Add an exception via API
To add a managed rules exception via API, create a rule with skip action in a phase entry point ruleset of the http_request_firewall_managed phase. You can define exceptions at the account level and at the zone level. Exceptions are also called skip rules.
To configure the exception, define the action_parameters object according to the exception type. Refer to the following examples:
- Skip all remaining rules
- Skip the Cloudflare Managed Ruleset
- Skip one or more rules of WAF managed rulesets
For more information on creating exceptions via API, refer to Create an exception in the Ruleset Engine documentation.
Examples
Skip all remaining rules
The following example adds a rule that skips all remaining rules in the entry point ruleset for requests matching the dev.example.com hostname.
Invoke the Get a zone entry point ruleset operation to obtain the current configuration of the entry point ruleset of the
http_request_firewall_managedphase.Request
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>"Example response
{"result": {"id": "060013b1eeb14c93b0dcd896537e0d2c", // entry point ruleset ID"name": "default","description": "","source": "firewall_managed","kind": "zone","version": "3","rules": [// (...)],"last_updated": "2024-01-20T14:29:00.190643Z","phase": "http_request_firewall_managed"},"success": true,"errors": [],"messages": []}Save the entry point ruleset ID (
...537e0d2c) for the next step.Invoke the Create a zone ruleset rule operation (a
POSTrequest) to add an exception (or skip rule) at the beginning of the rules list, since a skip rule applies only to rules listed after it. The exact rule location is defined in thepositionobject.Request
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{entry_point_ruleset_id}/rules" \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"expression": "(http.host eq \"dev.example.com\")","description": "Skip managed rules for dev.example.com","action": "skip","action_parameters": {"ruleset": "current"},"position": {"before": ""}}'
For more information on skipping all remaining rules via API, refer to Create an exception in the Ruleset Engine documentation.
Skip the Cloudflare Managed Ruleset
The following example adds a rule that skips the Cloudflare Managed Ruleset for requests matching the dev.example.com hostname.
Invoke the Get a zone entry point ruleset operation to obtain the current configuration of the entry point ruleset of the
http_request_firewall_managedphase.Request
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>"Example response
{"result": {"id": "060013b1eeb14c93b0dcd896537e0d2c", // entry point ruleset ID"name": "default","description": "","source": "firewall_managed","kind": "zone","version": "3","rules": [// (...){"id": "1bdb49371c1f46958fc8b985efcb79e7", // `execute` rule ID"version": "1","action": "execute","expression": "true","last_updated": "2024-01-20T14:21:28.643979Z","ref": "1bdb49371c1f46958fc8b985efcb79e7","enabled": true,"action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee", // "Cloudflare Managed Ruleset" ID"version": "latest"}},// (...)],"last_updated": "2024-01-20T14:29:00.190643Z","phase": "http_request_firewall_managed"},"success": true,"errors": [],"messages": []}Identify the rule deploying the Cloudflare Managed Ruleset by searching for an
executerule withaction_parameters>idequal to...376e9aee(the managed ruleset ID).Save the following IDs for the next step:
- The ID of the entry point ruleset (
...537e0d2cin this example) - The ID of the
executerule deployment the managed ruleset (...efcb79e7in this example)
- The ID of the entry point ruleset (
Invoke the Create a zone ruleset rule operation (a
POSTrequest) to add an exception (or skip rule) immediately before theexecuterule deploying the Cloudflare Managed Ruleset, since a skip rule applies only to rules listed after it. The exact rule location is defined in thepositionobject.Request
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{entry_point_ruleset_id}/rules" \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"expression": "(http.host eq \"dev.example.com\")","description": "Skip the Cloudflare Managed Ruleset for dev.example.com","action": "skip","action_parameters": {"rulesets": ["efb7b8c949ac4650a09736fc376e9aee"]},"position": {"before": "1bdb49371c1f46958fc8b985efcb79e7"}}'
For more information on skipping one or more managed rulesets via API, refer to Create an exception in the Ruleset Engine documentation.
Skip one or more rules of WAF managed rulesets
The following example adds a rule that skips a particular rule of the Cloudflare Managed Ruleset for requests matching the dev.example.com hostname.
Invoke the Get a zone ruleset operation to obtain a list of rules in the Cloudflare Managed Ruleset (ruleset ID
...376e9aee).
You can get the managed ruleset details using the account-level endpoint ( Get an account ruleset) or the zone-level endpoint ( Get a zone ruleset).Request
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/efb7b8c949ac4650a09736fc376e9aee \--header "Authorization: Bearer <API_TOKEN>"Example response
{"result": {"id": "efb7b8c949ac4650a09736fc376e9aee","name": "Cloudflare Managed Ruleset","description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives.","source": "firewall_managed","kind": "managed","version": "180","rules": [// (...){"id": "d9e350f1b72d4730899c8a420e48a85d", // ID of rule to skip"version": "180","action": "block","categories": ["file-inclusion","october-cms"],"description": "October CMS - File Inclusion","last_updated": "2024-02-05T07:12:54.565276Z","ref": "adb550873eb92d32372ed08514d33241","enabled": true},// (...)],"last_updated": "2024-02-05T07:12:54.565276Z","phase": "http_request_firewall_managed"},"success": true,"errors": [],"messages": []}Take note of the ID of the rule you want to skip (
...0e48a85din this example).Invoke the Get a zone entry point ruleset operation to obtain the current configuration of the entry point ruleset of the
http_request_firewall_managedphase.Request
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint \--header "Authorization: Bearer <API_TOKEN>"Example response
{"result": {"id": "060013b1eeb14c93b0dcd896537e0d2c", // entry point ruleset ID"name": "default","description": "","source": "firewall_managed","kind": "zone","version": "3","rules": [// (...){"id": "1bdb49371c1f46958fc8b985efcb79e7", // `execute` rule ID"version": "1","action": "execute","expression": "true","last_updated": "2024-01-20T14:21:28.643979Z","ref": "1bdb49371c1f46958fc8b985efcb79e7","enabled": true,"action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee", // "Cloudflare Managed Ruleset" ID"version": "latest"}},// (...)],"last_updated": "2024-01-20T14:29:00.190643Z","phase": "http_request_firewall_managed"},"success": true,"errors": [],"messages": []}Identify the rule deploying the Cloudflare Managed Ruleset by searching for an
executerule withaction_parameters>idequal to...376e9aee(the managed ruleset ID).Save the following IDs for the next step:
- The ID of the entry point ruleset (
...537e0d2cin this example) - The ID of the
executerule deploying the Cloudflare Managed Ruleset (...efcb79e7in this example)
You will also use the following IDs:
- The ID of the Cloudflare Managed Ruleset (
...376e9aee) - The ID of the rule to skip (
...0e48a85din this example)
- The ID of the entry point ruleset (
Invoke the Create a zone ruleset rule operation (a
POSTrequest) to add an exception (or skip rule) immediately before theexecuterule deploying the Cloudflare Managed Ruleset, since a skip rule applies only to rules listed after it.Request
curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{entry_point_ruleset_id}/rules" \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"expression": "(http.host eq \"dev.example.com\")","description": "Skip a single rule for dev.example.com","action": "skip","action_parameters": {"rules": {"efb7b8c949ac4650a09736fc376e9aee": ["d9e350f1b72d4730899c8a420e48a85d"]}},"position": {"before": "1bdb49371c1f46958fc8b985efcb79e7"}}'The
action_parameters>rulesobject contains the ID of the Cloudflare Managed Ruleset with an associated list of rule IDs to skip (in this case, only one rule). Thepositionobject defines the exact rule placement in the entry point ruleset (before rule...efcb79e7).
For more information on skipping one or more rules of managed rulesets via API, refer to Create an exception in the Ruleset Engine documentation.