n\u003cimg width=\"1066\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6c77eaae-0e9a-496c-84b4-2a91518f7af3\" /\u003e\n\n\n### Part 1 – Block Bot Parasites\n\nThis rule stops bad automated web traffic by checking each request and blocking empty or strange User‑Agent names like headless browsers or scanners and traffic from certain IP groups that use \"siteaudit\" and Host headers that have \":80\" or \":443\" and wrong Cloudflare cookies and any Cloudflare client.bot that is not a verified search crawler or an ACME challenge and any HTTP/1.0 or HTTP/1.1 request unless it asks for \"/robots.txt\" or comes from a real search bot or an ACME check.\n\n\u003e NOTE🔒 **This rule stops about 90% of all threats. It cuts off bad bot traffic before it reaches the application.**\n\n**Action:** Block\n\n```plaintext\n(\n  (\n  http.user_agent eq \"\"\n  or http.user_agent eq \" \"\n  or http.user_agent eq \"'\"\n  or http.request.headers[\"user-agent\"][0] eq \"\"\n  or lower(http.user_agent) contains \"puppeteer\"\n  or lower(http.user_agent) contains \"phantomjs\"\n  or lower(http.user_agent) contains \"selenium\"\n  or lower(http.user_agent) contains \"slimerjs\"\n  or lower(http.user_agent) contains \"nightmare\"\n  or lower(http.user_agent) contains \"casperjs\"\n  or lower(http.user_agent) contains \"pyppeteer\"\n  )\n  or (ip.src.asnum in {135061 23724 4808} and http.user_agent contains \"siteaudit\")\n  or (http.host contains \":80\")\n  or (http.host contains \":443\")\n  or (\n    http.cookie contains \"cf_use_ob=\"\n    and not http.cookie contains \"0\"\n    and not http.cookie contains \"80\"\n    and not http.cookie contains \"443\"\n    and not cf.client.bot\n  )\n  or (\n    cf.client.bot\n    and not (\n      (\n        cf.verified_bot_category in {\"Search Engine Crawler\"}\n        and (\n          lower(http.user_agent) contains \"google\"\n          or lower(http.user_agent) contains \"bing\"\n          or lower(http.user_agent) contains \"slurp\"\n          or lower(http.user_agent) contains \"duckduckbot\"\n          or lower(http.user_agent) contains \"cloudflare\"\n\n        )\n      )\n      or lower(http.user_agent) contains \"google-inspectiontool\"\n      or lower(http.user_agent) contains \"google-siteverification\"\n      or lower(http.user_agent) contains \"googlebot\"\n      or lower(http.user_agent) contains \"chrome-lighthouse\"\n      or http.request.uri.path contains \"acme-challenge\"\n      or lower(http.user_agent) contains \"adsbot-google\"\n      or lower(http.user_agent) contains \"google-adwords\"\n    \n       )\n  )\n)\nor\n(\n  http.request.version in {\"HTTP/1.0\" \"HTTP/1.1\"}\n  and not (\n    cf.client.bot\n    or lower(http.user_agent) contains \"google\"\n    or lower(http.user_agent) contains \"bing\"\n    or lower(http.user_agent) contains \"slurp\"\n    or lower(http.user_agent) contains \"duckduckbot\"\n    or lower(http.user_agent) contains \"cloudflare\"\n    or lower(http.user_agent) contains \"google-inspectiontool\"\n    or lower(http.user_agent) contains \"google-siteverification\"\n    or lower(http.user_agent) contains \"googlebot\"\n    or lower(http.user_agent) contains \"chrome-lighthouse\"\n    or http.request.uri.path contains \"acme-challenge\"\n    or lower(http.user_agent) contains \"adsbot-google\"\n    or lower(http.user_agent) contains \"google-adwords\"\n\n  )\n)\n```\n\n### Part 2 – Block AI and Bad Crawlers\n\nThis rule blocks many automated bots and crawlers. It stops AI crawlers like \"amazonbot\", \"gptbot\", \"claudebot\", \"mistralai\" and others. It also blocks any user agent with \"bot\", \"crawl\" or \"spider\" in its name from certain IP groups. It still allows real search engines like Google or Bing and ACME challenge requests.\n\n**Action:** Block\n\n```plaintext\n(\n  lower(http.user_agent) contains \"amazonbot\"           or\n  lower(http.user_agent) contains \"googleother\"         or\n  lower(http.user_agent) contains \"gptbot\"              or\n  lower(http.user_agent) contains \"oai-searchbot\"       or\n  lower(http.user_agent) contains \"chatgpt\"             or\n  lower(http.user_agent) contains \"perplexitybot\"       or\n  lower(http.user_agent) contains \"claudebot\"           or\n  lower(http.user_agent) contains \"sbintuitionsbot\"     or\n  lower(http.user_agent) contains \"mistralai\"           or\n  lower(http.user_agent) contains \"youbot\"              or\n  lower(http.user_agent) contains \"timpibot\"            or\n  lower(http.user_agent) contains \"omgili\"              or\n  lower(http.user_agent) contains \"diffbot\"             or\n  lower(http.user_agent) contains \"ccbot\"               or\n  lower(http.user_agent) contains \"ai2bot\"              or\n  lower(http.user_agent) contains \"cohere\"              or\n  lower(http.user_agent) contains \"duckassistbot\"       or\n  lower(http.user_agent) contains \"bytespider\"          or\n  lower(http.user_agent) contains \"applebot\"            or\n  lower(http.user_agent) contains \"google-extended\"     or\n  lower(http.user_agent) contains \"anthropic\"           or\n\n  (cf.verified_bot_category in {\"AI Crawler\" \"Other\"})  or\n\n  (http.user_agent wildcard \"*2ip*\") or\n  (http.user_agent wildcard \"*archive.org_bot*\") or\n  (http.user_agent wildcard \"*awariobot*\") or\n  (http.user_agent wildcard \"*barkrowler*\") or\n  (http.user_agent wildcard \"*blexbot*\") or\n  (http.user_agent wildcard \"*bomborabot*\") or\n  (http.user_agent wildcard \"*buck*\") or\n  (http.user_agent wildcard \"*bvbot*\") or\n  (http.user_agent wildcard \"*bytespider*\") or\n  (http.user_agent wildcard \"*ccbot*\") or\n  (http.user_agent wildcard \"*checkhost*\") or\n  (http.user_agent wildcard \"*cincraw*\") or\n  (http.user_agent wildcard \"*claudebot*\") or\n  (http.user_agent wildcard \"*clickagy*\") or\n  (http.user_agent wildcard \"*cocolyzebot*\") or\n  (http.user_agent wildcard \"*criteobot*\") or\n  (http.user_agent wildcard \"*df bot 1.0*\") or\n  (http.user_agent wildcard \"*domainstatsbot*\") or\n  (http.user_agent wildcard \"*domcopbot*\") or\n  (http.user_agent wildcard \"*dotbot*\") or\n  (http.user_agent wildcard \"*globalping*\") or\n  (http.user_agent wildcard \"*gulperbot*\") or\n  (http.user_agent wildcard \"*httrack*\") or\n  (http.user_agent wildcard \"*internet-structure*\") or\n  (http.user_agent wildcard \"*internetmeasurement*\") or\n  (http.user_agent wildcard \"*ioncrawl*\") or\n  (\n    (\n      ip.src.asnum in {7224 16509 14618 15169 8075 396982}\n      or lower(http.user_agent) contains \"crawl\"\n      or lower(http.user_agent) contains \"bot\"\n      or lower(http.user_agent) contains \"spider\"\n      or lower(http.user_agent) contains \"scrapy\"\n    )\n    and not cf.client.bot\n    and not (\n      (\n        cf.verified_bot_category in {\"Search Engine Crawler\"}\n        and (\n          lower(http.user_agent) contains \"google\"\n          or lower(http.user_agent) contains \"bing\"\n          or lower(http.user_agent) contains \"slurp\"\n          or lower(http.user_agent) contains \"duckduckbot\"\n          or lower(http.user_agent) contains \"cloudflare\"\n          or lower(http.user_agent) contains \"adsbot-google-mobile\"\n          or lower(http.user_agent) contains \"google-adwords\"\n        )\n      )\n      or lower(http.user_agent) contains \"google-inspectiontool\"\n      or lower(http.user_agent) contains \"google-siteverification\"\n      or lower(http.user_agent) contains \"googlebot\"\n      or lower(http.user_agent) contains \"chrome-lighthouse\"\n      or lower(http.user_agent) contains \"adsbot-google\"\n      or lower(http.user_agent) contains \"google-adwords\"\n      or lower(http.user_agent) contains \"prerender\"\n      or lower(http.user_agent) contains \"headlesschrome\"\n    )\n    and not http.request.uri.path contains \"acme-challenge\"\n  )\n)\n```\n\n### Part 3 – Block Hackers\n\nThis rule blocks bad requests with leaked passwords or empty or strange User‑Agent.\nIt stops fake referers like \"binance.com\", \"google.com\", or \"n666888.com\" and blocks access to hidden or system files and folders (backup, git, .env, actuator, phpMyAdmin).\nIt also stops strange path symbols (\\ or //) and a special cat API request if IP group and User‑Agent do not match.\n\n**Action:** Block\n\n```plaintext\n(cf.waf.credential_check.password_leaked) or\n(http.referer eq \"binance.com\") or\n(http.referer eq \"google.com\") or\n(http.referer eq \"https://google.com\") or\n(http.referer eq \"bing.com\") or\n(http.referer eq \"https://bing.com\") or\n(http.referer eq \"http://n666888.com\") or\n(http.request.full_uri eq \"https://api.sefinek.net/api/v2/random/animal/cat\" and ip.geoip.asnum eq 8075 and http.user_agent eq \"python-requests/2.31.0\") or\n(http.request.uri.path contains \"\\\\\") or\n(http.request.uri.path eq \"/backup\") or\n(http.request.uri.path eq \"/git\") or\n(http.request.uri.path eq \"/old\") or\n(http.request.uri.path wildcard \"*.env*\") or\n(http.request.uri.path wildcard \"*/.*\" and not starts_with(http.request.uri.path, \"/.well-known/\")) or\n(http.request.uri.path wildcard \"*//*\") or\n(http.request.uri.path wildcard \"*/actuator*\") or\n(http.request.uri.path wildcard \"*/cms*\") or\n(http.request.uri.path wildcard \"*/credentials*\") or\n(http.request.uri.path wildcard \"*/dbadmin*\") or\n(http.request.uri.path wildcard \"*/debug*\") or\n(http.request.uri.path wildcard \"*/env*\") or\n(http.request.uri.path wildcard \"*/etc*\") or\n(http.request.uri.path wildcard \"*/login.action*\") or\n(http.request.uri.path wildcard \"*/phpmyadmin*\") or\n(http.request.uri.path wildcard \"*/readme*\") or\n(http.request.uri.path wildcard \"*/sito*\") or\n(http.request.uri.path wildcard \"*/ssh*\") or\n(http.request.uri.path wildcard \"*/user.action*\") or\n(http.request.uri.path wildcard \"*/webdav*\") or\n(http.request.uri.path wildcard \"*/~adm*\") or\n(http.request.uri.path wildcard \"*/~sysadm*\") or\n(http.request.uri.path wildcard \"*/~webmaster*\") or\n(http.request.uri.path wildcard \"*appsettings*\") or\n(http.request.uri.path wildcard \"*authorized_keys*\") or\n(http.request.uri.path wildcard \"*backup.*\") or\n(http.request.uri.path wildcard \"*config*\" and not http.host contains \"cdn.\") or\n(http.request.uri.path wildcard \"*docker-compose*\") or\n(http.request.uri.path wildcard \"*dockerfile*\") or\n(http.request.uri.path wildcard \"*dump.*\") or\n(http.request.uri.path wildcard \"*file_put_contents*\") or\n(http.request.uri.path wildcard \"*id_rsa*\") or\n(http.request.uri.path wildcard \"*keys.json*\") or\n(http.request.uri.path wildcard \"*pboot:if*\") or\n(http.request.uri.path wildcard \"*server.key*\") or\n(http.request.uri.path wildcard \"*sftp*\") or\n(http.request.uri.path wildcard \"*wlwmanifest*\") or\n(http.request.uri.path wildcard \"*www-sql*\") or\n(http.request.uri.path wildcard \"*_all_dbs*\") or\n(http.request.uri.path wildcard \"*_debugbar*\") or\n(http.request.uri.path wildcard \"*~ftp*\") or\n(http.request.uri.path wildcard \"*~tmp*\") or\n(http.request.uri.query wildcard \"*.env*\") or\n(http.request.uri.query wildcard \"*etc/passwd*\") or\n(http.user_agent contains \"   \") or\n(http.user_agent eq \"\" and not http.host contains \"api.\" and not http.host contains \"cdn.\" and http.host ne \"blocklist.sefinek.net\") or\n(http.user_agent eq \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\") or\n(http.user_agent eq \"Mozilla/5.0\") or\n(http.user_agent wildcard \"*embeddedbrowser*\" and not http.host contains \"api.\" and not http.host contains \"cdn.\") or\n(http.user_agent wildcard \"*go-http-client*\" and not http.host contains \"api.\" and not http.host contains \"cdn.\" and http.host ne \"blocklist.sefinek.net\") or\n(http.user_agent wildcard \"*headless*\" and not (lower(http.user_agent) contains \"prerender\")) or\n(http.user_agent wildcard \"*mozilla/4.0*\") or\n(http.user_agent wildcard \"*private_keys*\") or\n(http.user_agent wildcard \"*windows 11*\")\n```\n\n### Part 4 – Block Hackers\n\nThis rule stops tools like “curl”, “wget”, “aiohttp”, “python‑requests”, “node” or “okhttp” when they ask for the home page. It also blocks requests for files with extensions such as .log, .py, .sh, .yaml, auth.json or php.ini. It rejects any query that has “..”, “file://”, “php://”, “\u003c?php”, “script\u003e”, “alert(” or other dangerous code patterns.\n\n**Action:** Block\n\n```plaintext\n(\n  http.user_agent contains \"aiohttp\" or\n  http.user_agent contains \"aioquic\" or\n  http.user_agent contains \"curl\" or\n  http.user_agent contains \"okhttp\" or\n  http.user_agent contains \"python-requests\" or\n  http.user_agent contains \"python-httpx\" or\n  http.user_agent contains \"wget\"\n) and not (\n  starts_with(http.host, \"api.\") or\n  starts_with(http.host, \"cdn.\") or\n  http.host eq \"blocklist.sefinek.net\"\n) or\n(http.request.uri.path wildcard \"*.log*\" and not http.host contains \"cdn.\" and http.host ne \"blocklist.sefinek.net\") or\n(http.request.uri.path wildcard \"*.py*\") or\n(http.request.uri.path wildcard \"*.sh*\" and http.host ne \"cdn.sefinek.net\") or\n(http.request.uri.path wildcard \"*.yaml*\") or\n(http.request.uri.path wildcard \"*.yml*\") or\n(http.request.uri.path wildcard \"*auth.json*\") or\n(http.request.uri.path wildcard \"*conf.*\") or\n(http.request.uri.path wildcard \"*crlfinjection*\") or\n(http.request.uri.path wildcard \"*curl%20*\") or\n(http.request.uri.path wildcard \"*curl+*\") or\n(http.request.uri.path wildcard \"*fancyupload*\") or\n(http.request.uri.path wildcard \"*php.ini*\") or\n(http.request.uri.path wildcard \"*phpinfo*\") or\n(http.request.uri.path wildcard \"*phpsysinfo*\") or\n(http.request.uri.path wildcard \"*settings.local*\") or\n(http.request.uri.path wildcard \"*settings.prod*\") or\n(http.request.uri.path wildcard \"*wget%20*\") or\n(http.request.uri.path wildcard \"*wget+*\") or\n(http.request.uri.query contains \"%00\") or\n(http.request.uri.query contains \"%0A\") or\n(http.request.uri.query contains \"%0D\") or\n(http.request.uri.query contains \"%2e%2e\") or\n(http.request.uri.query contains \"..%2f\") or\n(http.request.uri.query contains \"..%5c\") or\n(http.request.uri.query contains \"../\") or\n(http.request.uri.query contains \"..\\\\\") or\n(http.request.uri.query contains \"squelette=../\") or\n(http.request.uri.query wildcard \"*auto_prepend_file*\") or\n(http.request.uri.query wildcard \"*crlfinjection*\") or\n(http.request.uri.query wildcard \"*curl%20*\") or\n(http.request.uri.query wildcard \"*curl+*\") or\n(http.request.uri.query wildcard \"*ed25519*\") or\n(http.request.uri.query wildcard \"*file://*\") or\n(http.request.uri.query wildcard \"*php://*\") or\n(http.request.uri.query wildcard \"*secrets.json*\") or\n(http.request.uri.query wildcard \"*set-cookie:*\") or\n(http.request.uri.query wildcard \"*wget%20*\") or\n(http.request.uri.query wildcard \"*wget+*\") or\n(http.user_agent wildcard \"*alittle client*\") or\n(http.user_agent wildcard \"*example.com*\") or\n(http.user_agent wildcard \"*php7.4-global*\") or\n(http.request.uri.query contains \")/*\") or \n(http.request.uri.query contains \")--\") or \n(http.request.uri.query contains \"benchmark(\") or \n(http.request.uri.query contains \"'0:0:20'\") or (\nhttp.request.uri.query contains \"MD5(\") or \n(http.request.uri.query contains \"%22\") or \n(http.request.uri.query contains \"%20/*\") or \n(http.request.uri.query contains \"%20--\") or \n(http.request.uri.query contains \"%20%23\") or \n(http.request.uri.query contains \")%23\") or (\nhttp.request.uri.query contains \"script\u003e\") or \n(http.request.uri.query contains \"%40\") or \n(http.request.uri.query contains \"%00\") or \n(http.request.uri.query contains \"\u003c?php\") or \n(http.request.uri.query contains \"0x00\") or \n(http.request.uri.query contains \"0x08\") or \n(http.request.uri.query contains \"0x09\") or \n(http.request.uri.query contains \"0x0a\") or \n(http.request.uri.query contains \"0x0d\") or \n(http.request.uri.query contains \"0x1a\") or \n(http.request.uri.query contains \"0x22\") or \n(http.request.uri.query contains \"0x25\") or \n(http.request.uri.query contains \"0x27\") or \n(http.request.uri.query contains \"0x5c\") or \n(http.request.uri.query contains \"0x5f\") or \n(http.request.uri.query contains \"0x50\") or \n(http.request.uri.query contains \"0x3e\") or \n(http.request.uri.query contains \"\u003cimg\") or \n(http.request.uri.query contains \"\u003cimage\") or \n(http.request.uri.query contains \"document.cookie\") or \n(http.request.uri.query contains \"onerror()\") or \n(http.request.uri.query contains \"alert(\") \n```\n\n### Part 5 – Deprecated browsers, etc.\n\nThis rule stops requests that look unsafe or very old. It blocks any request with a referer that has \"http://\" from another site, unless it is \"localhost\" or \"127.0.0.1\". It also blocks a specific upload URL on sefinek.net. It does not allow requests for any \".php\" files except \"clientarea.php\", and it blocks access to WordPress admin (\"wp-admin\") and includes (\"wp-includes\") folders. It also rejects requests from very old browsers and bots by checking for old versions of Chrome, Firefox, Internet Explorer, Android 8, Symbian, Mac OS X 10.9 and similar user‑agent strings.\n\n**Action:** Block\n\n```plaintext\n(\n  (http.referer contains \"http://\" and not http.referer contains \"localhost\" and not http.referer contains \"127.0.0.1\")\n  or (http.request.uri.path wildcard \"*.php*\" and not http.request.uri.path contains \"/clientarea.php\")\n  or (http.request.uri.path wildcard \"*/wp-admin*\")\n  or (http.request.uri.path wildcard \"*/wp-content*\")\n  or (http.request.uri.path wildcard \"*/wp-includes*\")\n  or (http.user_agent contains \"Windows NT 5\" and not http.user_agent contains \"(via ggpht.com GoogleImageProxy)\")\n  or (http.user_agent wildcard \"*android 8*\")\n\n  or (http.user_agent wildcard \"*chrome/101.*\")\n  or (http.user_agent wildcard \"*chrome/103.*\")\n  or (http.user_agent wildcard \"*chrome/104.*\")\n  or (http.user_agent wildcard \"*chrome/112.*\")\n  or (http.user_agent wildcard \"*chrome/113.*\")\n  or (http.user_agent wildcard \"*chrome/114.*\")\n  or (http.user_agent wildcard \"*chrome/118.*\")\n  or ((http.user_agent wildcard \"*chrome/119.*\") and ip.geoip.asnum ne 14618)\n  or (http.user_agent wildcard \"*chrome/120.*\")\n  or (http.user_agent wildcard \"*chrome/122.*\")\n  or (http.user_agent wildcard \"*chrome/17.*\")\n  or (http.user_agent wildcard \"*chrome/30.*\")\n  or (http.user_agent wildcard \"*chrome/31.*\")\n  or (http.user_agent wildcard \"*chrome/32.*\")\n  or (http.user_agent wildcard \"*chrome/33.*\")\n  or (http.user_agent wildcard \"*chrome/34.*\")\n  or (http.user_agent wildcard \"*chrome/35.*\")\n  or (http.user_agent wildcard \"*chrome/36.*\")\n  or (http.user_agent wildcard \"*chrome/37.*\")\n  or (http.user_agent wildcard \"*chrome/38.*\")\n  or (http.user_agent wildcard \"*chrome/39.*\")\n  or (http.user_agent wildcard \"*chrome/41.*\")\n  or (http.user_agent wildcard \"*chrome/42.*\")\n  or (http.user_agent wildcard \"*chrome/44.*\")\n  or (http.user_agent wildcard \"*chrome/48.*\")\n  or (http.user_agent wildcard \"*chrome/49.*\")\n  or (http.user_agent wildcard \"*chrome/52.*\")\n  or (http.user_agent wildcard \"*chrome/53.*\")\n  or (http.user_agent wildcard \"*chrome/58.*\")\n  or (http.user_agent wildcard \"*chrome/59.*\")\n  or (http.user_agent wildcard \"*chrome/60.*\")\n  or (http.user_agent wildcard \"*chrome/61.*\")\n  or (http.user_agent wildcard \"*chrome/62.*\")\n  or (http.user_agent wildcard \"*chrome/64.*\")\n  or (http.user_agent wildcard \"*chrome/65.*\")\n  or (http.user_agent wildcard \"*chrome/67.*\")\n  or (http.user_agent wildcard \"*chrome/68.*\")\n  or (http.user_agent wildcard \"*chrome/69.*\")\n  or (http.user_agent wildcard \"*chrome/71.*\")\n  or (http.user_agent wildcard \"*chrome/73.*\")\n  or ((http.user_agent wildcard \"*chrome/74.*\") and not http.user_agent contains \"Better Uptime Bot\")\n  or (http.user_agent wildcard \"*chrome/77.*\")\n  or (http.user_agent wildcard \"*chrome/78.*\")\n  or (http.user_agent wildcard \"*chrome/79.*\")\n  or (http.user_agent wildcard \"*chrome/80.*\")\n  or (http.user_agent wildcard \"*chrome/81.*\")\n  or (http.user_agent wildcard \"*chrome/83.*\")\n  or (http.user_agent wildcard \"*chrome/84.*\")\n  or (http.user_agent wildcard \"*chrome/85.*\")\n  or (http.user_agent wildcard \"*chrome/86.*\")\n  or (http.user_agent wildcard \"*chrome/87.*\")\n  or (http.user_agent wildcard \"*chrome/88.*\")\n  or (http.user_agent wildcard \"*chrome/89.*\")\n  or (http.user_agent wildcard \"*chrome/91.*\")\n  or (http.user_agent wildcard \"*chrome/92.*\")\n  or (http.user_agent wildcard \"*chrome/93.*\")\n  or (http.user_agent wildcard \"*chrome/94.*\")\n  or (http.user_agent wildcard \"*chrome/95.*\")\n  or (http.user_agent wildcard \"*chrome/96.*\")\n  or (http.user_agent wildcard \"*chrome/97.*\")\n  or (http.user_agent wildcard \"*chrome/98.*\")\n  or (http.user_agent wildcard \"*crios/121.*\")\n  or (http.user_agent wildcard \"*firefox/45.*\")\n  or (http.user_agent wildcard \"*firefox/52.*\")\n  or (http.user_agent wildcard \"*firefox/57.*\")\n  or (http.user_agent wildcard \"*firefox/62.*\")\n  or (http.user_agent wildcard \"*firefox/76.*\")\n  or (http.user_agent wildcard \"*html5plus*\")\n  or (http.user_agent wildcard \"*msie*\")\n  or (http.user_agent wildcard \"*netfront*\")\n  or (http.user_agent wildcard \"*symbianos*\")\n  or (http.user_agent wildcard \"*trident/*\")\n)\n```\n\n\u003ca id=\"step-2\"\u003e\u003c/a\u003e\n## STEP 2 – DDoS L7 Protection \u0026 Rate Limiting\n\nCloudflare has many settings you set yourself. In this guide, we turn on only the ones that protect your server from DDoS attacks. Remember, there are more ways to stop DDoS attacks.\n\n### 1: Creating DDoS L7 Ruleset\n\u003cimg width=\"1076\" height=\"556\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a900cc3c-37fb-4b34-9afe-02ff7136c74a\" /\u003e\n\n#### Security \u003e DDoS \u003e Deploy a DDoS override\n1. **Override name:** DDoS L7 ruleset\n2. **Ruleset action:** Block\n3. **Ruleset sensitivity:** Default\n\n### 2: Rate Limits\n\u003cimg width=\"1075\" height=\"561\" alt=\"image\" src=\"https://github.com/user-attachments/assets/53780bff-05d6-42a6-9822-b789bbec69c7\" /\u003e\n\n#### Security \u003e Rate limiting rules \u003e Create rule\n1. **Rule name:** Default rate limit\n2. Expression: `(http.request.uri.path eq \"/\")`\n   - **Field:** URI Path\n   - **Operator:** starts with\n   - **Value:** /\n3. When rate exceeds…\n   - **Requests:** 2 (protection against HTTP/2 Rapid Reset attack (CVE-2023-44487))\n   - **Period:** 10 seconds\n4. Then take action…\n   - **Choose action:** Block\n5. For duration…\n   - **Duration:** 10 seconds\n   \n\u003ca id=\"step-3\"\u003e\u003c/a\u003e\n## STEP 3 – Bot Management\n\nGo to **Security** \u003e **Bots**\n\n\u003cimg width=\"1040\" height=\"822\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9855f668-fd18-443b-bd08-b478016d55c3\" /\u003e\n\n\n1. **Bot Fight Mode** - off\n2. **Block AI Bots** - Block on all pages\n3. **AI Labyrinth** - on\n4. **Instruct AI bots to not scrape content** - off\n\n\u003ca id=\"step-4\"\u003e\u003c/a\u003e\n## STEP 4 – Security Headers\n\n1. From your domain dashboard, go to **Rules-** and navigate to **Transform Rules**.\n2. On the **Transform Rules page**, select **Modify Response Header**.\n3. Click the **Create rule button** to create a new rule.\n4. Give the rule a name; here, I will name mine **\"Security Header\"**.\n5. Since I need to apply this rule to **All incoming requests** to my website, I select the first option for the If… section.\n6. In the Then… section, I will use Set **static** to set up security headers for my site. Here, I will add **7 recommended security headers**:\n\n\u003cimg width=\"988\" height=\"610\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59dc56ff-29c6-48a4-a7e3-fbce86f02028\" /\u003e\n\n\n\n| Header name                    | Value                                                |\n|--------------------------------|------------------------------------------------------|\n| cross-origin-opener-policy     | same-origin-allow-popups                             |\n| cross-origin-resource-policy   | same-site                                            |\n| x-xss-protection               | 1; mode=block                                        |\n| strict-transport-security      | max-age=31536000; includeSubDomains; preload         |\n| referrer-policy                | no-referrer-when-downgrade                           |\n| content-security-policy        | upgrade-insecure-requests; block-all-mixed-content   |\n| permissions-policy             | accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=() |\n\nGo to [**securityheaders.com**](https://securityheaders.com/) securityheaders.com to check the result. Here is mine:\n\n\u003cimg width=\"1207\" height=\"315\" alt=\"image\" src=\"https://github.com/user-attachments/assets/75c54d43-f152-4447-9c58-59d68e9fbb91\" /\u003e\n\n\n\n\n## References\n\n- https://github.com/sefinek/Cloudflare-WAF-Expressions\n- https://github.com/V4NT-ORG/Cloudflare-Firewall?tab=readme-ov-file#free-plan\n- https://github.com/SocolSRT/cloudflare-rules/tree/main\n- https://webagencyhero.com/cloudflare-waf-rules-v3/\n- https://4sysops.com/archives/block-ai-scrapers-and-other-web-parasites-with-cloudflare/\n- https://algustionesa.com/security-headers/\n\n## [MIT License](LICENSE)\nCopyright 2025 © by 5ksana. All Rights Reserved.\n\n[![Buy me a coffee](https://img.shields.io/badge/Buy%20me%20a%20coffee-coff.ee-yellow)](https://coff.ee/bitcoinart)\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuybitart%2Fcloudflare-security-art","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuybitart%2Fcloudflare-security-art","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuybitart%2Fcloudflare-security-art/lists"}