{"id":22543273,"url":"https://github.com/sefinek/cloudflare-waf-expressions","last_synced_at":"2025-08-04T06:32:37.471Z","repository":{"id":108383183,"uuid":"586549548","full_name":"sefinek/Cloudflare-WAF-Expressions","owner":"sefinek","description":"Cloudflare WAF (Web Application Firewall) rules + a script for their automatic updates. Block unwanted and malicious requests to enhance the security of your origin server!","archived":false,"fork":false,"pushed_at":"2024-12-05T10:19:25.000Z","size":1077,"stargazers_count":35,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-05T11:29:20.823Z","etag":null,"topics":["antibot","antibots","cloudflare","cloudflare-expression","cloudflare-expressions","cloudflare-firewall","cloudflare-firewall-rules","cloudflare-waf","cloudflare-waf-expression","cloudflare-waf-expressions","cloudflare-waf-rules","express","expression","expressions","expressjs","nodejs","server","server-safety","server-security","waf"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sefinek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"sefinek","ko_fi":"sefinek","buy_me_a_coffee":"sefinek","patreon":"sefinek","custom":["https://www.paypal.me/sefinek24"]}},"created_at":"2023-01-08T14:38:53.000Z","updated_at":"2024-12-05T10:19:28.000Z","dependencies_parsed_at":"2024-03-15T01:58:11.110Z","dependency_job_id":"02661bf5-7eb4-47c8-aa44-4f7dde78ac1a","html_url":"https://github.com/sefinek/Cloudflare-WAF-Expressions","commit_stats":null,"previous_names":["sefinek/cloudflare-waf-expressions"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sefinek%2FCloudflare-WAF-Expressions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sefinek%2FCloudflare-WAF-Expressions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sefinek%2FCloudflare-WAF-Expressions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sefinek%2FCloudflare-WAF-Expressions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sefinek","download_url":"https://codeload.github.com/sefinek/Cloudflare-WAF-Expressions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228604605,"owners_count":17944281,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antibot","antibots","cloudflare","cloudflare-expression","cloudflare-expressions","cloudflare-firewall","cloudflare-firewall-rules","cloudflare-waf","cloudflare-waf-expression","cloudflare-waf-expressions","cloudflare-waf-rules","express","expression","expressions","expressjs","nodejs","server","server-safety","server-security","waf"],"created_at":"2024-12-07T13:15:35.965Z","updated_at":"2025-08-04T06:32:37.440Z","avatar_url":"https://github.com/sefinek.png","language":"JavaScript","funding_links":["https://github.com/sponsors/sefinek","https://ko-fi.com/sefinek","https://buymeacoffee.com/sefinek","https://patreon.com/sefinek","https://www.paypal.me/sefinek24"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\u003ch1\u003e☁️ Cloudflare Web Application Firewall Rules\u003c/h1\u003e\u003c/div\u003e\n\nBy using these WAF expressions, you can effectively block all unnecessary and potentially malicious requests targeting your origin server, thereby enhancing its security.\nIf you find this repository useful, I would greatly appreciate it if you could give it a **star** ⭐. Thank you!\n\n\u003e [!TIP]\n\u003e - Use a [dedicated script](#automatic-installation) to automatically update rules for each zone.\n\u003e - Do you want to report events from Cloudflare WAF to AbuseIPDB? See [Cloudflare-WAF-To-AbuseIPDB](https://github.com/sefinek/Cloudflare-WAF-To-AbuseIPDB).\n\u003e - Join my [Discord server](https://discord.gg/53DBjTuzgZ) if you need help or want to receive notifications about important updates.\n\n\u003cimg src=\"assets/images/brave_7GZjqAdswro2.png\" alt=\"Cloudflare Web Application Firewall [WAF] Rules\"\u003e \n\n\n## 🛡️ What Can This List Block?\n| **Part**                                                                                                                                   | **Description**                                                                                                                | **Action**        |\n|--------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|:------------------|\n| $ **[Part 1](https://github.com/sefinek/Cloudflare-WAF-Expressions/blob/main/markdown/expressions.md#part1)\u003cbr\u003eMain firewall (I)**         | Blocks data leaks, suspicious referrers, malicious and unusual URL paths, as well as empty or anomalous User-Agents.           | Block             |\n| $ **[Part 2](https://github.com/sefinek/Cloudflare-WAF-Expressions/blob/main/markdown/expressions.md#part2)\u003cbr\u003eMain firewall (II)**        | Blocks suspicious requests, exploits, path traversal, configuration file access attempts, and the use of CLI tools in URLs.    | Block             |\n| $ **[Part 3](https://github.com/sefinek/Cloudflare-WAF-Expressions/blob/main/markdown/expressions.md#part3)\u003cbr\u003eDeprecated browsers, etc.** | Enforces additional verification for outdated browsers, operating systems, and suspicious User-Agents.                         | Managed Challenge |\n| $ **[Part 4](https://github.com/sefinek/Cloudflare-WAF-Expressions/blob/main/markdown/expressions.md#part4)\u003cbr\u003eBlock unnecessary bots**    | Blocks unnecessary, harmful bots, scanners, and web scrapers.                                                                  | Block             |\n| $ **[Part 5](https://github.com/sefinek/Cloudflare-WAF-Expressions/blob/main/markdown/expressions.md#part5)\u003cbr\u003eBlock bots, ASNs and IPs**  | Blocks traffic from the Tor network, known malicious IP addresses, and autonomous systems (ASNs) linked to botnets or attacks. | Block             |\n\n\u003e [!IMPORTANT]  \n\u003e It is also recommended to **disable** the `Bot Fight Mode` feature in the `Security` tab.  \n\u003e Although this feature helps detect and block automated bot traffic, it can inadvertently block safe, legitimate bots as well, which is not our intention.\n\n\u003cdiv align=\"center\"\u003e\n   \u003ch3\u003e\u003e\u003e \u003ca href=\"markdown/expressions.md\"\u003eView Main Expressions\u003c/a\u003e \u003c\u003c\u003c/h3\u003e\n   \u003ch3\u003e\u003e\u003e \u003ca href=\"markdown/cache.md\"\u003eView Expressions for Caching\u003c/a\u003e \u003c\u003c\u003c/h3\u003e\n\u003c/div\u003e\n\n\n## ✅ Usage\n### Automatic (Recommended)\u003cdiv id=\"automatic-installation\"\u003e\u003c/div\u003e\nYou can use the JavaScript code from this repository to automatically update the rules throughout the day.  \nThere's no need to add them manually, as the script takes care of everything for you (:\n\n#### Requirements\n1. [Node.js LTS + npm](https://nodejs.org)\n2. [PM2](https://www.npmjs.com/package/pm2) (`npm i pm2 -g`)\n3. [Git](https://git-scm.com/downloads)\n4. Linux (also works on Windows Server)\n\n#### Tutorial (for Linux)\n1. Clone this repository:\n   ```bash\n   git clone https://github.com/sefinek/Cloudflare-WAF-Expressions.git cf-expressions\n   ```\n2. Install the necessary dependencies:\n   ```bash\n   cd cf-expressions \u0026\u0026 npm install\n   ```\n3. Copy the `.env.default` file and rename it to `.env`:\n   ```bash\n   cp .env.default .env\n   ```\n4. Open the `.env` file and ensure `NODE_ENV` is set to `production`. Paste your Cloudflare token in place of `CF_API_TOKEN`.\n   ```bash\n   nano .env\n   ```\n   ![brave_JDyTDLnUFonD.png](assets/images/brave_JDyTDLnUFonD.png)\n5. Run the script 24/7 using PM2:\n   ```bash\n   pm2 start \u0026\u0026 pm2 save\n   ```\n6. Configure PM2 to start on system boot:\n   ```bash\n   pm2 startup\n   ```\n   Then, execute the generated command from the output.\n\n### Manually\n1. Log in to your [Cloudflare](https://dash.cloudflare.com) account.\n2. Select the domain where you want to add the expressions.\n3. Click on the `Security` tab, then choose `WAF` from the dropdown menu.\n4. In the `Custom rules` tab, click the `Create rule` button.\n5. Copy the expressions from the [markdown/expressions.md](markdown/expressions.md) file.\n6. Click `Edit expression` and paste the copied expressions.\n7. Click `Deploy` to save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file.\n8. Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure your website functions correctly, and visit this repository periodically for the latest updates.\n\n\n## 🔥 DDoS Protection (Additional Security Measures)\nCloudflare offers many settings that need to be configured manually according to your preferences.\nIn this tutorial, we will enable only those that will safeguard your server from DDoS attacks.\nKeep in mind that there are many more measures available to mitigate DDoS attacks.\n\n### 1: Creating DDoS L7 Ruleset\n#### Security \u003e DDoS \u003e Deploy a DDoS override\n1. **Override name:** DDoS L7 ruleset\n2. **Ruleset action:** Block\n3. **Ruleset sensitivity:** Default\n\n### 2: Rate Limits\n#### Security \u003e Rate limiting rules \u003e Create rule\n1. **Rule name:** Default rate limit\n2. Expression: `(starts_with(http.request.uri.path, \"/\"))`\n   - **Field:** URI Path\n   - **Operator:** starts with\n   - **Value:** /\n3. When rate exceeds…\n   - **Requests:** 200 (you should adjust this value yourself based on your website's traffic)\n   - **Period:** 10 seconds\n4. Then take action…\n   - **Choose action:** Block\n5. For duration…\n   - **Duration:** 10 seconds\n\n### 3: Good to Know\n1. Make sure that your server's IP address has not been leaked.\n2. Your server should accept only requests coming from Cloudflare. Accessing your website directly, bypassing Cloudflare, should not be possible.\n3. Configure rate limits on your server to reduce its load during a DDoS attack.\n\n\n## 🤝 Pull requests\nIf you have any suggestions or improvements, feel free to open a [Pull request](https://github.com/sefinek/Cloudflare-WAF-Expressions/pulls).\nYour contribution will be appreciated and will help keep this list up-to-date and effective in combating the latest threats. Thank you!\n\n\n## 🔖 [MIT License](LICENSE)\nCopyright 2023-2025 © by Sefinek. All Rights Reserved.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsefinek%2Fcloudflare-waf-expressions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsefinek%2Fcloudflare-waf-expressions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsefinek%2Fcloudflare-waf-expressions/lists"}