By using these WAF expressions, you can effectively block most unnecessary and potentially malicious requests targeting your origin server, thereby enhancing its security. No Pro account or higher plan is required - everything works fine on the free Cloudflare plan. If you find this repository useful, I would greatly appreciate it if you could give it a star ⭐. Thank you!
Tip
- Use a dedicated script to automatically update rules for each zone.
- Want to report Cloudflare WAF events to a public abuse database? See Cloudflare-WAF-To-SniffCat.
- Join my Discord server if you need help or want to receive notifications about important updates.
The script supports SniffCat - a service that provides a dynamic list of known malicious IP addresses.
When SNIFFCAT_API_TOKEN is set, the script fetches IPs from the SniffCat API on every sync and merges them with the static rules/ip-blocklist.txt before uploading to Cloudflare Lists.
This significantly extends the IP blocklist without any manual effort.
The integration can be controlled via two optional environment variables:
SNIFFCAT_CONFIDENCE_MIN- minimum confidence level (0-100) required to include an IP. Default:78.SNIFFCAT_LIMIT- maximum number of IPs fetched per sync. Default:3000. Cloudflare allows up to 10,000 entries per list.
Without SNIFFCAT_API_TOKEN, the integration is skipped and only the static blocklist is used.
| Part (1-5) | Description | Action |
|---|---|---|
| 🔥 Part 1 - Suspicious paths & headers | Blocks data leaks, suspicious referrers, malicious and unusual URL paths, as well as empty or anomalous User-Agents. | Block |
| 🧨 Part 2 - Malicious extensions & injections | Blocks suspicious requests, exploits, path traversal, configuration file access attempts, and the use of CLI tools in URLs. | Block |
| 🤖 Part 3 - Unwanted bots | Blocks unnecessary, harmful bots, scanners, and web scrapers. | Block |
| 🦕 Part 4 - Ancient browsers & IP blocklist | Blocks traffic from the Tor network, known malicious IP addresses, ASNs linked to botnets, and very outdated browsers. | Block |
| 🗑️ Part 5 - Deprecated browsers & CMS | Enforces additional verification for outdated browsers (Chrome 73-122, Firefox 62-118), old OS versions, and CMS scanners. | Managed Challenge |
Important
It is recommended to disable Bot Fight Mode in the Security tab.
Part 3 already controls which bots are blocked. Bot Fight Mode runs in parallel and may conflict with your rules.
>> View Main Expressions <<
You can use the JavaScript code from this repository to automatically update the rules throughout the day.
There's no need to add them manually, as the script takes care of everything for you. 😉
- Node.js LTS + npm
- PM2 (
npm i pm2 -g) - Git
- Linux (also works on Windows Server)
- Clone this repository:
git clone https://github.com/sefinek/Cloudflare-WAF-Expressions.git cf-expressions
- Install the necessary dependencies:
cd cf-expressions && npm install
- Copy the
.env.defaultfile and rename it to.env:cp .env.default .env
- Open the
.envfile and configure the following variables:
Note
Rules are deployed as WAF custom rules via the Rulesets API. The legacy Firewall Rules API was deprecated on 2025-06-15 and no longer accepts modifications. An old token may stop working if you use User API Tokens. Migrating to Account API tokens is highly recommended.
- Set
CF_ACCOUNT_IDto your Cloudflare Account ID (32 characters, found in the URL:dash.cloudflare.com/<account_id>/configurations/lists) - required for IP list synchronization - Set
CF_IP_BLOCKLIST_NAMEto a custom name for the managed IP list, or leave the default (sefinek_cf_waf)
- Set
PHP_SUPPORTtotrueif your website uses PHP (removes the Managed Challenge rule for.phpfiles) - Set
WORDPRESS_SUPPORTtotrueif your website runs WordPress (removes the Managed Challenge rules for/wp-contentand/wp-includespaths so themes, plugins, CSS and images load correctly; also setPHP_SUPPORT=true) - Set
SNIFFCAT_API_TOKENto include dynamic malicious IPs from SniffCat (optional, but highly recommended)
nano .env- Run the script 24/7 using PM2:
pm2 start && pm2 save - Configure PM2 to start on system boot:
eval "$(pm2 startup | grep sudo)"
Caution
This method is not recommended. WAF expressions and IP blocklists should be kept up to date at all times to remain effective against new threats. Updating them manually is error-prone and easy to forget. Use the automatic method instead.
- Log in to your Cloudflare account.
- Select the domain where you want to add the expressions.
- Click on the
Securitytab, then chooseWAFfrom the dropdown menu. - In the
Custom rulestab, click theCreate rulebutton. - Copy the expressions from the rules/expressions.md file.
- Click
Edit expressionand paste the copied expressions. - Click
Deployto save the changes. Repeat this process for the remaining parts of the expressions, ensuring you select the appropriate action (Block or Managed Challenge) as specified in the file. - Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Make sure your website functions correctly, and visit this repository periodically for the latest updates.
Part 4 references a Cloudflare Custom IP List (ip.src in $sefinek_cf_waf). To set it up manually:
- Go to your Cloudflare dashboard and navigate to Manage account > Configurations > Lists.
- Click Create list, set the Identifier to
sefinek_cf_waf(cannot be changed later), and confirm. - Open the newly created list, add the IP addresses from
rules/ip-blocklist.txt, and save. - Part 4 will now block all IPs from that list.
Note
On the free Cloudflare plan, you can have only 1 custom IP list per account (up to 10,000 entries). Paid plans allow more. Remember to update it regularly as new entries are added to rules/ip-blocklist.txt. The automatic method handles this for you.
Cloudflare offers many settings that need to be configured manually according to your preferences. In this tutorial, we will enable only those that will safeguard your server from DDoS attacks. Keep in mind that there are many more measures available to mitigate DDoS attacks.
- Override name: DDoS L7 ruleset
- Ruleset action: Block
- Ruleset sensitivity: Default
- Rule name: Default rate limit
- Expression:
(starts_with(http.request.uri.path, "/"))- Field: URI Path
- Operator: starts with
- Value: /
- When rate exceeds…
- Requests: 200 (you should adjust this value yourself based on your website's traffic)
- Period: 10 seconds
- Then take action…
- Choose action: Block
- For duration…
- Duration: 10 seconds
- Make sure that your server's IP address has not been leaked.
- Your server should accept only requests coming from Cloudflare. Accessing your website directly, bypassing Cloudflare, should not be possible.
- Configure rate limits on your server to reduce its load during a DDoS attack.
To remove all WAF custom rules and the IP blocklist from Cloudflare (e.g. before a fresh install), run:
node data/tools/deleteWAFRules.jsThe script will list everything it found and ask for confirmation before deleting anything. It also clears the local rule ID cache (data/rule-ids.json).
Warning
This operation is irreversible! All custom WAF rules and the managed IP list will be permanently deleted from your Cloudflare account.
If you have any suggestions or improvements, feel free to open a Pull request. Your contribution will be appreciated and will help keep this list up-to-date and effective in combating the latest threats. Thank you!
Copyright © 2023-2026 Sefinek
![Cloudflare Web Application Firewall [WAF] Rules](/sefinek/Cloudflare-WAF-Expressions/raw/main/data/images/waf-custom-rules.png)

