---
title: Cloudflare Ruleset Engine
description: Create and deploy rules and rulesets across Cloudflare products using the Ruleset Engine's powerful syntax and high-performance evaluation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Ruleset Engine

The Cloudflare Ruleset Engine allows you to create and deploy rules and rulesets in different Cloudflare products using the same basic syntax.

## Main features

* **Powerful syntax**: Rule expressions use a powerful Rules language similar to the wirefilter syntax that allows you to create complex rules.
* **High-performance rule evaluation**: Allows you to have many rules in different Cloudflare products with almost no impact on performance.
* **Engine powering different Cloudflare products**: Cloudflare keeps building products on top of the Ruleset Engine, which means that you can use the same API methods for configuring different products, with the same customization possibilities. Additionally, the Ruleset Engine supports the different phases of the request life cycle at Cloudflare.

## Availability

The Ruleset Engine supports different Cloudflare products. Refer to [Phases list](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) and to each product's documentation for details.


---

---
title: About
description: The Cloudflare Ruleset Engine allows you to create and deploy rules and rulesets. The engine syntax, inspired by the Wireshark Display Filter language, is defined by the Rules language. Cloudflare uses the Ruleset Engine in different products, allowing you to configure several products using the same basic syntax.
image: https://developers.cloudflare.com/core-services-preview.png
---

# About

The Cloudflare Ruleset Engine allows you to create and deploy rules and rulesets. The engine syntax, inspired by the Wireshark Display Filter language, is defined by the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/). Cloudflare uses the Ruleset Engine in different products, allowing you to configure several products using the same basic syntax.

There are several elements involved in the configuration and use of the Ruleset Engine. These elements are:

* [**Phase**](https://developers.cloudflare.com/ruleset-engine/about/phases/): Defines a stage in the life of a request where you can execute rulesets.
* [**Ruleset**](https://developers.cloudflare.com/ruleset-engine/about/rulesets/): Defines a versioned set of rules. You deploy rulesets to a phase, where they execute.
* [**Rule**](https://developers.cloudflare.com/ruleset-engine/about/rules/): Defines a filter and an action to perform on incoming requests that match the filter expression. A rule with an `execute` action executes a ruleset.

---

## Get started

To view existing rulesets and their properties, refer to [View rulesets](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/).

For more information on deploying managed rulesets and defining overrides, refer to [Work with managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/).

For more information on creating and deploying custom rulesets, refer to [Work with custom rulesets](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/).


---

---
title: Phases
description: A phase defines a stage in the life of a request where you can execute rulesets. Phases are defined by Cloudflare and cannot be modified.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Phases

A phase defines a stage in the life of a request where you can execute [rulesets](https://developers.cloudflare.com/ruleset-engine/about/rulesets/). Phases are defined by Cloudflare and cannot be modified.

Phases exist at two levels:

* At the [account](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#accounts) level
* At the [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones) level

For the same phase, rules defined at the account level are evaluated before the rules defined at the zone level.

Each phase has at most one [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) at the account and zone level.

Note

Currently, phases at the account level are only available in Enterprise plans.

The following diagram outlines the request handling process where requests go through the available phases:

![Diagram showing the request handling process. The user request goes through several request phases until it eventually reaches the origin server \(the request can also be blocked\). The origin returns a response, which goes through several response phases until it reaches the user.](https://developers.cloudflare.com/_astro/rulesets-phases.D4jji4ui_ZDPPel.webp) 

Cloudflare products are specific to one or more phases, and they add support for different features. Check the documentation for each Cloudflare product for details on the applicable phases.

Refer to [Phases list](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) for a list of phases and their corresponding Cloudflare products.


---

---
title: Rules
description: A rule defines a filter and an action to perform on the incoming requests that match the filter.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Rules

A rule defines a filter and an action to perform on the incoming requests that match the filter.

* The rule [expression](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/), also called filter expression, defines the scope of the rule.
* The rule [action](https://developers.cloudflare.com/ruleset-engine/rules-language/actions/) defines what happens when there is a match for the expression.

Rule expressions are defined using the [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/).

For example, consider the following ruleset with four rules (R1, R2, R3, and R4). For a given incoming request, the expression of the first two rules matches the request properties. Therefore, the action for these rules runs (_Execute_ and _Log_, respectively). The action of the first rule executes a managed ruleset, which means that every rule in the managed ruleset is evaluated. The action of the second rule logs an event associated with the current phase. There is no match for the expressions of rules 3 and 4, so their actions do not run. Since no rule blocks the request, it proceeds to the next phase.

![Example of a rule execution scenario. Defines a ruleset with four rules, where the first rule executes a managed ruleset.](https://developers.cloudflare.com/_astro/rulesets-rules-example.BDy4co6D_19jiDY.webp) 

Rules can have additional features through specific Cloudflare products. You may have more fields available for rule expressions, perform different actions, or configure additional behavior in a given phase.

## Rule evaluation

When evaluating a rule, Cloudflare compares the values of request/response properties or derived values (obtained through [fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/)) to those defined in the rule's filter expression.

If the entire expression evaluates to `true`, there is a rule match and Cloudflare triggers the [action](https://developers.cloudflare.com/ruleset-engine/rules-language/actions/) configured in the rule. If the expression evaluates to `false`, the rule does not match and its configured action is not applied.

Generally speaking, for [non-terminating actions](https://developers.cloudflare.com/ruleset-engine/rules-language/actions/) the last change made by rules in the same [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) will win (later rules can overwrite changes done by previous rules). However, for terminating actions (_Block_, _Redirect_, or one of the challenge actions), rule evaluation will stop and the action will be executed immediately.

For example, if multiple rules with the _Redirect_ action match, Cloudflare will always use the URL redirect of the first rule that matches. Also, if you configure URL redirects using different Cloudflare products (Single Redirects and Bulk Redirects), the product executed first will apply, if there is a rule match (in this case, Single Redirects).

Refer to the [Phases list](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) for the product execution order.

When you use `true` as the rule filter expression, this means "apply the rule to every incoming request" at the current [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) level, which can be zone or account.

Notes

* A rule filter expression must evaluate to a boolean value (either `true` or `false`).
* Rules of specific Cloudflare products, such as [Transform Rules](https://developers.cloudflare.com/rules/transform/), may include other expressions used to specify dynamic values. These expressions do not have to evaluate to a boolean value.

### Field values during rule evaluation

While evaluating rules for a given request/response, the values of all request and response [fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/) are immutable within each phase. However, field values may change between phases.

For example:

* If a [URL rewrite rule](https://developers.cloudflare.com/rules/transform/url-rewrite/) #1 updates the URI path or the query string of a request, URL rewrite rule #2 will not take these earlier changes into consideration.
* If a [request header transform rule](https://developers.cloudflare.com/rules/transform/request-header-modification/) #1 sets the value of an HTTP request header, request header transform rule #2 will not be able to read or evaluate this new value.
* If a URL rewrite rule updates the URI path or query string of a request, the `http.request.uri`, `http.request.uri.*`, and `http.request.full_uri` fields will have a different value in phases after the `http_request_transform` phase (where URL Rewrite Rules are executed).

Note

If you want to use the original field values in rules evaluated later, you can use raw fields (for example, `raw.http.request.uri.path`) in their expressions. These special fields are immutable during the entire request evaluation workflow. For a list of raw fields, refer to the [Fields reference](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/?field-category=Raw+fields).
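The following is an added illustration, not Cloudflare code: a simplified Python model of the semantics described in this section (fields frozen within a phase, changes visible only to later phases, raw fields never changing, terminating actions stopping evaluation). Filter expressions are represented by Python callables, and the rules, rule names, and paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PATH = "http.request.uri.path"
RAW_PATH = "raw.http.request.uri.path"
# Subset of the terminating actions named in the text above.
TERMINATING = {"block", "redirect", "managed_challenge"}


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]    # stands in for the filter expression
    action: str                        # "rewrite", "log", "block", ...
    set_fields: Optional[dict] = None  # field changes made by a "rewrite"


def evaluate(phases, request_path):
    """Return (outcome, trace, final_fields) for one request."""
    fields = {PATH: request_path, RAW_PATH: request_path}
    trace = []
    for phase_name, rules in phases:
        snapshot = dict(fields)  # field values are fixed for the whole phase
        pending = {}
        for rule in rules:
            if not rule.matches(snapshot):
                continue
            trace.append((phase_name, rule.name, rule.action))
            if rule.action in TERMINATING:
                return rule.action, trace, fields  # evaluation stops here
            if rule.set_fields:
                pending.update(rule.set_fields)  # later rules overwrite earlier
        # Changes become visible only to later phases; raw fields never change.
        fields.update({k: v for k, v in pending.items()
                       if not k.startswith("raw.")})
    return "pass", trace, fields


# Constructed rules. The phase names appear on this page; their relative
# order here (transform before managed firewall) is part of the example.
PHASES = [
    ("http_request_transform", [
        Rule("rewrite-1", lambda f: f[PATH] == "/old-admin",
             "rewrite", {PATH: "/admin"}),
        # Would match only if it could see rewrite-1's result; it cannot.
        Rule("rewrite-2", lambda f: f[PATH] == "/admin",
             "rewrite", {PATH: "/admin/v2"}),
    ]),
    ("http_request_firewall_managed", [
        # The raw field still holds the path the client sent.
        Rule("log-original", lambda f: f[RAW_PATH] == "/old-admin", "log"),
        # The non-raw field now holds the rewritten path.
        Rule("block-admin", lambda f: f[PATH].startswith("/admin"), "block"),
        Rule("log-all", lambda f: True, "log"),
    ]),
]

if __name__ == "__main__":
    outcome, trace, fields = evaluate(PHASES, "/old-admin")
    print(outcome)
    for step in trace:
        print(step)
    print(fields)
```

A security rule written against `http.request.uri.path` in a later phase is matched against the rewritten path, so a rule meant to key on what the client actually sent needs the raw field.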


---

---
title: Rulesets
description: A ruleset is an ordered set of rules that you can apply to traffic on the Cloudflare global network. Rulesets belong to a phase and can only execute in the same phase. To deploy a ruleset to a phase, add a rule that executes the ruleset to the phase entry point ruleset.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Rulesets

A ruleset is an ordered set of [rules](https://developers.cloudflare.com/ruleset-engine/about/rules/) that you can apply to traffic on the Cloudflare global network. Rulesets belong to a phase and can only execute in the same phase. To deploy a ruleset to a phase, add a rule that executes the ruleset to the [phase entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset).

Rulesets are versioned. Each ruleset modification creates a new version of the ruleset. You can have several versions of a ruleset in use at the same time. When you deploy a ruleset — that is, when you create a rule that executes the ruleset — the most recent version of the ruleset is selected by default.

There are several types of rulesets:

* Phases have their entry point rulesets.
* Cloudflare provides managed rulesets you can deploy.
* You can create and manage your own custom rulesets.

Specific Cloudflare products may provide other types of rulesets.

## Entry point ruleset

An entry point ruleset contains a list of ordered [rules](https://developers.cloudflare.com/ruleset-engine/about/rules/) that run in a [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) at the account or zone level. This ruleset is an entry point for all rules executed in a phase. Some of these rules may run other rulesets.

Each phase has at most one entry point ruleset at the account level and at the zone level.

Note

The `kind` field of a phase entry point ruleset has one of the following values:

* `root` for a phase entry point ruleset at the account level
* `zone` for a phase entry point ruleset at the zone level

## Managed rulesets

Managed rulesets are preconfigured rulesets provided by Cloudflare that you can deploy to a phase. Only Cloudflare can modify these rulesets.

The rules in a managed ruleset have a default action and status. However, you can define **overrides** that change these defaults.

There are several Cloudflare products that provide you with managed rulesets. Check each product’s documentation for details on the available managed rulesets.

For more information on deploying managed rulesets and defining overrides, refer to [Work with managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/).

## Custom rulesets

Note

Currently, custom rulesets are only supported by the Cloudflare WAF.

Use custom rulesets to define your own sets of rules. After creating a custom ruleset, deploy it to a phase by creating a rule that executes the ruleset.

For more information on creating and deploying custom rulesets, refer to [Work with custom rulesets](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/).


---

---
title: Work with managed rulesets
description: Managed rulesets are preconfigured rulesets provided by Cloudflare that you can deploy. Only Cloudflare can modify these rulesets.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Work with managed rulesets

Managed rulesets are preconfigured rulesets provided by Cloudflare that you can deploy. Only Cloudflare can modify these rulesets.

The rules in a managed ruleset have a default configuration. However, you can define [overrides](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that change this default configuration.

Several Cloudflare products include managed rulesets:

* [Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/managed-rules/)
* [DDoS Protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/)
* [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/)

Check each product's documentation for details on the available managed rulesets.

## More resources

To view available managed rulesets, refer to [View rulesets](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/).

To deploy a managed ruleset to a phase, refer to [Deploy a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/deploy-managed-ruleset/).

To adjust the behavior of a managed ruleset, do one of the following:

* Customize the behavior of one or more rules by using [overrides](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).
* Skip one or more managed rules by adding [exceptions](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/).

Exceptions (only supported by the WAF) have priority over overrides.


---

---
title: Create an exception
description: Use exceptions to skip the execution of a managed ruleset or some of its rules.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Create an exception

Use [exceptions](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/) to skip the execution of a managed ruleset or some of its rules.

The exception configuration includes an [expression](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/) that defines the skip conditions, and the rules or managed rulesets to skip under those conditions.

If you are using Terraform, refer to [Configure exceptions](https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/#configure-exceptions) in the Terraform documentation.

If you are using the Cloudflare dashboard, refer to [Add an exception in the dashboard](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-dashboard/).

Note

Currently, only the [Cloudflare Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/) supports managed rules exceptions.

## Types of exceptions

An exception can have one of the following behaviors (from highest to lowest priority):

* [Skip all remaining rules in the entry point ruleset](#skip-all-remaining-rules)
* [Skip one or more managed rulesets](#skip-one-or-more-managed-rulesets)
* [Skip one or more rules of managed rulesets](#skip-one-or-more-rules-of-managed-rulesets)

You define exceptions in a given context — zone level or account level — and they apply only to that context. For example, if you define an exception that skips all remaining rules at the account level, the rules defined in the entry point ruleset at the zone level will still be evaluated.

If there is a match for the expressions of several exceptions, Cloudflare will consider the exception with the highest priority.

Exceptions only apply to rules executing a managed ruleset listed after them. If you add an exception at the end of the list of rules of an entry point ruleset, nothing will be skipped.

Additional requirement for account-level exceptions

Rules in entry point rulesets at the account level only apply to Enterprise zones. This also includes exceptions (or skip rules). When adding an exception at the account level, you must use parentheses to enclose any custom conditions in the rule expression and end the expression with `and cf.zone.plan eq "ENT"`, or else the API operation will fail.

### Skip all remaining rules

To skip all the remaining rules in the [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset), create a rule with `skip` action and include `"ruleset": "current"` in the `action_parameters` object.

Example of rule definition:

```json
{
  "expression": "<RULE_EXPRESSION>",
  "action": "skip",
  "action_parameters": {
    "ruleset": "current"
  }
}
```

Skipping all remaining rules only affects the rules in the current context (account or zone). For example, adding a rule with `skip` action to the account-level phase entry point ruleset has no impact on the rules defined in the zone-level phase entry point ruleset — these zone-level rules will still be evaluated.

For a full example, refer to the [WAF documentation](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-api/#skip-all-remaining-rules).

### Skip one or more managed rulesets

To skip one or more managed rulesets, create a rule with `skip` action containing a `rulesets` field in the `action_parameters` object. The `rulesets` field must contain a list of managed ruleset IDs you want to skip.

Example of rule definition:

```json
{
  "expression": "<RULE_EXPRESSION>",
  "action": "skip",
  "action_parameters": {
    "rulesets": ["<MANAGED_RULESET_1_ID>", "<MANAGED_RULESET_2_ID>"]
  }
}
```

For a full example, refer to the [WAF documentation](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-api/#skip-the-cloudflare-managed-ruleset).

### Skip one or more rules of managed rulesets

To skip one or more rules of managed rulesets, create a rule with `skip` action containing a `rules` object in the `action_parameters` object. The `rules` object must contain one or more managed ruleset IDs as keys, and a list of rules to skip in those managed rulesets as the value of each key.

Example of a rule definition that skips rules `A` and `B` of managed ruleset `1`, and rule `X` of managed ruleset `2`:

```json
{
  "expression": "<RULE_EXPRESSION>",
  "action": "skip",
  "action_parameters": {
    "rules": {
      "<MANAGED_RULESET_1_ID>": ["<RULE_A_ID>", "<RULE_B_ID>"],
      "<MANAGED_RULESET_2_ID>": ["<RULE_X_ID>"]
    }
  }
}
```

The rules in the `rules` object must belong to the specified managed rulesets, otherwise you will get an error.

For a full example, refer to the [WAF documentation](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-api/#skip-one-or-more-rules-of-waf-managed-rulesets).

---

## Additional notes

* Exceptions have priority over [overrides](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).
* If you define an exception that skips all remaining rules, the expressions of those rules are not evaluated.
* If you define an exception that skips a rule of a managed ruleset, the expression of the rule that executes the managed ruleset is evaluated and the managed ruleset rules are executed except for that specific rule, which is bypassed.
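Exceptions switch off managed protections, so they are worth reviewing whenever an entry point ruleset changes. The following added example (not Cloudflare tooling) audits the `skip` rules of an entry point ruleset definition against the statements on this page: ordering relative to `execute` rules, match-all expressions, and the account-level expression requirement. The sample ruleset, the finding codes, and the function names are constructed for the example, and the expression check is a plain string heuristic.

```python
import json

ENT_SUFFIX = 'and cf.zone.plan eq "ENT"'

# Constructed sample in the shape of an entry point ruleset definition.
# IDs are placeholders; expressions are illustrative.
SAMPLE = json.loads(r'''
{
  "kind": "root",
  "phase": "http_request_firewall_managed",
  "rules": [
    {"action": "skip",
     "expression": "(http.request.uri.path eq \"/health\") and cf.zone.plan eq \"ENT\"",
     "action_parameters": {"rules": {"<MANAGED_RULESET_1_ID>": ["<RULE_A_ID>"]}}},
    {"action": "execute",
     "expression": "cf.zone.plan eq \"ENT\"",
     "action_parameters": {"id": "<MANAGED_RULESET_1_ID>"}},
    {"action": "skip",
     "expression": "ip.src eq 203.0.113.10",
     "action_parameters": {"rulesets": ["<MANAGED_RULESET_1_ID>"]}},
    {"action": "execute",
     "expression": "cf.zone.plan eq \"ENT\"",
     "action_parameters": {"id": "<MANAGED_RULESET_2_ID>"}},
    {"action": "skip",
     "expression": "true",
     "action_parameters": {"ruleset": "current"}}
  ]
}
''')


def skip_targets(params):
    """Managed ruleset IDs a skip rule names (none for "ruleset": "current")."""
    if "rulesets" in params:
        return list(params["rulesets"])
    if "rules" in params:
        return list(params["rules"])  # keys are managed ruleset IDs
    return []


def account_expr_ok(expr):
    """Heuristic: '(<custom conditions>) and cf.zone.plan eq "ENT"'."""
    if not expr.endswith(ENT_SUFFIX):
        return False
    custom = expr[: -len(ENT_SUFFIX)].strip()
    return custom.startswith("(") and custom.endswith(")")


def audit_exceptions(ruleset):
    """Return a list of (rule_index, code, message) findings for skip rules."""
    findings = []
    rules = ruleset.get("rules", [])
    for idx, rule in enumerate(rules):
        if rule.get("action") != "skip":
            continue
        params = rule.get("action_parameters", {})
        expr = rule.get("expression", "").strip()
        # Managed rulesets executed by rules listed after this exception.
        later = {r.get("action_parameters", {}).get("id")
                 for r in rules[idx + 1:] if r.get("action") == "execute"}
        if not later:
            findings.append((idx, "NO_EFFECT",
                             "no execute rule follows; nothing is skipped"))
        else:
            missing = [t for t in skip_targets(params) if t not in later]
            if missing:
                findings.append((idx, "TARGET_NOT_AFTER",
                                 "not executed after this rule: %s" % missing))
        if expr == "true":
            findings.append((idx, "MATCH_ALL",
                             "exception applies to every incoming request"))
        if ruleset.get("kind") == "root" and not account_expr_ok(expr):
            findings.append((idx, "ACCOUNT_EXPR",
                             "account-level expression must end with "
                             + ENT_SUFFIX))
    return findings


if __name__ == "__main__":
    for finding in audit_exceptions(SAMPLE):
        print(finding)
```

`NO_EFFECT` and `TARGET_NOT_AFTER` usually indicate a misplaced exception, while `MATCH_ALL` placed before an `execute` rule disables the skipped protections for all traffic in that context.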


---

---
title: Deploy a managed ruleset
description: You can deploy a managed ruleset at the zone level or at the account level. To deploy a managed ruleset to a phase, use the Rulesets API.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Deploy a managed ruleset

You can deploy a managed ruleset at the zone level or at the account level. To deploy a managed ruleset to a phase, use the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/).

If you are using Terraform, refer to [WAF Managed Rules configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/) for more information.

If you are using the Cloudflare dashboard, refer to the following pages:

* [Deploy a WAF managed ruleset in the dashboard (zone)](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/)
* [Deploy a WAF managed ruleset in the dashboard (account)](https://developers.cloudflare.com/waf/account/managed-rulesets/deploy-dashboard/)

## Deploy a managed ruleset to a phase at the zone level

Use the following workflow to deploy a managed ruleset to a phase at the zone level.

1. Get your [zone ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).
2. Invoke the [List account rulesets](https://developers.cloudflare.com/api/resources/rulesets/methods/list/) operation to obtain the available managed rulesets. Managed rulesets exist at the account level, but you can deploy them to a zone. Find the ruleset ID of the managed ruleset you want to deploy.
3. Identify the [phase](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) where you want to deploy the managed ruleset. Ensure that the managed ruleset belongs to the same phase where you want to deploy it.
4. Add a rule to the zone-level phase [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) that executes the managed ruleset. Refer to the following example for details on this step.

### Example

The following example deploys the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) to the `http_request_firewall_managed` phase of a given zone (`$ZONE_ID`) by creating a rule that executes the managed ruleset.

1. Invoke the [Get a zone entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/) operation to obtain the definition of the entry point ruleset for the `http_request_firewall_managed` phase. You will need the [zone ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) for this task.  
Get a zone entry point ruleset  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```  
```  
{  
  "result": {  
    "description": "Zone-level phase entry point",  
    "id": "<RULESET_ID>",  
    "kind": "zone",  
    "last_updated": "2024-03-16T15:40:08.202335Z",  
    "name": "zone",  
    "phase": "http_request_firewall_managed",  
    "rules": [  
      // ...  
    ],  
    "source": "firewall_managed",  
    "version": "10"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Managed Ruleset (with ID `efb7b8c949ac4650a09736fc376e9aee`). By default, the rule will be added at the end of the list of rules already in the ruleset.  
Create a zone ruleset rule  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "action": "execute",  
    "action_parameters": {  
        "id": "efb7b8c949ac4650a09736fc376e9aee"  
    },  
    "expression": "true",  
    "description": "Execute the Cloudflare Managed Ruleset"  
  }'  
```  
```  
{  
  "result": {  
    "id": "<RULESET_ID>",  
    "name": "Zone-level phase entry point",  
    "description": "",  
    "kind": "zone",  
    "version": "11",  
    "rules": [  
      // ... any existing rules  
      {  
        "id": "<RULE_ID>",  
        "version": "1",  
        "action": "execute",  
        "action_parameters": {  
          "id": "efb7b8c949ac4650a09736fc376e9aee",  
          "version": "latest"  
        },  
        "expression": "true",  
        "description": "Execute the Cloudflare Managed Ruleset",  
        "last_updated": "2024-03-18T18:08:14.003361Z",  
        "ref": "<RULE_REF>",  
        "enabled": true  
      }  
    ],  
    "last_updated": "2024-03-18T18:08:14.003361Z",  
    "phase": "http_request_firewall_managed"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) operation. Include a single rule in the `rules` array that executes the Cloudflare Managed Ruleset (with ID `efb7b8c949ac4650a09736fc376e9aee`) for all incoming requests in the zone.  
Create a zone ruleset  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "My ruleset",  
    "description": "Entry point ruleset for WAF managed rulesets",  
    "kind": "zone",  
    "phase": "http_request_firewall_managed",  
    "rules": [  
        {  
            "action": "execute",  
            "action_parameters": {  
                "id": "efb7b8c949ac4650a09736fc376e9aee"  
            },  
            "expression": "true",  
            "description": "Execute the Cloudflare Managed Ruleset"  
        }  
    ]  
  }'  
```

In this example, the managed ruleset executes the behavior configured by Cloudflare. To customize the behavior of managed rulesets, refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).

## Deploy a managed ruleset to a phase at the account level

Use the following workflow to deploy a managed ruleset to a phase at the account level.

1. Get your [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).
2. Invoke the [List account rulesets](https://developers.cloudflare.com/api/resources/rulesets/methods/list/) operation to obtain the available managed rulesets. Find the ruleset ID of the managed ruleset you want to deploy.
3. Identify the [phase](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) where you want to deploy the managed ruleset. Ensure that the managed ruleset belongs to the same phase where you want to deploy it.
4. Add a rule to the account-level phase [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) that executes the managed ruleset. Use parentheses to enclose any custom conditions in the rule expression and end your expression with `and cf.zone.plan eq "ENT"` so that it only applies to zones on an Enterprise plan. Refer to the following example for details on this step.

### Example

The following example deploys the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) to the `http_request_firewall_managed` phase of a given account (`$ACCOUNT_ID`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed when the zone name matches one of `example.com` or `anotherexample.com`.

1. Invoke the [Get an account entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/) operation to obtain the definition of the entry point ruleset for the `http_request_firewall_managed` phase. You will need the [account ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) for this task.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Account WAF Write`  
   * `Account WAF Read`  
   * `Account Rulesets Read`  
   * `Account Rulesets Write`  
Get an account entry point ruleset  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```  
```  
{  
  "result": {  
    "description": "Account-level phase entry point",  
    "id": "<RULESET_ID>",  
    "kind": "root",  
    "last_updated": "2024-03-16T15:40:08.202335Z",  
    "name": "root",  
    "phase": "http_request_firewall_managed",  
    "rules": [  
      // ...  
    ],  
    "source": "firewall_managed",  
    "version": "10"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create an account ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/) operation to add an `execute` rule to the existing ruleset deploying the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID `efb7b8c949ac4650a09736fc376e9aee`). By default, the rule will be added at the end of the list of rules already in the ruleset.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Account WAF Write`  
   * `Account Rulesets Write`  
Create an account ruleset rule  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "action": "execute",  
    "action_parameters": {  
        "id": "efb7b8c949ac4650a09736fc376e9aee"  
    },  
    "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",  
    "description": "Execute the Cloudflare Managed Ruleset"  
  }'  
```  
```  
{  
  "result": {  
    "id": "<RULESET_ID>",  
    "name": "Account-level phase entry point",  
    "description": "",  
    "kind": "root",  
    "version": "11",  
    "rules": [  
      // ... any existing rules  
      {  
        "id": "<RULE_ID>",  
        "version": "1",  
        "action": "execute",  
        "action_parameters": {  
          "id": "efb7b8c949ac4650a09736fc376e9aee",  
          "version": "latest"  
        },  
        "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",  
        "description": "Execute the Cloudflare Managed Ruleset",  
        "last_updated": "2024-03-18T18:30:08.122758Z",  
        "ref": "<RULE_REF>",  
        "enabled": true  
      }  
    ],  
    "last_updated": "2024-03-18T18:30:08.122758Z",  
    "phase": "http_request_firewall_managed"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```  
Warning  
Managed rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"` or else the API operation will fail.
3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) operation. Include a single rule in the `rules` array that executes the Cloudflare Managed Ruleset (with ID `efb7b8c949ac4650a09736fc376e9aee`) for all incoming requests where the zone name matches one of `example.com` or `anotherexample.com`.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Account WAF Write`  
   * `Account Rulesets Write`  
Create an account ruleset  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "My ruleset",  
    "description": "Entry point ruleset for WAF managed rulesets",  
    "kind": "root",  
    "phase": "http_request_firewall_managed",  
    "rules": [  
        {  
            "action": "execute",  
            "action_parameters": {  
                "id": "efb7b8c949ac4650a09736fc376e9aee"  
            },  
            "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",  
            "description": "Execute the Cloudflare Managed Ruleset"  
        }  
    ]  
  }'  
```

In this example, the managed ruleset executes the behavior configured by Cloudflare. To learn how to customize the behavior of managed rulesets, refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).
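
The branch in steps 1 to 3 above, as an added sketch that is not part of Cloudflare's documentation or tooling: given the status code and body of the entry point `GET`, it builds the follow-up request and forms the account-level expression as described in step 4 of the workflow. The function names, the `RULESET_ID_PLACEHOLDER` and `ACCOUNT_ID_PLACEHOLDER` values, and the duplicate-rule check are assumptions of this example.

```python
import json

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_managed"
CLOUDFLARE_MANAGED_RULESET = "efb7b8c949ac4650a09736fc376e9aee"  # ID given on this page
ENT_SUFFIX = 'and cf.zone.plan eq "ENT"'


def account_expression(condition):
    """Enclose a custom condition in parentheses and append the Enterprise-plan check."""
    condition = condition.strip()
    if not condition:
        raise ValueError("empty condition")
    if condition.endswith(ENT_SUFFIX):
        return condition  # already ends with the required suffix
    return f"({condition}) {ENT_SUFFIX}"


def execute_rule(managed_ruleset_id, condition):
    """Build the execute rule used in both branches of the workflow."""
    return {
        "action": "execute",
        "action_parameters": {"id": managed_ruleset_id},
        "expression": account_expression(condition),
        "description": "Execute the Cloudflare Managed Ruleset",
    }


def plan_deployment(status, body, account_id, managed_ruleset_id, condition):
    """Return (method, url, payload) for the request that follows the entry point GET.

    Returns None when an identical execute rule is already present (a choice made
    in this sketch, not an API requirement).
    """
    rule = execute_rule(managed_ruleset_id, condition)
    base = f"{API}/accounts/{account_id}/rulesets"
    if status == 200:
        # Entry point exists: append one rule to it (step 2).
        result = json.loads(body)["result"]
        for existing in result.get("rules", []):
            same_target = existing.get("action_parameters", {}).get("id") == managed_ruleset_id
            if (existing.get("action") == "execute" and same_target
                    and existing.get("expression") == rule["expression"]):
                return None
        return ("POST", f"{base}/{result['id']}/rules", rule)
    if status == 404:
        # No entry point yet: create it with the rule inside (step 3).
        payload = {
            "name": "My ruleset",
            "description": "Entry point ruleset for WAF managed rulesets",
            "kind": "root",
            "phase": PHASE,
            "rules": [rule],
        }
        return ("POST", base, payload)
    raise RuntimeError(f"unexpected status {status} from the entry point GET")


if __name__ == "__main__":
    # Constructed GET response (placeholders, not real identifiers).
    sample = json.dumps({"result": {"id": "RULESET_ID_PLACEHOLDER", "rules": []}, "success": True})
    condition = 'cf.zone.name in {"example.com" "anotherexample.com"}'
    for status, body in ((200, sample), (404, "")):
        method, url, payload = plan_deployment(
            status, body, "ACCOUNT_ID_PLACEHOLDER", CLOUDFLARE_MANAGED_RULESET, condition)
        print(status, method, url)
        print(json.dumps(payload, indent=2))
```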

---

---
title: Override examples
description: The examples in the topics below use overrides to customize the behavior of managed rulesets:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Override examples

The examples in the topics below use overrides to customize the behavior of managed rulesets:

* [ Set WordPress rules to Block ](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/deploy-cmr-wordpress-block/)
* [ Enable only Joomla rules ](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/deploy-cmr-joomla-only/)
* [ Enable only selected rules ](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/enable-selected-rules/)
* [ Deploy a managed ruleset with ruleset, tag, and rule overrides ](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/override-ruleset-tag-rule/)
* [ Adjust the sensitivity of an HTTP DDoS rule to Low ](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/override-ddos-rule-sensitivity/)
* [ Adjust an L3/4 DDoS rule ](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/configure-api/#configure-an-override-for-the-network-layer-ddos-attack-protection-managed-ruleset)

## Related resources

For more information on overriding managed rulesets, refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).

---

---
title: Enable only Joomla rules
description: Use the Rulesets API to configure the execution of a managed ruleset and override its behavior. By default, enabled rules perform the actions defined by the managed ruleset issuer. This example uses overrides to ensure that only rules with a specific tag are enabled.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Enable only Joomla rules

Use the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/) to configure the execution of a managed ruleset and override its behavior. By default, enabled rules perform the actions defined by the managed ruleset issuer. This example uses overrides to ensure that only rules with a specific tag are enabled.

Follow the steps below to configure the execution of a managed ruleset with two overrides for enabling only the rules tagged with `joomla`.

1. [Add a rule](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/) to a phase entry point ruleset that executes a managed ruleset.
2. [Configure a ruleset override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that disables all rules in the managed ruleset.
3. Configure a tag override that enables only the rules with a given tag.

Tag overrides take precedence over ruleset overrides. Only the rules with the specified tag are enabled, and all other rules are disabled.

## Example 1

This example deploys the Cloudflare Managed Ruleset to a phase with only Joomla rules enabled. The `name`, `kind`, and `phase` fields are omitted from the request because they are immutable.

Example: Enable only Joomla rules using category overrides at the zone level

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "joomla",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

* `"id": "<MANAGED_RULESET_ID>"` adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for the specified zone (`$ZONE_ID`).
* `"enabled": false` defines an override at the ruleset level that disables all rules in the managed ruleset.
* `"categories": [{"category": "joomla", "action": "block", "enabled": true}]` defines an override at the tag level that enables the Joomla rules and sets their action to `block`.

Example: Enable only Joomla rules using category overrides at the account level

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "joomla",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

* `"id": "<MANAGED_RULESET_ID>"` adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for `example.com`.
* `"enabled": false` defines an override at the ruleset level that disables all rules in the managed ruleset.
* `"categories": [{"category": "joomla", "action": "block", "enabled": true}]` defines an override at the tag level that enables the Joomla rules and sets their action to `block`.

You can add more than one category override to a rule.

## Example 2

This example adds two overrides to the rule that executes a managed ruleset (`<MANAGED_RULESET_ID>`) in the `http_request_firewall_managed` phase. Note that the `name`, `kind`, and `phase` fields are omitted from the request because they are immutable.

Example: Add more than one category override at the zone level

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "joomla",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "wordpress",
                            "enabled": false
                        }
                    ]
                }
            }
        }
    ]
  }'
```

Example: Add more than one category override at the account level

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "joomla",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "wordpress",
                            "enabled": false
                        }
                    ]
                }
            }
        }
    ]
  }'
```

The order of the overrides in the ruleset determines if rules in the deployed managed ruleset are enabled or disabled. Overrides placed later in the list take precedence over earlier overrides.

Consider four rules from the managed ruleset in the code above that have different combinations of `category` tags. The following table shows the status of the rules after the overrides.

| Rule in managed ruleset | Tags                   | Rule status after overrides |
| ----------------------- | ---------------------- | --------------------------- |
| ManagedRule1            | drupal, dos            | Disabled                    |
| ManagedRule2            | drupal, dos, joomla    | Enabled                     |
| ManagedRule3            | dos, joomla, wordpress | Disabled                    |
| ManagedRule4            | drupal, wordpress      | Disabled                    |
| ManagedRule5            | (no tags)              | Disabled                    |
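
The table above can be reproduced by applying the overrides in order. The following is an added model of that evaluation, not Cloudflare's implementation: the ruleset override is applied first, then each matching tag override in list order. Applying rule overrides last and treating rules as enabled by default are assumptions of this sketch, and the function names are hypothetical.

```python
# Constructed sample: the five managed rules and their tags from the table above.
MANAGED_RULES = {
    "ManagedRule1": {"drupal", "dos"},
    "ManagedRule2": {"drupal", "dos", "joomla"},
    "ManagedRule3": {"dos", "joomla", "wordpress"},
    "ManagedRule4": {"drupal", "wordpress"},
    "ManagedRule5": set(),
}

# The "overrides" object sent in Example 2.
EXAMPLE_2 = {
    "enabled": False,
    "categories": [
        {"category": "joomla", "action": "log", "enabled": True},
        {"category": "wordpress", "enabled": False},
    ],
}


def resolve(rule_id, tags, overrides, default_enabled=True):
    """Return (enabled, action) for one managed rule; action None means issuer default.

    default_enabled=True is an assumption: a real managed rule has its own
    default state set by the ruleset issuer.
    """
    enabled, action = default_enabled, None
    layers = [overrides]  # ruleset-level override
    # Tag overrides in list order: a later matching entry overwrites an earlier one.
    layers += [c for c in overrides.get("categories", []) if c["category"] in tags]
    # Rule overrides applied last (assumption of this sketch).
    layers += [r for r in overrides.get("rules", []) if r["id"] == rule_id]
    for layer in layers:
        enabled = layer.get("enabled", enabled)
        action = layer.get("action", action)
    return enabled, action


def preview(overrides, rules=MANAGED_RULES):
    """Map each rule name to 'Enabled' or 'Disabled' under the given overrides."""
    return {
        name: "Enabled" if resolve(name, tags, overrides)[0] else "Disabled"
        for name, tags in rules.items()
    }


def newly_disabled(current, proposed, rules=MANAGED_RULES):
    """Rules that are enabled under `current` but would be switched off by `proposed`."""
    before, after = preview(current, rules), preview(proposed, rules)
    return sorted(n for n in rules if before[n] == "Enabled" and after[n] == "Disabled")


# Same overrides with the two category entries swapped.
REVERSED = dict(EXAMPLE_2, categories=list(reversed(EXAMPLE_2["categories"])))

if __name__ == "__main__":
    for name, status in preview(EXAMPLE_2).items():
        print(f"{name:14} {status}")
    # ManagedRule3 carries both tags, so its status depends on which entry comes last.
    print("ManagedRule3 with entries swapped:", preview(REVERSED)["ManagedRule3"])
    print("Disabled by moving 'wordpress' last:", newly_disabled(REVERSED, EXAMPLE_2))
```

Running `newly_disabled` against the overrides currently deployed before sending a `PUT` shows which rules a reordering or a new tag override would switch off.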

---

---
title: Set WordPress rules to Block
description: Follow the steps below to create a rule that executes a managed ruleset and defines an override for rules with a specific tag.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Set WordPress rules to Block

Follow the steps below to create a rule that executes a managed ruleset and defines an override for rules with a specific tag.

1. [Add a rule](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/) to a phase entry point ruleset that executes a managed ruleset.
2. [Configure a tag override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that sets a specified action for all rules with a given tag.

## Zone-level example

This example uses the [Update a zone entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to perform the following two steps in a single `PUT` request:

* Set the list of rules in the `http_request_firewall_managed` phase entry point ruleset to a single rule that executes the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/).
* Override rules with the `wordpress` tag to set the action to `block`. All other rules use the default action provided by the ruleset issuer.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "block"
                        }
                    ]
                }
            }
        }
    ]
  }'
```

## Account-level example

This example uses the [Update an account entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to perform the following two steps in a single `PUT` request:

* Set the list of rules in the `http_request_firewall_managed` phase entry point ruleset to a single rule that executes the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) for the zone `example.com`.
* Override rules with the `wordpress` tag to set the action to `block`. All other rules use the default action provided by the ruleset issuer.

Note

At the account level, the rule expression of an `execute` rule must end with `and cf.zone.plan eq "ENT"` so that it only applies to zones on an Enterprise plan.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "block"
                        }
                    ]
                }
            }
        }
    ]
  }'
```

---

---
title: Enable only selected rules
description: Use a ruleset override and a rule override in a phase entry point ruleset to execute only selected rules in a managed ruleset.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Enable only selected rules

Use a ruleset override and a rule override in a phase entry point ruleset to execute only selected rules in a managed ruleset.

1. [Add a rule](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/) to a phase entry point ruleset that executes a managed ruleset.
2. [Configure a ruleset override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that disables all rules in the managed ruleset.
3. [Configure a rule override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) to set an action for the rules you want to execute.

## Zone-level example

The following `PUT` request uses the [Update a zone entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to define a configuration that executes only two rules from a managed ruleset in the `http_request_firewall_managed` phase.

In this example:

* `"id": "<MANAGED_RULESET_ID>"` defines the managed ruleset to execute for requests in the specified zone (`$ZONE_ID`).
* `"enabled": false` defines an override at the ruleset level to disable all rules in the managed ruleset.
* `"rules": [{"id": "<RULE_ID_1>", "action": "block", "enabled": true}, {"id": "<RULE_ID_2>", "action": "log", "enabled": true}]` defines a list of overrides at the rule level to enable two individual rules.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "rules": [
                        {
                            "id": "<RULE_ID_1>",
                            "action": "block",
                            "enabled": true
                        },
                        {
                            "id": "<RULE_ID_2>",
                            "action": "log",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

## Account-level example

The following `PUT` request uses the [Update an account entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to define a configuration that executes only two rules from a managed ruleset in the `http_request_firewall_managed` phase.

In this example:

* `"id": "<MANAGED_RULESET_ID>"` defines the managed ruleset to execute for requests addressed to `example.com`.
* `"enabled": false` defines an override at the ruleset level to disable all rules in the managed ruleset.
* `"rules": [{"id": "<RULE_ID_1>", "action": "block", "enabled": true}, {"id": "<RULE_ID_2>", "action": "log", "enabled": true}]` defines a list of overrides at the rule level to enable two individual rules.

Note

At the account level, the rule expression of an `execute` rule must end with `and cf.zone.plan eq "ENT"` so that it only applies to zones on an Enterprise plan.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "rules": [
                        {
                            "id": "<RULE_ID_1>",
                            "action": "block",
                            "enabled": true
                        },
                        {
                            "id": "<RULE_ID_2>",
                            "action": "log",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

---

---
title: Adjust an L3/4 DDoS rule
image: https://developers.cloudflare.com/core-services-preview.png
---

# Adjust an L3/4 DDoS rule

---

---
title: Adjust the sensitivity of an HTTP DDoS rule to Low
description: Follow the steps below to override the sensitivity of a specific rule of the Cloudflare HTTP DDoS Attack Protection managed ruleset.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Adjust the sensitivity of an HTTP DDoS rule to Low

Follow the steps below to override the sensitivity of a specific rule of the Cloudflare HTTP DDoS Attack Protection managed ruleset.

1. [Add a rule](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/) to a phase to deploy the Cloudflare HTTP DDoS Attack Protection managed ruleset. You only need to deploy this specific ruleset when you wish to define one or more overrides, since it is enabled by default.
2. [Configure a rule override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that sets the `sensitivity_level` of a specific rule.

## Example

The following example uses the [Update a zone entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to execute the two steps in a single `PUT` request.

* Set the rules in the `ddos_l7` phase entry point ruleset to a single rule that executes the Cloudflare HTTP DDoS Attack Protection managed ruleset (with ID `<HTTP_DDOS_RULESET_ID>`).
* Create an override for the rule with ID `<RULE_ID>` and set the rule sensitivity to `low`. All other rules use the default sensitivity defined by Cloudflare.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/ddos_l7/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<HTTP_DDOS_RULESET_ID>",
                "overrides": {
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "sensitivity_level": "low"
                        }
                    ]
                }
            }
        }
    ]
  }'
```

---

---
title: Deploy a managed ruleset with ruleset, tag, and rule overrides
description: Customize the execution of managed rulesets with a combination of ruleset overrides, tag overrides, and rule overrides in your phase entry point ruleset.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Deploy a managed ruleset with ruleset, tag, and rule overrides

Customize the execution of managed rulesets with a combination of ruleset overrides, tag overrides, and rule overrides in your phase entry point ruleset.

1. [Add a rule](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/) to a phase entry point ruleset to execute a managed ruleset.
2. [Configure a ruleset override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that disables all rules in the managed ruleset.
3. [Configure a tag override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that sets an action for rules with a given tag.
4. [Configure a rule override](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) that sets an action for the rules you want to execute.

## Zone-level example

This example uses the [Update a zone entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to execute the following in a single `PUT` request:

* Add a rule to the `http_request_firewall_managed` phase entry point ruleset that executes a managed ruleset.
* Use category overrides to enable rules with `wordpress` and `drupal` tags and set their actions to `log`.
* Add a rule override that enables a single rule.

In this example:

* `"id": "<MANAGED_RULESET_ID>"` defines the managed ruleset to execute for requests addressed to a zone (`$ZONE_ID`).
* `"enabled": false` defines an override at the ruleset level to disable all rules in the managed ruleset.
* `"categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}]` defines an override at the tag level to enable rules tagged with `wordpress` or `drupal` and sets their action to `log`.
* `"rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}]` defines an override at the rule level that enables one individual rule and sets the action to `block`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "drupal",
                            "action": "log",
                            "enabled": true
                        }
                    ],
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

## Account-level example

This example uses the [Update an account entry point ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) operation to execute the following in a single `PUT` request:

* Add a rule to the `http_request_firewall_managed` phase entry point ruleset that executes a managed ruleset for the zone `example.com`.
* Use category overrides to enable rules with `wordpress` and `drupal` tags and set their actions to `log`.
* Add a rule override that enables a single rule.

In this example:

* `"id": "<MANAGED_RULESET_ID>"` defines the managed ruleset to execute for requests addressed to `example.com`.
* `"enabled": false` defines an override at the ruleset level to disable all rules in the managed ruleset.
* `"categories": [{"category": "wordpress", "action": "log", "enabled": true}, {"category": "drupal", "action": "log", "enabled": true}]` defines an override at the tag level to enable rules tagged with `wordpress` or `drupal` and sets their action to `log`.
* `"rules": [{"id": "<RULE_ID>", "action": "block", "enabled": true}]` defines an override at the rule level that enables one individual rule and sets the action to `block`.

Note

At the account level, the rule expression of an `execute` rule must end with `and cf.zone.plan eq "ENT"` so that it only applies to zones on an Enterprise plan.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "enabled": false,
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "log",
                            "enabled": true
                        },
                        {
                            "category": "drupal",
                            "action": "log",
                            "enabled": true
                        }
                    ],
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "action": "block",
                            "enabled": true
                        }
                    ]
                }
            }
        }
    ]
  }'
```

---

---
title: Override a managed ruleset
description: To customize the behavior of a managed ruleset via API, override the ruleset at deployment. When you override a ruleset you specify changes to be executed on top of the default configuration. These changes take precedence over the ruleset's default behavior.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Override a managed ruleset

To customize the behavior of a managed ruleset via API, override the ruleset at deployment. When you override a ruleset you specify changes to be executed on top of the default configuration. These changes take precedence over the ruleset's default behavior.

For example, to test a managed ruleset before enforcing it, consider executing the ruleset with all rules set to `log` instead of their default actions. To do this, override the configured behavior of the managed ruleset at the ruleset level, so that each rule uses the `log` action.

If you are using Terraform, refer to the following pages:

* [WAF Managed Rules configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/#configure-overrides)
* [DDoS managed rulesets configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/)

To define overrides in the Cloudflare dashboard, refer to the following resources:

* [Configure a WAF managed ruleset in the dashboard](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset)
* [Configure HTTP DDoS Attack Protection in the dashboard](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/configure-dashboard/)
* [Configure Network-layer DDoS Attack Protection in the dashboard](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/configure-dashboard/)

## Work with overrides

You can override a ruleset at three levels:

* **Ruleset overrides** apply to all rules in the executed ruleset.
* **Tag overrides** apply to all rules with a specific tag. For example, use a tag override to customize the Cloudflare Managed Ruleset so all rules with the `wordpress` tag are set to _Block_. If multiple tags have overrides and a given rule has more than one of these tags, the order of the tag overrides determines the behavior: for rules tagged with multiple overridden tags, the last tag's overrides apply.
* **Rule overrides** apply to specific rules in a managed ruleset, referenced by their Rule ID.

More specific overrides take precedence over more general ones: rule overrides take precedence over tag overrides, which take precedence over ruleset overrides.

Important

Ruleset overrides and tag overrides apply to both existing and _future_ rules in the managed ruleset. If you want to override existing rules only, you must use rule overrides.

To apply an override for a managed ruleset:

1. Use one of the [update ruleset operations](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) to update your phase entry point ruleset.
2. Specify the `overrides` in the `action_parameters` of the rule that executes your managed ruleset.

```
"action_parameters": {
  "id": "<RULESET_ID>",
  "overrides": {
    // ruleset overrides
    "property-to-modify": "value",
    "property-to-modify": "value",
    // tag overrides
    "categories": [
      {
        "category": "<TAG_NAME>",
        "property-to-modify": "value",
        "property-to-modify": "value"
      }
    ],
    // rule overrides
    "rules": [
      {
        "id": "<RULE_ID>",
        "property-to-modify": "value",
        "property-to-modify": "value"
      }
    ]
  }
}
```

You can override the following rule properties:

* `"action"`
* `"enabled"`

Some managed rulesets may have additional override requirements, or they may allow you to override other rule properties. Check each Cloudflare product’s documentation for details.

Important

It is **not recommended** that you enable all the rules in a managed ruleset at the account level using an override, since this change could affect all the zones in your account. Some rules are disabled by default, since they could eventually affect legitimate traffic, and should not be enabled across zones without previous consideration.
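The precedence rules in this section can be previewed offline before sending a `PUT`. The following is an added example, not Cloudflare's code: it resolves the effective `action` and `enabled` of each rule under ruleset, tag, and rule overrides, and lists rules that are disabled by default but would be switched on. The rule IDs, default values, and function names are constructed, and it assumes overrides are layered per property (a layer changes only the properties it sets).

```python
"""Preview the effective settings of managed-ruleset rules under overrides."""

# Properties the page lists as overridable for every managed ruleset.
OVERRIDABLE = ("action", "enabled")


def effective_rule(rule, overrides):
    """Return the rule's effective action/enabled and which layer set each.

    Assumption: overrides are layered per property, so a layer changes only
    the properties it sets and leaves the rest as decided by earlier layers.
    """
    result = {prop: rule[prop] for prop in OVERRIDABLE}
    source = {prop: "default" for prop in OVERRIDABLE}

    def apply(layer, label):
        for prop in OVERRIDABLE:
            if prop in layer:
                result[prop] = layer[prop]
                source[prop] = label

    # 1. Ruleset override: most general, applies to every rule.
    apply(overrides, "ruleset")

    # 2. Tag overrides, walked in list order so the last matching tag wins.
    for tag_override in overrides.get("categories", []):
        if tag_override["category"] in rule.get("categories", []):
            apply(tag_override, "tag:" + tag_override["category"])

    # 3. Rule overrides: most specific, matched by rule ID.
    for rule_override in overrides.get("rules", []):
        if rule_override["id"] == rule["id"]:
            apply(rule_override, "rule")

    return {"id": rule["id"], **result, "source": source}


def newly_enabled(rules, overrides):
    """IDs of rules that are off by default but on once overrides apply."""
    return [
        rule["id"]
        for rule in rules
        if not rule["enabled"] and effective_rule(rule, overrides)["enabled"]
    ]


# Constructed stand-in for the rules of a managed ruleset (IDs, tags and
# default values are made up for this example).
MANAGED_RULES = [
    {"id": "rule-a", "action": "block", "enabled": True,
     "categories": ["wordpress"]},
    {"id": "rule-b", "action": "block", "enabled": False,
     "categories": ["drupal", "wordpress"]},
    {"id": "rule-c", "action": "managed_challenge", "enabled": True,
     "categories": ["php"]},
    {"id": "rule-d", "action": "log", "enabled": True,
     "categories": ["joomla"]},
]

# Same shape as the "overrides" object of an execute rule. The two tag
# overrides use different actions so that their order is visible.
OVERRIDES = {
    "enabled": False,
    "categories": [
        {"category": "wordpress", "action": "log", "enabled": True},
        {"category": "drupal", "action": "block", "enabled": True},
    ],
    "rules": [{"id": "rule-c", "action": "block", "enabled": True}],
}

if __name__ == "__main__":
    for managed_rule in MANAGED_RULES:
        eff = effective_rule(managed_rule, OVERRIDES)
        print(f"{eff['id']}: action={eff['action']} ({eff['source']['action']}), "
              f"enabled={eff['enabled']} ({eff['source']['enabled']})")
    print("off by default, now enabled:", newly_enabled(MANAGED_RULES, OVERRIDES))
```

Because ruleset and tag overrides also apply to future rules, rerun a preview like this against the current rule list whenever the managed ruleset is updated.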

## Examples

### Rule override example

The following `PUT` request adds a rule that executes a managed ruleset in the `http_request_firewall_managed` phase at the zone level, and defines a rule override to enable rule `<RULE_ID>` and set its action to `log`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "description": "Deploy managed ruleset, enabling a specific rule with log action",
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "rules": [
                        {
                            "id": "<RULE_ID>",
                            "enabled": true,
                            "action": "log"
                        }
                    ]
                }
            }
        }
    ]
  }'
```

### Ruleset override example

The following `PUT` request adds a rule that executes a managed ruleset in the `http_request_firewall_managed` phase at the account level, and defines a ruleset override that sets the action to `log` for all (enabled) rules.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "description": "Deploy managed ruleset for example.com, overriding the rules action to log",
    "rules": [
        {
            "action": "execute",
            "expression": "(cf.zone.name eq \"example.com\") and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "action": "log"
                }
            }
        }
    ]
  }'
```

## More resources

For additional examples of configuring overrides via API, refer to [Override examples](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/).

---

---
title: Work with custom rulesets
description: Use the following workflow to deploy a custom ruleset:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Work with custom rulesets

Use the following workflow to deploy a custom ruleset:

1. [Create a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/create-custom-ruleset/), optionally providing a list of rules to include in the custom ruleset.
2. (Optional) [Add rules to your custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/add-rules-ruleset/).
3. [Deploy the custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/deploy-custom-ruleset/) by adding an `execute` rule to a phase entry point ruleset. If you skip this step, the rules of the custom ruleset will not run.

Currently, custom rulesets are only supported by the [Cloudflare WAF](https://developers.cloudflare.com/waf/), both at the account and the zone level.

Note

You cannot execute a custom ruleset from another custom ruleset, only from an [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset).

## Change the behavior of a custom ruleset

To modify custom ruleset behavior, Cloudflare recommends [creating a new custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/create-custom-ruleset/) or [editing the custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/add-rules-ruleset/) instead of using overrides.

---

---
title: Add rules to a custom ruleset
description: To add rules to an existing custom ruleset, use the Update an account or zone ruleset operation and pass the rules in an array. Each rule has an expression and an action.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Add rules to a custom ruleset

To add rules to an existing custom ruleset, use the [Update an account or zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/update/) operation and pass the rules in an array. Each rule has an expression and an action.

Choose the appropriate API method

The [Update an account or zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/update/) operation replaces all the rules in the ruleset with the rules in the request. Use this API operation when you need to add or update several rules at once. This operation updates the ruleset version number only once.

Depending on the update you want to perform, consider using one of the following API operations instead:

* Add a single rule to an existing custom ruleset: Use the [Create an account or zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/) operation. Refer to [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) for an example.
* Update a single rule in a custom ruleset: Use the [Update an account or zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/edit/) operation. Refer to [Update a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/) for an example.

If you are using Terraform, refer to [WAF custom rules configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/waf-custom-rules/#create-and-deploy-a-custom-ruleset) for examples of creating and deploying custom rulesets.

If you are using the Cloudflare dashboard, refer to [Work with custom rulesets in the dashboard](https://developers.cloudflare.com/waf/account/custom-rulesets/create-dashboard/).

## Add rules

The following request adds two rules to a custom ruleset at the account level with ID `$RULESET_ID`. These will be the only two rules in the ruleset.

The response will include the rule ID of the new rules in the `id` field.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
            "action": "challenge",
            "description": "challenge GB and FR based on bot score"
        },
        {
            "expression": "not http.request.uri.path matches \"^/api/.*$\"",
            "action": "challenge",
            "description": "challenge not /api"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<CUSTOM_RULESET_ID>",
    "name": "Custom Ruleset 1",
    "kind": "custom",
    "version": "2",
    "rules": [
      {
        "id": "<CUSTOM_RULE_ID_1>",
        "version": "1",
        "action": "challenge",
        "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
        "description": "challenge GB and FR based on bot score",
        "last_updated": "2021-03-18T18:25:08.122758Z",
        "ref": "<CUSTOM_RULE_REF_1>",
        "enabled": true
      },
      {
        "id": "<CUSTOM_RULE_ID_2>",
        "version": "1",
        "action": "challenge",
        "expression": "not http.request.uri.path matches \"^/api/.*$\"",
        "description": "challenge not /api",
        "last_updated": "2021-03-18T18:25:08.122758Z",
        "ref": "<CUSTOM_RULE_REF_2>",
        "enabled": true
      }
    ],
    "last_updated": "2021-03-18T18:25:08.122758Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Update rules

To update one or more rules in a custom ruleset, use the [Update an account or zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/update/) operation. Include the ID of the rules you want to modify in the rules array and add the fields you wish to update. The request replaces the entire ruleset with a new version. Therefore, you must include the ID of all the rules you wish to keep.

The following `PUT` request edits one rule in a custom ruleset at the account level and updates the execution order of the rules.

The response will include the modified custom ruleset. Note that the updated rule and ruleset version number increment.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "id": "<CUSTOM_RULE_ID_2>",
            "expression": "not http.request.uri.path matches \"^/api/.*$\"",
            "action": "js_challenge",
            "description": "js_challenge when not /api"
        },
        {
            "id": "<CUSTOM_RULE_ID_1>"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<CUSTOM_RULESET_ID>",
    "name": "Custom Ruleset 1",
    "kind": "custom",
    "version": "3",
    "rules": [
      {
        "id": "<CUSTOM_RULE_ID_2>",
        "version": "2",
        "action": "js_challenge",
        "expression": "not http.request.uri.path matches \"^/api/.*$\"",
        "description": "js_challenge when not /api",
        "last_updated": "2021-03-18T18:30:08.122758Z",
        "ref": "<CUSTOM_RULE_ID_2>",
        "enabled": true
      },
      {
        "id": "<CUSTOM_RULE_ID_1>",
        "version": "1",
        "action": "challenge",
        "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
        "description": "challenge GB and FR based on bot score",
        "last_updated": "2021-03-18T18:25:08.122758Z",
        "ref": "<CUSTOM_RULE_ID_1>",
        "enabled": true
      }
    ],
    "last_updated": "2021-03-18T18:30:08.122758Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Warning

The request above completely replaces the list of rules in the ruleset. If you omit an existing rule from the `rules` array, it will not appear in the new version of the ruleset.
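Because the `PUT` replaces the whole rule list, it is worth building the request body from the ruleset as it currently exists and refusing to send it if a rule would disappear by accident. The following is an added example, not part of the Cloudflare documentation: the function names, the `DroppedRuleError` class and the sample rule IDs are assumptions made for illustration.

```python
import json

# Constructed sample: the "result" object returned when fetching the custom
# ruleset, cut down to the fields used here. The rule IDs are placeholders.
CURRENT_RULESET = {
    "id": "<CUSTOM_RULESET_ID>",
    "version": "2",
    "rules": [
        {"id": "rule-1", "action": "challenge",
         "description": "challenge GB and FR based on bot score"},
        {"id": "rule-2", "action": "challenge",
         "description": "challenge not /api"},
        {"id": "rule-3", "action": "block",
         "description": "constructed third rule"},
    ],
}


class DroppedRuleError(ValueError):
    """Raised when a PUT body would silently delete an existing rule."""


def build_update_payload(current, changes, order=None, remove=()):
    """Build the body of the ruleset PUT request.

    current: the ruleset as fetched before the change.
    changes: {rule_id: {field: new_value}} for the rules being edited.
    order:   rule IDs in the new execution order (default: current order).
    remove:  rule IDs that are meant to be deleted by this update.
    """
    existing = [rule["id"] for rule in current.get("rules", [])]
    remove = set(remove)
    if order is None:
        order = [rid for rid in existing if rid not in remove]
    order = list(order)

    unknown = (set(changes) | set(order) | remove) - set(existing)
    if unknown:
        raise KeyError(f"not in the current ruleset: {sorted(unknown)}")
    if len(order) != len(set(order)):
        raise ValueError("a rule ID appears more than once in 'order'")
    if remove & (set(order) | set(changes)):
        raise ValueError("a rule cannot be removed and kept or edited")

    # Any rule that is neither listed nor explicitly removed would vanish
    # from the new ruleset version, so stop before sending the request.
    dropped = set(existing) - set(order) - remove
    if dropped:
        raise DroppedRuleError(f"update would delete: {sorted(dropped)}")

    rules = []
    for rid in order:
        entry = {"id": rid}  # an ID on its own keeps the rule unchanged
        for field, value in changes.get(rid, {}).items():
            if field != "id":
                entry[field] = value
        rules.append(entry)
    return {"rules": rules}


def dropped_rules(before, after):
    """Rule IDs present before the update but missing from the response."""
    after_ids = {rule["id"] for rule in after.get("rules", [])}
    return [r["id"] for r in before.get("rules", []) if r["id"] not in after_ids]


if __name__ == "__main__":
    body = build_update_payload(
        CURRENT_RULESET,
        {"rule-2": {"action": "js_challenge"}},
        order=["rule-2", "rule-1", "rule-3"],
    )
    print(json.dumps(body, indent=2))
```

Running `dropped_rules` on the ruleset fetched before the update and on the `result` object of the `PUT` response confirms after the fact that the new version still contains every rule you meant to keep.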

---

---
title: Create a custom ruleset
description: Use the Create an account or zone ruleset operation to create a custom ruleset, making sure that you:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Create a custom ruleset

Use the [Create an account or zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) operation to create a custom ruleset, making sure that you:

* Set the `kind` field to `custom`.
* Specify the name of the [phase](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) where you want to create the custom ruleset in the `phase` field.

You can also specify the list of rules to include in the custom ruleset in the `rules` array. To add rules after creating the custom ruleset, refer to [Add rules to a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/add-rules-ruleset/).

If you are using Terraform, refer to [WAF custom rules configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/waf-custom-rules/#create-and-deploy-a-custom-ruleset) for examples of creating and deploying custom rulesets.

If you are using the Cloudflare dashboard, refer to [Work with custom rulesets in the dashboard](https://developers.cloudflare.com/waf/account/custom-rulesets/create-dashboard/).

Note

Currently, zone-level custom rulesets are only available in the [http\_request\_firewall\_custom](https://developers.cloudflare.com/waf/custom-rules/custom-rulesets/#deploy-a-custom-ruleset-via-api) phase.

## Example A - Custom ruleset at the account level

The following request creates a new custom ruleset at the account level. The response will include the ID of the new custom ruleset in the `id` field.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Custom Ruleset 1",
    "description": "My First Custom Ruleset (account)",
    "kind": "custom",
    "phase": "http_request_firewall_custom"
  }'
```

```
{
  "result": {
    "id": "f82ccda3d21f4a02825d3fe45b5e1c10",
    "name": "Custom Ruleset 1",
    "description": "My First Custom Ruleset (account)",
    "kind": "custom",
    "version": "1",
    "last_updated": "2025-08-09T10:27:30.636197Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

You can include a list of rules in the custom ruleset creation request. If you have not added any rules, refer to [Add rules to a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/add-rules-ruleset/) for more information.

## Example B - Custom ruleset at the zone level

The following request creates a new custom ruleset at the zone level. The response will include the ID of the new custom ruleset in the `id` field.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create a zone ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Custom Ruleset 1",
    "description": "My First Custom Ruleset (zone)",
    "kind": "custom",
    "phase": "http_request_firewall_custom"
  }'
```

```
{
  "result": {
    "id": "f82ccda3d21f4a02825d3fe45b5e1c10",
    "name": "Custom Ruleset 1",
    "description": "My First Custom Ruleset (zone)",
    "kind": "custom",
    "version": "1",
    "last_updated": "2025-08-09T10:27:30.636197Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

You can include a list of rules in the custom ruleset creation request. If you have not added any rules, refer to [Add rules to a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/add-rules-ruleset/) for more information.

Note

Currently, zone-level custom rulesets are only available in the [http\_request\_firewall\_custom](https://developers.cloudflare.com/waf/custom-rules/custom-rulesets/#deploy-a-custom-ruleset-via-api) phase.

---

---
title: Deploy a custom ruleset
description: Learn how to deploy a custom ruleset to your Cloudflare account.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Deploy a custom ruleset

To deploy a custom ruleset, add a rule with `execute` action to the list of rules of a phase [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) at the account or zone level. The expression of the new rule will define when the custom ruleset will run.

You can only deploy custom rulesets in an entry point ruleset with the same scope. For example, a custom ruleset defined at the account level can only be deployed at the account level.

If you are using Terraform, refer to [WAF custom rules configuration using Terraform](https://developers.cloudflare.com/terraform/additional-configurations/waf-custom-rules/#create-and-deploy-a-custom-ruleset) for examples of creating and deploying custom rulesets.

If you are using the Cloudflare dashboard, refer to [Work with custom rulesets in the dashboard](https://developers.cloudflare.com/waf/account/custom-rulesets/create-dashboard/).

Note

Currently, zone-level custom rulesets are only available in the [http\_request\_firewall\_custom](https://developers.cloudflare.com/waf/custom-rules/custom-rulesets/#deploy-a-custom-ruleset-via-api) phase.

## Before you begin

1. Obtain the name of the [phase](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) where you want to deploy the custom ruleset.
2. [Create a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/create-custom-ruleset/) and keep the ID of the new custom ruleset.
3. [Fetch the rules already present in the phase entry point ruleset](https://developers.cloudflare.com/ruleset-engine/basic-operations/view-rulesets/#view-the-rules-included-in-a-ruleset). You must include in the `PUT` request all existing rules you want to keep.

## Example A - Account-level deployment

The following `PUT` request adds a rule that executes a custom ruleset when the zone name matches `example.com`.

In the `PUT` request, you must include the IDs of all existing rules you want to keep. The response will include all the rules in the phase entry point ruleset after the update.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_custom/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "description": "Execute custom ruleset",
            "expression": "(cf.zone.name == \"example.com\") and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<CUSTOM_RULESET_ID>"
            }
        },
        {
            "id": "<EXISTING_PHASE_RULE_ID_1>"
        },
        {
            "id": "<EXISTING_PHASE_RULE_ID_2>"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<ACCOUNT_PHASE_RULESET_ID>",
    "name": "http_request_firewall_custom phase entry point ruleset for my account",
    "description": "Execute several rulesets",
    "kind": "root",
    "version": "3",
    "rules": [
      {
        "id": "<PHASE_RULE_ID>",
        "version": "1",
        "action": "execute",
        "description": "Execute custom ruleset",
        "action_parameters": {
          "id": "<CUSTOM_RULESET_ID>",
          "version": "latest"
        },
        "expression": "(cf.zone.name == \"example.com\") and cf.zone.plan eq \"ENT\"",
        "last_updated": "2021-03-18T18:35:14.135697Z",
        "ref": "<PHASE_RULE_REF>",
        "enabled": true
      },
      {
        "id": "<EXISTING_PHASE_RULE_ID_1>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "<EXECUTED_RULESET_ID_1>",
          "version": "latest"
        },
        "expression": "(cf.zone.name eq \"example.com\") and cf.zone.plan eq \"ENT\"",
        "last_updated": "2021-03-16T15:51:49.180378Z",
        "ref": "<EXISTING_PHASE_RULE_REF_1>",
        "enabled": true
      },
      {
        "id": "<EXISTING_PHASE_RULE_ID_2>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "<EXECUTED_RULESET_ID_2>",
          "version": "latest"
        },
        "expression": "(cf.zone.name eq \"example.com\") and cf.zone.plan eq \"ENT\"",
        "last_updated": "2021-03-16T15:50:29.861157Z",
        "ref": "<EXISTING_PHASE_RULE_REF_2>",
        "enabled": true
      }
    ],
    "last_updated": "2021-03-18T18:35:14.135697Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Warning

When deploying the custom ruleset at the account level, you must use parentheses to enclose any custom conditions and end your expression with `and cf.zone.plan eq "ENT"` like in the example above, or else the API operation will fail.
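The parentheses in that requirement also decide the scope of the deployment: `and` binds more tightly than `or` in the Rules language, so an unparenthesized `A or B and cf.zone.plan eq "ENT"` applies the plan check to `B` only. The following added example, which is not part of the Cloudflare documentation, checks an account-level expression before it is sent and builds the `execute` rule; all function names are assumptions, and the scanner only understands ordinary double-quoted strings with backslash escapes, not other string literal forms.

```python
ENT_SUFFIX = ' and cf.zone.plan eq "ENT"'


def closing_paren_index(text):
    """Index of the ")" that closes the "(" at text[0], or -1 if none.

    Parentheses inside double-quoted strings are ignored.
    """
    if not text.startswith("("):
        return -1
    depth = 0
    in_string = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def lint_account_expression(expression):
    """Return a list of problems; an empty list means the form is correct."""
    expression = expression.strip()
    if not expression.endswith(ENT_SUFFIX):
        return ['expression does not end with: and cf.zone.plan eq "ENT"']
    conditions = expression[: -len(ENT_SUFFIX)].rstrip()
    end = closing_paren_index(conditions)
    if end == -1 or end != len(conditions) - 1:
        return ["custom conditions are not enclosed in one pair of parentheses"]
    return []


def account_execute_rule(ruleset_id, conditions, description="Execute custom ruleset"):
    """Wrap the conditions, append the plan check and build the execute rule."""
    expression = f"({conditions.strip()}){ENT_SUFFIX}"
    problems = lint_account_expression(expression)
    if problems:
        # Reached when the conditions contain unbalanced parentheses that
        # would break out of the wrapping pair.
        raise ValueError("; ".join(problems))
    return {
        "action": "execute",
        "description": description,
        "expression": expression,
        "action_parameters": {"id": ruleset_id},
    }


def entrypoint_put_body(new_rule, existing_rules):
    """New rule first, then every existing rule referenced by ID only."""
    return {"rules": [new_rule] + [{"id": r["id"]} for r in existing_rules]}


if __name__ == "__main__":
    # Constructed inputs: the first uses the correct form, the second has two
    # parenthesized groups joined by "or", so the plan check covers only one.
    for expr in (
        '(cf.zone.name == "example.com") and cf.zone.plan eq "ENT"',
        '(cf.zone.name eq "a.com") or (cf.zone.name eq "b.com") and cf.zone.plan eq "ENT"',
    ):
        print(expr, "->", lint_account_expression(expr) or "ok")
```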

## Example B - Zone-level deployment

The following `PUT` request adds a rule to a zone-level entry point ruleset that executes a custom ruleset with ID `"<CUSTOM_RULESET_ID>"` for requests targeting the `/login` URI path.

You must include in the `PUT` request the IDs of all existing rules you want to keep. The response will include all the rules in the phase entry point ruleset after the update.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "description": "Execute custom ruleset (zone)",
            "expression": "(http.request.uri.path eq \"/login\")",
            "action_parameters": {
                "id": "<CUSTOM_RULESET_ID>"
            }
        },
        {
            "id": "<EXISTING_PHASE_RULE_ID_1>"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<ZONE_PHASE_RULESET_ID>",
    "name": "http_request_firewall_custom phase entry point ruleset for my zone",
    "description": "",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "<PHASE_RULE_ID>",
        "version": "1",
        "action": "execute",
        "description": "Execute custom ruleset (zone)",
        "action_parameters": {
          "id": "<CUSTOM_RULESET_ID>",
          "version": "latest"
        },
        "expression": "(http.request.uri.path eq \"/login\")",
        "last_updated": "2025-08-18T18:35:14.135697Z",
        "ref": "<PHASE_RULE_REF>",
        "enabled": true
      },
      {
        "id": "<EXISTING_PHASE_RULE_ID_1>",
        "version": "1",
        "action": "managed_challenge",
        "expression": "(cf.waf.score lt 20 and http.request.uri.path wildcard \"/admin/*\")",
        "last_updated": "2025-08-16T15:51:49.180378Z",
        "ref": "<EXISTING_PHASE_RULE_REF_1>",
        "enabled": true
      }
    ],
    "last_updated": "2025-08-18T18:35:14.135697Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Note

Currently, zone-level custom rulesets are only available in the [http\_request\_firewall\_custom](https://developers.cloudflare.com/waf/custom-rules/custom-rulesets/#deploy-a-custom-ruleset-via-api) phase.

---

---
title: Rules language
description: The Cloudflare Rules language is a flexible and intuitive specification for building rule expressions. Based on the widely known Wireshark display filters, the Rules language allows you to precisely target HTTP requests with a syntax and semantics familiar to security engineers.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Rules language

The Cloudflare Rules language is a flexible and intuitive specification for building rule expressions. Based on the widely known [Wireshark display filters ↗](https://www.wireshark.org/docs/wsug%5Fhtml%5Fchunked/ChWorkBuildDisplayFilterSection.html), the Rules language allows you to precisely target HTTP requests with a syntax and semantics familiar to security engineers.

Refer to the following pages for more information about the available language elements:

* [ Expressions ](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/)
* [ Operators and grouping symbols ](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/)
* [ Values ](https://developers.cloudflare.com/ruleset-engine/rules-language/values/)
* [ Actions ](https://developers.cloudflare.com/ruleset-engine/rules-language/actions/)
* [ Fields ](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/)
* [ Functions ](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/)

---

---
title: Actions
description: Learn about actions supported by the Rules language, including Block, Skip, and Log.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Actions

The action of a rule tells Cloudflare how to handle matches for the rule [expression](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/).

## Supported actions

The table below lists the actions available in the Rules language.

Some actions like _Block_, called terminating actions, will stop the evaluation of the remaining rules. The _Skip_ action will skip the evaluation of _some_ rules when there is a match, but the exact behavior will depend on the rule configuration.

The available actions depend on the [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) where you are configuring the rule. Refer to each product’s documentation for details on the phase(s) supported by that product.

| Action | Description | Terminating action? |
| --- | --- | --- |
| **Non-Interactive Challenge** API value: js\_challenge | Useful for ensuring that bots and spam cannot access the requested resource; browsers, however, are free to satisfy the challenge automatically. The client that made the request must pass a non-interactive Cloudflare challenge before proceeding. If successful, Cloudflare accepts the matched request; otherwise, it is blocked. | Yes |
| **Managed Challenge** API value: managed\_challenge | Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from the following actions based on specific criteria: Show a non-interactive challenge page. Show a custom interactive challenge (such as click a button). | Yes |
| **Interactive Challenge** API value: challenge | Useful for ensuring that the visitor accessing the site is human, not automated. The client that made the request must pass an interactive challenge. If successful, Cloudflare accepts the matched request; otherwise, it is blocked. | Yes |
| **Block** API value: block | Matching requests are denied access to the site. Depending on the Cloudflare product performing the block action, the HTTP status code can be [403](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/4xx-client-error/error-403/#cloudflare-specific-information) (most security features) or [429](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/4xx-client-error/error-429/#website-end-users) (for example, rate limiting rules). Customers on paid plans can customize the HTML error page displayed to website visitors due to the block action. Refer to [Error Pages](https://developers.cloudflare.com/rules/custom-errors/#error-pages) for more information. Customers in Pro plans and above can customize the response (HTML, JSON, XML, or plain text) and the response status code for each [custom rule](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/#configure-a-custom-response-for-blocked-requests) or [rate limiting rule](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/#configure-a-custom-response-for-blocked-requests) that triggers a block action. | Yes |
| **Skip** API value: skip | Allows users to dynamically skip one or more security features or products for a request. Depending on the rule configuration, matching requests will skip the evaluation of one or more security features or products: skip all remaining rules in the current ruleset; skip all remaining rules in the current phase (zone-level only option); skip rulesets; skip rules of a ruleset; skip phases; skip specific security products that are not based on the Ruleset Engine. The available skip options depend on the phase where you configure the rule. Refer to each product’s documentation for details. If you configure a rule with the _Skip_ action at the account level it will only affect rules/phases configured at the account level, not at the zone level. To skip rules/phases at the zone level you must configure a rule with the _Skip_ action at the zone level. | No (but some rules may be skipped) |
| **Log** API value: log | Records matching requests in the Cloudflare Logs. Only available on Enterprise plans. Recommended for validating rules before committing to a more severe action. | No |
| **Execute** API value: execute | Executes the rules in the ruleset specified in the rule configuration. You can specify a managed ruleset or a custom ruleset to execute. In the Cloudflare dashboard, this action is not listed in action selection dropdowns. | No |
| **Rewrite** API value: rewrite | Rewrites the request (or response) by adjusting the URI path, query string, and/or HTTP request/response headers, according to the rule configuration. Only available in: (1) [Transform Rules](https://developers.cloudflare.com/rules/transform/), in phases http\_request\_transform, http\_request\_late\_transform, and http\_response\_headers\_transform. In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, create a Transform Rule. (2) WAF custom rules checking for [exposed credentials](https://developers.cloudflare.com/waf/managed-rules/check-for-exposed-credentials/), in the http\_request\_firewall\_custom phase at the account level. In the Cloudflare dashboard, this action is called _Exposed-Credential-Check Header_. | No |
| **Redirect**API value: redirect                       | Navigates the user from a source URL to a target URL, according to the rule configuration, by replying with an HTTP redirect.Only available for [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) and [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/).In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, create a redirect rule or a bulk redirect rule.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Yes                               |
| **Route**API value: route                             | Adjusts the Host header, Server Name Indication (SNI), resolved hostname, and/or resolved destination port of incoming requests.Only available for [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/), in the http\_request\_origin phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, create an origin rule.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | No                                |
| **Set Configuration**API value: set\_config           | Changes the configuration settings of one or more Cloudflare products.Only available for [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/), in the http\_config\_settings phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, [create a Configuration Rule](https://developers.cloudflare.com/rules/configuration-rules/create-dashboard/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | No                                |
| **Compress Response**API value: compress\_response    | Defines compression settings for delivering responses to website visitors.Only available for [Compression Rules](https://developers.cloudflare.com/rules/compression-rules/), in the http\_response\_compression phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, [create a compression rule](https://developers.cloudflare.com/rules/compression-rules/create-dashboard/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | No                                |
| **Set Cache Settings**API value: set\_cache\_settings | Cache Rules allows you to customize cache settings on Cloudflare.Only available for [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/), in the http\_request\_cache\_settings phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, [create a cache rule](https://developers.cloudflare.com/cache/how-to/cache-rules/create-dashboard/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | No                                |
| **Serve Error**API value: serve\_error                | Serves error content to the website visitor, according to the custom error rule configuration.Only available for [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/#custom-error-rules), in the http\_custom\_errors phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, [create a custom error rule](https://developers.cloudflare.com/rules/custom-errors/create-rules/#create-a-custom-error-rule-dashboard).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Yes                               |
| **Log custom field**API value: log\_custom\_field     | Configures custom fields for Logpush jobs in a zone.Only available for [custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/), in the http\_log\_custom\_fields phase.In the Cloudflare dashboard, this action is not listed in action selection dropdowns. To use this action, [configure custom log fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/#enable-custom-fields-via-dashboard) for Logpush jobs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Yes                               |

Note

Cloudflare Firewall Rules, now deprecated, supports a different set of actions, including the _Allow_ and _Bypass_ actions. Refer to [Firewall rules actions](https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/) for more information.


---

---
title: Expressions
description: The Rules language supports two kinds of expressions: simple and compound.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Expressions

The Rules language supports two kinds of expressions: simple and compound.

## Simple expressions

**Simple expressions** compare a value from an HTTP request to a value defined in the expression. For example, this simple expression matches Microsoft Exchange Autodiscover requests:

```
http.request.uri.path matches "/autodiscover\.(xml|src)$"
```

Simple expressions have the following syntax:

```
<field> <comparison_operator> <value>
```

Where:

* [Fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/) specify properties associated with an HTTP request.
* [Comparison operators](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) define how values must relate to actual request data for an expression to return `true`.
* [Values](https://developers.cloudflare.com/ruleset-engine/rules-language/values/) represent the data associated with fields. When evaluating a rule, Cloudflare compares these values with the actual data obtained from the request.

## Compound expressions

**Compound expressions** use [logical operators](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#logical-operators) such as `and` to combine two or more expressions into a single expression.

For example, this expression uses the `and` operator to target requests to `www.example.com` that are not on ports 80 or 443:

```
http.host eq "www.example.com" and not cf.edge.server_port in {80 443}
```

Compound expressions have the following general syntax:

```
<expression> <logical_operator> <expression>
```

Compound expressions allow you to generate sophisticated, highly targeted rules.

## Maximum rule expression length

The maximum length of a rule expression is 4,096 characters.

This limit applies whether you use the visual [Expression Builder](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) to define your expression, or write the expression manually in the [Expression Editor](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor).

## Additional features

You can also use the following Rules language features in your expressions:

* [Grouping symbols](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#grouping-symbols) allow you to explicitly group expressions that should be evaluated together.
* [Functions](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/) allow you to manipulate and validate values in expressions.


---

---
title: Edit expressions in the dashboard
description: Edit expressions in the Cloudflare dashboard using the Expression Builder, which allows for a visual approach, or using the Expression Editor, in which you type the expression.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Edit expressions in the dashboard

In the Cloudflare dashboard, there are two options for editing [expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/):

* [Expression Builder](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder): Allows you to create expressions using drop-down lists, emphasizing a visual approach to defining an expression.
* [Expression Editor](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor): A text-only interface that supports advanced features, such as grouping symbols and functions for transforming and validating values.

In general, you can switch back and forth between the Expression Builder and the Expression Editor. However, the Expression Builder does not support advanced features like:

* [Nested expressions](#create-nested-expressions)
* [Function calls](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/)

The builder may also not show all the fields you can use in the expression you are editing.

If you use advanced expression features or enter unlisted fields in your expression when using the editor, you may not be able to switch to the Expression Builder. You will get a warning popup stating that the expression is not supported in the builder. To proceed, you may discard any changes made in the editor, or cancel the switch and continue working in the editor.

## Expression Builder

The Expression Builder allows you to visually create rule expressions by using drop-down lists and entering field values to define one or multiple sub-expressions.

![The Expression Builder interface used to visually define expressions](https://developers.cloudflare.com/_astro/expression-builder.Cg2aqK5m_gwrLy.webp) 

The **Expression Preview** displays the expression in text:

```
(ip.src.country ne "GB")
```

The Expression Builder will [automatically escape](#escape-special-characters) the backslash (`\`) and double quote (`"`) special characters in string literals when using the [quoted string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#quoted-string-syntax).

## Expression Editor

The **Expression Editor** is a text-only interface for defining rule expressions that supports the entire specification of Cloudflare's [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/), including parentheses as grouping symbols.

![The Expression Editor used to enter advanced expressions](https://developers.cloudflare.com/_astro/expression-editor.CI-o8RRS_Z2uXj7P.webp) 

To access the Expression Editor, select **Edit expression** next to the **Expression Preview**:

![Selecting Edit expression in the Create custom rule page to switch to the Expression Editor](https://developers.cloudflare.com/_astro/expression-builder.Cg2aqK5m_gwrLy.webp) 

To switch back from the Expression Editor to the Expression Builder, select **Use expression builder**.

### Escape special characters

In expressions using the [quoted string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#quoted-string-syntax), all backslash (`\`) and double quote (`"`) characters in string literals must be escaped. The visual Expression Builder will automatically escape these special characters by prepending a backslash such that `\` and `"` become `\\` and `\"`, respectively.

```
# Example of an expression with a " character written using quoted string syntax
http.request.uri.path eq "/foo\"bar"
```

The Expression Builder supports both the [quoted string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#quoted-string-syntax) and the [raw string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#raw-string-syntax). In the raw string syntax, there are no special characters or escape sequences, so all characters up to the ending delimiter are interpreted as is.

```
# Example of an expression with a " character written using the raw string syntax
http.request.uri.path eq r#"/foo"bar"#
```

When you select _Matches regex_ in the **Operator** dropdown in the dashboard, the expression preview will automatically use the raw string syntax. In other situations, you may need to switch to the Expression Editor to manually enter a string using the raw string syntax. In this case, switching back to the Expression Builder will keep the syntax you used in the editor.

When you write a [regular expression](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#regular-expression-matching) using the quoted string syntax, you may need to perform additional escaping — refer to [Quoted string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#quoted-string-syntax) for details.

To write complex regular expressions, Cloudflare recommends that you use the [raw string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#raw-string-syntax), which needs less escaping.
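The escaping rules above matter most when expressions are generated from data instead of typed by hand: an unescaped `"` in a value ends the literal early, and the rest of the value is then parsed as expression syntax. The following Python sketch is an added example, not Cloudflare code. The helper names are hypothetical, it also applies the 4,096-character limit and the `lower()` function documented elsewhere on this page, and raw-string delimiters with more than one `#` are an assumption taken from the linked raw string syntax reference.

```python
MAX_EXPRESSION_LENGTH = 4096  # "Maximum rule expression length" on this page


def quoted_literal(value):
    """Render value in quoted string syntax."""
    # Escape the backslash first; otherwise the backslash added in front of
    # each double quote would itself be doubled.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def raw_literal(value):
    """Render value in raw string syntax."""
    # Raw strings have no escape sequences, so safety comes from the
    # delimiter: lengthen the run of # until '"' followed by that run cannot
    # occur inside the value. (More than one # is an assumption.)
    hashes = "#"
    while '"' + hashes in value:
        hashes += "#"
    return "r" + hashes + '"' + value + '"' + hashes


def path_contains_any(fragments, case_insensitive=True):
    """Build (path contains A or path contains B ...) from arbitrary strings."""
    if not fragments:
        raise ValueError("at least one fragment is required")
    field = "http.request.uri.path"
    if case_insensitive:
        # String comparison is case-sensitive, so lowercase both sides.
        field = "lower(" + field + ")"
        fragments = [fragment.lower() for fragment in fragments]
    clauses = [field + " contains " + quoted_literal(f) for f in fragments]
    expression = "(" + " or ".join(clauses) + ")"
    if len(expression) > MAX_EXPRESSION_LENGTH:
        raise ValueError(
            "expression is %d characters; the limit is %d"
            % (len(expression), MAX_EXPRESSION_LENGTH)
        )
    return expression


def path_matches(pattern):
    """Regex clause in raw string syntax, which needs no extra escaping."""
    return "http.request.uri.path matches " + raw_literal(pattern)


if __name__ == "__main__":
    # Constructed input: the second value contains double quotes that would
    # close the literal early if it were pasted in unescaped.
    tricky = '/x" or ip.src.country ne "GB'
    print(path_contains_any(["/wp-login.php", tricky]))
    print(path_matches(r"/autodiscover\.(xml|src)$"))
```
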

### Create nested expressions

The Expression Editor supports parentheses as [grouping symbols](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#grouping-symbols). Use parentheses to explicitly group and nest expressions and, in turn, create highly targeted expressions.

The following rule expression will match requests from any visitor who is not from Malaysia and tries to access WordPress URI paths.

```
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path
contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/"
and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not
http.request.uri.path contains "/wp-admin/theme-editor.php")) and
ip.src.country ne "MY"
```

Only the Expression Editor supports nested expressions such as the one above. If you create a rule with nested expressions in the Expression Editor and try to switch to the Expression Builder, a dialog will warn you that the expression is not supported in the builder. You will be prompted to **Discard changes** and switch to the Expression Builder or **Cancel** and continue working in the editor.

Note

String comparison in rule expressions is case-sensitive. To account for possible variations of string capitalization in an expression, you can use the [lower()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#lower) function and compare the result with a lowercased string, like in the following example:

```
lower(http.request.uri.path) contains "/wp-login.php"
```

## Expression validation

Cloudflare validates all expressions before saving them, so if your expression has errors, you will receive an error message in the Cloudflare dashboard, similar to the following:

```
Filter parsing error (1:313): ((http.request.uri.path contains
"/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or
(http.request.uri.path contains "/wp-admin/" and not
http.request.uri.path contains "/wp-admin/admin-ajax.php" and not
http.request.uri.path contains "/wp-admin/theme-editor.php")) and
ip.src.country ne "MY") ^ unrecognised input
```
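For rules kept in version control, a local pre-check can catch the stray grouping symbol shown in the error above, as well as the 4,096-character limit, before the expression is submitted. The following Python linter is an added example, not Cloudflare's parser: function names are hypothetical, raw-string delimiters with zero or several `#` are assumed, and the reported column refers to the single-line form used here, so it need not equal the position in Cloudflare's message.

```python
import re

MAX_EXPRESSION_LENGTH = 4096  # "Maximum rule expression length" on this page
_IDENT_CHAR = re.compile(r"[A-Za-z0-9_.]")
_RAW_OPEN = re.compile(r'r(#*)"')

# The nested expression from this page, joined onto one line.
GOOD_EXPRESSION = (
    '((http.request.uri.path contains "/xmlrpc.php") or '
    '(http.request.uri.path contains "/wp-login.php") or '
    '(http.request.uri.path contains "/wp-admin/" and not '
    'http.request.uri.path contains "/wp-admin/admin-ajax.php" and not '
    'http.request.uri.path contains "/wp-admin/theme-editor.php")) and '
    'ip.src.country ne "MY"'
)
# The rejected variant from the error message: one extra ")" at the end.
BAD_EXPRESSION = GOOD_EXPRESSION + ")"


def _skip_string(expr, i):
    """Return the index just past a string literal that starts at index i.

    Returns None when no literal starts at i, and -1 when the literal is
    never closed.
    """
    if expr[i] == '"':  # quoted string syntax
        j = i + 1
        while j < len(expr) and expr[j] != '"':
            j += 2 if expr[j] == "\\" else 1  # \\ and \" are escape pairs
        return j + 1 if j < len(expr) else -1
    opener = _RAW_OPEN.match(expr, i)
    # An "r" that ends an identifier (for example "or") does not open a literal.
    if opener and (i == 0 or not _IDENT_CHAR.match(expr[i - 1])):
        closer = '"' + opener.group(1)  # raw string syntax: no escapes at all
        end = expr.find(closer, opener.end())
        return end + len(closer) if end != -1 else -1
    return None


def lint_expression(expr):
    """Return a list of (column, message) findings; columns are 1-based."""
    findings = []
    if len(expr) > MAX_EXPRESSION_LENGTH:
        findings.append((MAX_EXPRESSION_LENGTH + 1, "longer than 4,096 characters"))
    open_columns = []
    i = 0
    while i < len(expr):
        after = _skip_string(expr, i)
        if after == -1:
            findings.append((i + 1, "unterminated string literal"))
            break
        if after is not None:
            i = after  # parentheses inside literals are data, not grouping
            continue
        if expr[i] == "(":
            open_columns.append(i + 1)
        elif expr[i] == ")":
            if open_columns:
                open_columns.pop()
            else:
                findings.append((i + 1, "unmatched closing parenthesis"))
        i += 1
    findings.extend((col, "unclosed opening parenthesis") for col in open_columns)
    return findings


if __name__ == "__main__":
    for name, expr in (("good", GOOD_EXPRESSION), ("bad", BAD_EXPRESSION)):
        print(name, lint_expression(expr) or "no findings")
```
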


---

---
title: Fields
description: The Cloudflare Rules language supports different types of fields such as:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Fields

The Cloudflare Rules language supports different types of fields such as:

* Request fields that represent the basic properties of incoming requests, including specific fields for accessing request headers, URI components, and the request body.
* Dynamic fields that represent computed or derived values, typically related to threat intelligence about an HTTP request.
* Response fields that represent the basic properties of the received response.
* Raw fields that preserve the original request values for later evaluations.

Refer to the [Fields reference](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/) for the list of available fields.

## Differences from Wireshark display fields

Most fields supported by the Cloudflare Rules language use the same naming conventions as [Wireshark display fields ↗](https://www.wireshark.org/docs/wsug%5Fhtml%5Fchunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark:

* Wireshark supports [CIDR (Classless Inter-Domain Routing) notation ↗](https://en.wikipedia.org/wiki/Classless%5FInter-Domain%5FRouting) for expressing IP address ranges in equality comparisons (`ip.src == 1.2.3.0/24`, for example). Cloudflare does not.  
To evaluate a range of addresses using CIDR notation, use the [in](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) comparison operator as in this example: `ip.src in {1.2.3.0/24 4.5.6.0/24}`.
* In Wireshark, `ssl` is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language [ssl](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ssl/) is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
* The Cloudflare Rules language does not support the `slice` operator.


---

---
title: Fields reference
image: https://developers.cloudflare.com/core-services-preview.png
---


# Fields reference


* [cf.api\_gateway.auth\_id\_present](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.api%5Fgateway.auth%5Fid%5Fpresent/): Indicates whether the request contained an API session authentication token, as defined by API Shield's saved session identifiers. (Enterprise add-on)
* [cf.api\_gateway.fallthrough\_detected](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.api%5Fgateway.fallthrough%5Fdetected/): Indicates whether the request matched a saved endpoint in Endpoint Management.
* [cf.api\_gateway.request\_violates\_schema](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.api%5Fgateway.request%5Fviolates%5Fschema/): Indicates whether the request violated the schema assigned to the respective saved endpoint.
* [cf.bot\_management.corporate\_proxy](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.corporate%5Fproxy/): Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway. (Enterprise add-on)
* [cf.bot\_management.detection\_ids](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.detection%5Fids/): List of IDs that correlate to the Bot Management heuristic detections made on a request. (Enterprise add-on)
* [cf.bot\_management.ja3\_hash](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.ja3%5Fhash/): Provides an SSL/TLS fingerprint to help you identify potential bot requests. (Enterprise add-on)
* [cf.bot\_management.ja4](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.ja4/): Provides an SSL/TLS fingerprint to help you identify potential bot requests. (Enterprise add-on)
* [cf.bot\_management.js\_detection.passed](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.js%5Fdetection.passed/): Indicates whether the visitor has previously passed a JS Detection. (Enterprise add-on)
* [cf.bot\_management.score](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.score/): Represents the likelihood that a request originates from a bot using a score from 1–99. (Enterprise add-on)
* [cf.bot\_management.static\_resource](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.static%5Fresource/): Indicates whether static resources should be included when you create a rule using cf.bot\_management.score. (Enterprise add-on)
* [cf.bot\_management.verified\_bot](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.bot%5Fmanagement.verified%5Fbot/): Indicates whether the request originated from a known good bot or crawler. (Enterprise add-on)
* [cf.client.bot](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.client.bot/): Indicates whether the request originated from a known good bot or crawler.
* [cf.edge.client\_tcp](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.edge.client%5Ftcp/): Indicates if the request was made over TCP.
* [cf.edge.l4.delivery\_rate](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.edge.l4.delivery%5Frate/): The most recent data delivery rate estimate for the client connection, in bytes per second.
* [cf.edge.server\_ip](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.edge.server%5Fip/): Represents the global network's IP address to which the HTTP request has resolved.
* [cf.edge.server\_port](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.edge.server%5Fport/): Represents the port number at which the Cloudflare global network received the request.
* [cf.hostname.metadata](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.hostname.metadata/): Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.
* [cf.llm.prompt.custom\_topic\_categories](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.custom%5Ftopic%5Fcategories/): A map of custom topic labels to relevance scores (1–99) for the LLM prompt in the request. (Enterprise)
* [cf.llm.prompt.detected](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.detected/): Indicates whether Cloudflare detected an LLM prompt in the incoming request. (Enterprise)
* [cf.llm.prompt.injection\_score](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.injection%5Fscore/): A score from 1–99 that represents the likelihood that the LLM prompt in the request is trying to perform a prompt injection attack. (Enterprise)
* [cf.llm.prompt.pii\_categories](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii%5Fcategories/): Array of string values with the personally identifiable information (PII) categories found in the LLM prompt included in the request. (Enterprise)
* [cf.llm.prompt.pii\_detected](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii%5Fdetected/): Indicates whether any personally identifiable information (PII) has been detected in the LLM prompt included in the request. (Enterprise)
* [cf.llm.prompt.token\_count](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.token%5Fcount/): An estimated token count for the LLM prompt in the request. (Enterprise)
* [cf.llm.prompt.unsafe\_topic\_categories](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe%5Ftopic%5Fcategories/): Array of string values with the type of unsafe topics detected in the LLM prompt. (Enterprise)
* [cf.llm.prompt.unsafe\_topic\_detected](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe%5Ftopic%5Fdetected/): Indicates whether the incoming request includes any unsafe topic category in the LLM prompt. (Enterprise)
* [cf.random\_seed](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.random%5Fseed/): Returns per-request random bytes that you can use in the uuidv4() function.
* [cf.ray\_id](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.ray%5Fid/): The Ray ID of the current request.
* [cf.response.1xxx\_code](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.response.1xxx%5Fcode/): Contains the specific code for 1XXX Cloudflare errors.
* [cf.response.error\_type](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.response.error%5Ftype/): A string with the type of error in the response being returned.
* [cf.threat\_score](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.threat%5Fscore/): Represents a Cloudflare threat score.
* [cf.timings.client\_quic\_rtt\_msec](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.timings.client%5Fquic%5Frtt%5Fmsec/): The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds.
* [cf.timings.client\_tcp\_rtt\_msec](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.timings.client%5Ftcp%5Frtt%5Fmsec/): The smoothed TCP round-trip time (RTT) between Cloudflare and the client in milliseconds.
* [cf.timings.edge\_msec](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.timings.edge%5Fmsec/): The time spent processing a request within the Cloudflare global network in milliseconds.
* [cf.timings.origin\_ttfb\_msec](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.timings.origin%5Fttfb%5Fmsec/): The round-trip time (RTT) between the Cloudflare global network and the origin server in milliseconds.
* [cf.timings.worker\_msec](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.timings.worker%5Fmsec/): The time spent executing a Cloudflare Worker in milliseconds.
* [cf.tls\_cipher](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fcipher/): The cipher for the connection to Cloudflare.
* [cf.tls\_ciphers\_sha1](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fciphers%5Fsha1/): The SHA-1 fingerprint of the client TLS cipher list in received order, encoded in Base64 using big-endian format.
* [cf.tls\_client\_auth.cert\_chain\_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440/): The mTLS client certificate chain (excluding the leaf certificate) encoded as a structured field list per RFC 9440.
* [cf.tls\_client\_auth.cert\_chain\_rfc9440\_too\_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440%5Ftoo%5Flarge/): Returns true when the RFC 9440 encoded client certificate chain exceeds the 16 KiB size limit.
* [cf.tls\_client\_auth.cert\_fingerprint\_sha1](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Ffingerprint%5Fsha1/): The SHA-1 fingerprint of the mTLS client certificate.
* [cf.tls\_client\_auth.cert\_fingerprint\_sha256](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Ffingerprint%5Fsha256/): The SHA-256 fingerprint of the mTLS client certificate.

[cf.tls\_client\_auth.cert\_issuer\_dnThe Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client 
certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn/)[cf.tls\_client\_auth.cert\_issuer\_dn\_legacyThe Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate in a legacy format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn%5Flegacy/)[cf.tls\_client\_auth.cert\_issuer\_dn\_rfc2253The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate in RFC 2253 format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn%5Frfc2253/)[cf.tls\_client\_auth.cert\_issuer\_serialSerial number of the direct issuer of the mTLS client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fserial/)[cf.tls\_client\_auth.cert\_issuer\_skiThe Subject Key Identifier (SKI) of the direct issuer of the mTLS client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fski/)[cf.tls\_client\_auth.cert\_not\_afterThe mTLS client certificate is not valid after this date.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fnot%5Fafter/)[cf.tls\_client\_auth.cert\_not\_beforeThe mTLS client certificate is not valid before this date.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fnot%5Fbefore/)[cf.tls\_client\_auth.cert\_presentedReturns true when an mTLS client presents a certificate (valid or not).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fpresented/)[cf.tls\_client\_auth.cert\_revokedIndicates whether the mTLS client presented a valid 
but revoked client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frevoked/)[cf.tls\_client\_auth.cert\_rfc9440The mTLS client certificate encoded as a Structured Fields Byte Sequence per RFC 9440.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440/)[cf.tls\_client\_auth.cert\_rfc9440\_too\_largeReturns true when the RFC 9440 encoded mTLS client certificate exceeds the 10 KiB size limit.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440%5Ftoo%5Flarge/)[cf.tls\_client\_auth.cert\_serialSerial number of the mTLS client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fserial/)[cf.tls\_client\_auth.cert\_skiThe Subject Key Identifier (SKI) of the mTLS client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fski/)[cf.tls\_client\_auth.cert\_subject\_dnThe Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn/)[cf.tls\_client\_auth.cert\_subject\_dn\_legacyThe Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate in a legacy format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn%5Flegacy/)[cf.tls\_client\_auth.cert\_subject\_dn\_rfc2253The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate in RFC 2253 format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn%5Frfc2253/)[cf.tls\_client\_auth.cert\_verifiedReturns true when an mTLS client presents a 
valid client certificate.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/)[cf.tls\_client\_extensions\_sha1The SHA-1 fingerprint of TLS client extensions, encoded in Base64 using big-endian format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fextensions%5Fsha1/)[cf.tls\_client\_extensions\_sha1\_leThe SHA-1 fingerprint of TLS client extensions, encoded in Base64 using little-endian format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fextensions%5Fsha1%5Fle/)[cf.tls\_client\_hello\_lengthThe length of the client hello message sent in a TLS handshake.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fhello%5Flength/)[cf.tls\_client\_randomThe value of the 32-byte random value provided by the client in a TLS handshake, encoded in Base64.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Frandom/)[cf.tls\_versionThe TLS version of the connection to Cloudflare.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fversion/)[cf.verified\_bot\_categoryProvides the type and purpose of a verified bot.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.verified%5Fbot%5Fcategory/)[cf.waf.auth\_detectedIndicates whether the Cloudflare WAF detected authentication credentials in the request.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.auth%5Fdetected/)[cf.waf.content\_scan.has\_failedIndicates whether the file scanner was unable to scan any of the content objects detected in the request.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.has%5Ffailed/)[cf.waf.content\_scan.has\_malicious\_objIndicates whether 
the request contains at least one malicious content object.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.has%5Fmalicious%5Fobj/)[cf.waf.content\_scan.has\_objIndicates whether the request contains at least one content object.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.has%5Fobj/)[cf.waf.content\_scan.num\_malicious\_objThe number of malicious content objects detected in the request (zero or greater).Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.num%5Fmalicious%5Fobj/)[cf.waf.content\_scan.num\_objThe number of content objects detected in the request (zero or greater).Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.num%5Fobj/)[cf.waf.content\_scan.obj\_resultsAn array of scan results in the order the content objects were detected in the request.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.obj%5Fresults/)[cf.waf.content\_scan.obj\_sizesAn array of file sizes in bytes, in the order the content objects were detected in the request.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.obj%5Fsizes/)[cf.waf.content\_scan.obj\_typesAn array of file types in the order the content objects were detected in the request.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.content%5Fscan.obj%5Ftypes/)[cf.waf.credential\_check.password\_leakedIndicates whether the password detected in the request was previously 
leaked.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.credential%5Fcheck.password%5Fleaked/)[cf.waf.credential\_check.username\_and\_password\_leakedIndicates whether the auth credentials detected in the request (username-password pair) were previously leaked.Pro or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.credential%5Fcheck.username%5Fand%5Fpassword%5Fleaked/)[cf.waf.credential\_check.username\_leakedIndicates whether the username detected in the request was previously leaked.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.credential%5Fcheck.username%5Fleaked/)[cf.waf.credential\_check.username\_password\_similarIndicates whether a similar version of the username and password credentials detected in the request were previously leaked.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.credential%5Fcheck.username%5Fpassword%5Fsimilar/)[cf.waf.scoreA global score from 1–99 that combines the score of each WAF attack vector into a single score.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score/)[cf.waf.score.classThe attack score class of the current request, based on the WAF attack score.Business or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/)[cf.waf.score.rceAn attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/)[cf.waf.score.sqliAn attack score from 1–99 classifying the SQL injection (SQLi) attack vector.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/)[cf.waf.score.xssAn attack score from 1–99 classifying the cross-site scripting 
(XSS) attack vector.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/)[cf.worker.upstream\_zoneIdentifies whether a request comes from a worker or not.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.worker.upstream%5Fzone/)[http.cookieThe entire cookie as a string.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.cookie/)[http.hostThe hostname used in the full request URI.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.host/)[http.refererThe HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.referer/)[http.request.accepted\_languagesList of language tags provided in the Accept-Language HTTP request header.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.accepted%5Flanguages/)[http.request.body.formThe HTTP request body of a form represented as a Map (or associative array).Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.form/)[http.request.body.form.namesThe names of the form fields in an HTTP request.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.form.names/)[http.request.body.form.valuesThe values of the form fields in an HTTP request.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.form.values/)[http.request.body.mimeThe MIME type of the request detected from the request body.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.mime/)[http.request.body.multipartA Map (or associative array) representation of multipart names to multipart values in the request 
body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart/)[http.request.body.multipart.content\_dispositionsList of Content-Disposition headers for each part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.content%5Fdispositions/)[http.request.body.multipart.content\_transfer\_encodingsList of Content-Transfer-Encoding headers for each part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.content%5Ftransfer%5Fencodings/)[http.request.body.multipart.content\_typesList of Content-Type headers for each part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.content%5Ftypes/)[http.request.body.multipart.filenamesList of filenames for each part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.filenames/)[http.request.body.multipart.namesList of multipart names for every part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.names/)[http.request.body.multipart.valuesList of multipart values for every part in the multipart body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.multipart.values/)[http.request.body.rawThe unaltered HTTP request body.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.raw/)[http.request.body.sizeThe total size of the HTTP request body (in bytes).Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.size/)[http.request.body.truncatedIndicates 
whether the HTTP request body is truncated.Enterprise](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/)[http.request.cookiesThe Cookie HTTP header associated with a request represented as a Map (associative array).Pro or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.cookies/)[http.request.full\_uriThe full URI as received by the web server.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.full%5Furi/)[http.request.headersThe HTTP request headers represented as a Map (or associative array).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.headers/)[http.request.headers.namesThe names of the headers in the HTTP request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.headers.names/)[http.request.headers.truncatedIndicates whether the HTTP request contains too many headers.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.headers.truncated/)[http.request.headers.valuesThe values of the headers in the HTTP request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.headers.values/)[http.request.jwt.claims.audThe aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.aud/)[http.request.jwt.claims.aud.namesThe aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.aud.names/)[http.request.jwt.claims.aud.valuesThe aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended 
for.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.aud.values/)[http.request.jwt.claims.iat.secThe iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iat.sec/)[http.request.jwt.claims.iat.sec.namesThe iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iat.sec.names/)[http.request.jwt.claims.iat.sec.valuesThe iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iat.sec.values/)[http.request.jwt.claims.issThe iss (issuer) claim identifies the principal that issued the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iss/)[http.request.jwt.claims.iss.namesThe iss (issuer) claim identifies the principal that issued the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iss.names/)[http.request.jwt.claims.iss.valuesThe iss (issuer) claim identifies the principal that issued the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.iss.values/)[http.request.jwt.claims.jtiThe jti (JWT ID) claim provides a unique identifier for the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.jti/)[http.request.jwt.claims.jti.namesThe jti (JWT ID) claim provides a unique identifier for the JWT.Enterprise 
add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.jti.names/)[http.request.jwt.claims.jti.valuesThe jti (JWT ID) claim provides a unique identifier for the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.jti.values/)[http.request.jwt.claims.nbf.secThe nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.nbf.sec/)[http.request.jwt.claims.nbf.sec.namesThe nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.nbf.sec.names/)[http.request.jwt.claims.nbf.sec.valuesThe nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.nbf.sec.values/)[http.request.jwt.claims.subThe sub (subject) claim identifies the principal that is the subject of the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.sub/)[http.request.jwt.claims.sub.namesThe sub (subject) claim identifies the principal that is the subject of the JWT.Enterprise add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.sub.names/)[http.request.jwt.claims.sub.valuesThe sub (subject) claim identifies the principal that is the subject of the JWT.Enterprise 
add-on](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims.sub.values/)[http.request.methodThe HTTP method, returned as a string of uppercase characters.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.method/)[http.request.timestamp.msecThe millisecond when Cloudflare received the request, between 0–999.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/)[http.request.timestamp.secThe timestamp when Cloudflare received the request, expressed as UNIX time in seconds.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/)[http.request.uriThe URI path and query string of the request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri/)[http.request.uri.argsThe HTTP URI arguments associated with a request represented as a Map (associative array).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.args/)[http.request.uri.args.namesThe names of the arguments in the HTTP URI query string.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.args.names/)[http.request.uri.args.valuesThe values of arguments in the HTTP URI query string.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.args.values/)[http.request.uri.pathThe URI path of the request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.path/)[http.request.uri.path.extensionThe lowercased file extension in the URI path without the dot (.) character.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/)[http.request.uri.queryThe entire query string, without the ? 
delimiter.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.query/)[http.request.versionThe version of the HTTP protocol used. Use this field when different checks are needed for different versions.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.version/)[http.response.codeThe HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.response.code/)[http.response.content\_type.media\_typeThe lowercased content type (including subtype and suffix) without any extra parameters, based on the response's Content-Type header.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.response.content%5Ftype.media%5Ftype/)[http.response.headersThe HTTP response headers represented as a Map (or associative array).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.response.headers/)[http.response.headers.namesThe names of the headers in the HTTP response.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.response.headers.names/)[http.response.headers.valuesThe values of the headers in the HTTP response.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.response.headers.values/)[http.user\_agentThe HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.user%5Fagent/)[http.x\_forwarded\_forThe full value of the X-Forwarded-For HTTP header.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.x%5Fforwarded%5Ffor/)[ip.srcThe client TCP IP address, which may be adjusted to reflect the actual address of the client using 
HTTP headers such as X-Forwarded-For or X-Real-IP.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src/)[ip.src.asnumThe 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.asnum/)[ip.src.cityThe city associated with the client IP address.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.city/)[ip.src.continentThe continent code associated with the client IP address.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.continent/)[ip.src.countryThe 2-letter country code in ISO 3166-1 Alpha 2 format.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.country/)[ip.src.is\_in\_european\_unionWhether the request originates from a country in the European Union (EU).Business or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.is%5Fin%5Feuropean%5Funion/)[ip.src.latThe latitude associated with the client IP address.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.lat/)[ip.src.lonThe longitude associated with the client IP address.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.lon/)[ip.src.metro\_codeThe metro code or Designated Market Area (DMA) code associated with the incoming request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.metro%5Fcode/)[ip.src.postal\_codeThe postal code associated with the incoming request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.postal%5Fcode/)[ip.src.regionThe region name associated with the incoming request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.region/)[ip.src.region\_codeThe 
region code associated with the incoming request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.region%5Fcode/)[ip.src.subdivision\_1\_iso\_codeThe ISO 3166-2 code for the first-level region associated with the IP address.Business or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.subdivision%5F1%5Fiso%5Fcode/)[ip.src.subdivision\_2\_iso\_codeThe ISO 3166-2 code for the second-level region associated with the IP address.Business or above](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.subdivision%5F2%5Fiso%5Fcode/)[ip.src.timezone.nameThe name of the timezone associated with the incoming request.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.timezone.name/)[raw.http.request.full\_uriThe raw full URI as received by the web server without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.full%5Furi/)[raw.http.request.uriThe URI path and query string of the request without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri/)[raw.http.request.uri.argsThe raw HTTP URI arguments associated with a request represented as a Map (associative array).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.args/)[raw.http.request.uri.args.namesThe raw names of the arguments in the HTTP URI query string.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.args.names/)[raw.http.request.uri.args.valuesThe raw values of arguments in the HTTP URI query string.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.args.values/)[raw.http.request.uri.pathThe raw URI path of the request without any 
transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.path/)[raw.http.request.uri.path.extensionThe raw file extension in the request URI path without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.path.extension/)[raw.http.request.uri.queryThe entire query string without the ? delimiter and without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.query/)[raw.http.response.headersThe HTTP response headers without any transformation represented as a Map (or associative array).](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.response.headers/)[raw.http.response.headers.namesThe names of the headers in the HTTP response without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.response.headers.names/)[raw.http.response.headers.valuesThe values of the headers in the HTTP response without any transformation.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.response.headers.values/)[sslReturns true when the HTTP connection to the client is encrypted.](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ssl/)

---

---
title: Functions
description: The Cloudflare Rules language provides functions for manipulating and validating values in an expression:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Functions

The Cloudflare Rules language provides functions for manipulating and validating values in an expression:

* [Transformation functions](#transformation-functions) manipulate values extracted from an HTTP request.
* The [HMAC validation function](#hmac-validation) tests the validity of an HMAC token. Use it to write expressions that target requests based on the presence of a valid HMAC token.

## Transformation functions

The Rules language supports several functions that transform values extracted from HTTP requests. A common use case for transformation functions is the conversion of a string of characters to uppercase or lowercase, since by default, string evaluation is case-sensitive.

For example, the `lower()` function converts all uppercase characters in a string to lowercase.

In the expression below, the `lower()` function transforms `http.host` values to lowercase so that they match the target value `"www.cloudflare.com"`:

```
lower(http.host) == "www.cloudflare.com"
```

Transformation functions that do not take arrays as an argument type require the `[*]` index notation. Refer to [Arrays](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#arrays) for more information.

The Rules language supports these transformation functions:

### `any`

`` any(` Array<Boolean> `) ``: ` Boolean `

Returns `true` when the comparison operator in the argument returns `true` for _any_ of the values in the argument array. Returns `false` otherwise.

Example:

```
any(url_decode(http.request.body.form.values[*])[*] contains "an xss attack")
```

### `all`

`` all(` Array<Boolean> `) ``: ` Boolean `

Returns `true` when the comparison operator in the argument returns `true` for _all_ values in the argument array. Returns `false` otherwise.

Example:

```
all(http.request.headers["content-type"][*] == "application/json")
```

### `encode_base64`

`` encode_base64(input ` String | Bytes ` [, flags ` String `]) ``: ` String `

Encodes an `input` string or byte array to Base64 format.

The `flags` parameter is optional. You can provide one or more flags as a single string. The available flags are the following:

* `u`: Uses URL-safe Base64 encoding (uses `-` and `_` instead of `+` and `/`).
* `p`: Adds padding (appends `=` characters to make the output length a multiple of 4, as required by some systems).

By default, the output uses standard Base64 encoding without padding.

Examples:

```
encode_base64("hello world")          will return "aGVsbG8gd29ybGQ"
encode_base64("hello world", "p")     will return "aGVsbG8gd29ybGQ="
encode_base64("hello world", "u")     will return "aGVsbG8gd29ybGQ"
encode_base64("hello world", "up")    will return "aGVsbG8gd29ybGQ="
```

You can combine `encode_base64()` with other functions to create signed request headers:

```
encode_base64(sha256(concat(to_string(ip.src), http.host, "my-secret")))
```

Note

You can only use the `encode_base64()` function in [request/response header transform rules](https://developers.cloudflare.com/rules/transform/).

### `cidr`

`` cidr(address ` IP address `, ipv4_network_bits ` Integer `, ipv6_network_bits ` Integer `) ``: ` IP address `

Returns the network address corresponding to an IP address (IPv4 or IPv6), given the provided IPv4 and IPv6 network bits (which determine the corresponding netmasks).

The `address` parameter must be a field, that is, it cannot be a literal String.

The `ipv4_network_bits` value must be between 1 and 32, and the `ipv6_network_bits` value must be between 1 and 128.

Examples:

* If `ip.src` is `113.10.0.2`, `cidr(ip.src, 24, 24)` will return `113.10.0.0`.
* If `ip.src` is `2001:0000:130F:0000:0000:09C0:876A:130B`, `cidr(ip.src, 24, 24)` will return `2001:0000:0000:0000:0000:0000:0000:0000`.

Note

You can only use the `cidr()` function in [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/).

### `cidr6`

`` cidr6(address ` IP address `, ipv6_network_bits ` Integer `) ``: ` IP address `

Returns the IPv6 network address corresponding to an IPv6 address, given the provided network bits (which determine the netmask). If you provide an IPv4 address in the first parameter, it will be returned unchanged.

The `address` parameter must be a field, that is, it cannot be a literal String.

The `ipv6_network_bits` value must be between 1 and 128.

This function is equivalent to: `cidr(<address>, 32, <ipv6_network_bits>)`.

Examples:

* If `ip.src` is `2001:0000:130F:0000:0000:09C0:876A:130B`, `cidr6(ip.src, 24)` will return `2001:0000:0000:0000:0000:0000:0000:0000`.
* If `ip.src` is `113.10.0.2`, `cidr6(ip.src, 24)` will return `113.10.0.2` (unchanged).

Note

You can only use the `cidr6()` function in [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/).

### `concat`

`` concat(` String | Bytes | Array `) ``: ` String | Array `

Takes a comma-separated list of values. Concatenates the argument values into a single String or array.

The return type depends on the type of input arguments. For example, if you concatenate arrays, the function will return an array.

For example, `concat("String1", " ", "String", "2")` will return `"String1 String2"`.

### `decode_base64`

`` decode_base64(source ` String `) ``: ` String `

Decodes a Base64-encoded String specified in `source`.

`source` must be a field, that is, it cannot be a literal String.

For example, with the following HTTP request header: `client_id: MTIzYWJj`, `(any(decode_base64(http.request.headers["client_id"][*])[*] eq "123abc"))` would return `true`.

Note

You can only use the `decode_base64()` function in [Transform Rules](https://developers.cloudflare.com/rules/transform/), [custom rules](https://developers.cloudflare.com/waf/custom-rules/), and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/).

### `ends_with`

`` ends_with(source ` String `, substring ` String `) ``: ` Boolean `

Returns `true` when the source ends with a given substring. Returns `false` otherwise. The source cannot be a literal value (like `"foo"`).

For example, if `http.request.uri.path` is `"/welcome.html"`, then `ends_with(http.request.uri.path, ".html")` will return `true`.

### `join`

`` join(items ` Array<String> `, separator ` String `) ``: ` String `

Returns a string which is the concatenation of the strings in `items` with the `separator` between each item.

If any of the arguments is nil, the returned value will be nil.  
If the `items` array is empty, the returned value will be an empty string.  
If the `items` array contains a single item, then no concatenation occurs and the (single) item will be returned as is.

This function does the opposite of the [split()](#split) function.

Example:

```
# Joins all HTTP request header names into a single string, with names separated by commas
join(http.request.headers.names, ",")
```

Note

The `join()` function is only available in [Transform Rules](https://developers.cloudflare.com/rules/transform/), [custom rules](https://developers.cloudflare.com/waf/custom-rules/), and [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/#custom-error-rules).

### `has_key`

`` has_key(map: ` Map<T> `, key: ` String `) ``: ` Boolean `

Returns true if the `key` specified in the second argument, which can be a literal or a dynamic string, is an existing key in the `map` provided as first argument; returns false otherwise.

The data type of the values in `map` (indicated by `T`) can be any type.

If any of the arguments is nil, the returned value will be nil.

Examples:

```
# Check if an HTTP request header exists:
has_key(http.request.headers, "x-my-header")

# Check if a request header exists based on the name of the first query argument:
has_key(http.request.headers, lower(http.request.uri.args.names[0]))
```

### `has_value`

`` has_value(collection: ` Map<T> | Array<T> `, value: ` T `) ``: ` Boolean `

Returns true if the `value` specified in the second argument, which can be a literal or a dynamic value, is found in the `collection` provided as first argument; returns false otherwise.

The data type of the values in the `collection` (indicated by `T`) must match the data type of the provided `value`. Additionally, `T` must be a primitive data type, that is, it must be one of `Boolean`, `Integer`, `String`, `Bytes`, or `IP address`.

If any of the arguments is nil, the returned value will be nil.

Examples:

```
# Check if there is an HTTP request header with the exact name 'X-My-Header'
has_value(http.request.headers.names, "X-My-Header")

# Check if there is a request header with the exact name provided as the first query argument:
has_value(http.request.headers.names, http.request.uri.args.names[0])
```

### `len`

`` len(` String | Bytes | Array `) ``: ` Integer `

Returns the byte length of a String or Bytes value, or the number of elements in an array.

For example, if the value of `http.host` is `"example.com"`, then `len(http.host)` will return `11`.

### `lookup_json_integer`

`` lookup_json_integer(field ` String `, key ` String | Integer `, key ` String | Integer ` optional, ...) ``: ` Integer `

Returns the integer value associated with the supplied `key` in `field`.

The `field` must be a string representation of a valid JSON document.

The `key` can be an attribute name, a zero-based position number in a JSON array, or a combination of these two options (as extra function parameters), while following the hierarchy of the JSON document to obtain a specific integer value.  

Note: This function only works for plain integers. For example, it will not work for floating-point numbers with a zero decimal part such as `42.0`.

Examples:

* Given the following JSON object contained in the `http.request.body.raw` field:  
`{ "record_id": "aed53a", "version": 2 }`  
Then `lookup_json_integer(http.request.body.raw, "version")` will return `2`.
* Given the following nested object:  
`{ "product": { "id": 356 } }`  
Then `lookup_json_integer(http.request.body.raw, "product", "id")` will return `356`.
* Given the following JSON array at the root level:  
`["first_item", -234]`  
Then `lookup_json_integer(http.request.body.raw, 1)` will return `-234`.
* Given the following array in a JSON object attribute:  
`{ "network_ids": [123, 456] }`  
Then `lookup_json_integer(http.request.body.raw, "network_ids", 0)` will return `123`.
* Given the following root-level array of JSON objects:  
`[{ "product_id": 123 }, { "product_id": 456 }]`  
Then `lookup_json_integer(http.request.body.raw, 1, "product_id")` will return `456`.

### `lookup_json_string`

`` lookup_json_string(field ` String `, key ` String | Integer `, key ` String | Integer ` optional, ...) ``: ` String `

Returns the string value associated with the supplied `key` in `field`.

The `field` must be a string representation of a valid JSON document.

The `key` can be an attribute name, a zero-based position number in a JSON array, or a combination of these two options (as extra function parameters), while following the hierarchy of the JSON document to obtain a specific value.

Examples:

* Given the following JSON object contained in the `http.request.body.raw` field:  
`{ "company": "cloudflare", "product": "rulesets" }`  
Then `lookup_json_string(http.request.body.raw, "company") == "cloudflare"` will return `true`.
* Given the following nested object:  
`{ "network": { "name": "cloudflare" } }`  
Then `lookup_json_string(http.request.body.raw, "network", "name") == "cloudflare"` will return `true`.
* Given the following JSON array at the root level:  
`["other_company", "cloudflare"]`  
Then `lookup_json_string(http.request.body.raw, 1) == "cloudflare"` will return `true`.
* Given the following array in a JSON object attribute:  
`{ "networks": ["other_company", "cloudflare"] }`  
Then `lookup_json_string(http.request.body.raw, "networks", 1) == "cloudflare"` will return `true`.
* Given the following root-level array of JSON objects:  
`[{ "network": "other_company" }, { "network": "cloudflare" }]`  
Then `lookup_json_string(http.request.body.raw, 1, "network") == "cloudflare"` will return `true`.

### `lower`

`` lower(` String `) ``: ` String `

Converts a string field to lowercase. Only uppercase ASCII bytes are converted. All other bytes are unaffected.

For example, if `http.host` is `"WWW.cloudflare.com"`, then `lower(http.host) == "www.cloudflare.com"` will return `true`.

### `regex_replace`

`` regex_replace(source ` String `, regular_expression ` String `, replacement ` String `) ``: ` String `

Replaces a part of a source string matched by a regular expression with a replacement string, returning the result. The replacement string can contain references to regular expression capture groups (for example, `${1}` and `${2}`), up to eight replacement references.

Examples:

* Literal match replace:  
`regex_replace("/foo/bar", "/bar$", "/baz") == "/foo/baz"`
* If there is no match, the input string does not change:  
`regex_replace("/x", "^/y$", "/mumble") == "/x"`
* Match is case-sensitive by default:  
`regex_replace("/foo", "^/FOO$", "/x") == "/foo"`
* When there are multiple matches, only one replacement occurs (the first one):  
`regex_replace("/a/a", "/a", "/b") == "/b/a"`
* Escape a `$` in the replacement string by prefixing it with another `$`:  
`regex_replace("/b", "^/b$", "/b$$") == "/b$"`
* Replace with capture groups:  
`regex_replace("/foo/a/path", "^/foo/([^/]*)/(.*)$", "/bar/${2}/${1}") == "/bar/path/a"`

Create capture groups by putting part of the regular expression in parentheses. Then, reference a capture group using `${<NUMBER>}` in the replacement string, where `<NUMBER>` is the number of the capture group.

You can only use the `regex_replace()` function once in an expression, and you cannot nest it with the [wildcard\_replace()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#wildcard%5Freplace) function.

Note

Currently, the `regex_replace()` function is only available in rewrite expressions of [Transform Rules](https://developers.cloudflare.com/rules/transform/) and target URL expressions of [dynamic URL redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).

### `remove_bytes`

`` remove_bytes(` Bytes `) ``: ` Bytes `

Returns a new byte array with all the occurrences of the given bytes removed.

For example, if `http.host` is `"www.cloudflare.com"`, then `remove_bytes(http.host, "\x2e\x77")` will return `"cloudflarecom"`.

### `remove_query_args`

`` remove_query_args(field ` String `, query_param1 ` String `, query_param2 ` String `, ...) ``: ` String `

Removes one or more query string parameters from a URI query string. Returns a string without the specified parameters.

The `field` must be one of the following:

* `http.request.uri.query`
* `raw.http.request.uri.query`

The `field` cannot be a literal value such as `"search=foo&order=asc"`.

The `remove_query_args()` function will remove all specified parameters (as `query_param1`, `query_param2`, etc.), including repeated occurrences of the same parameter.

The ordering of unaffected query parameters will be preserved.

Examples:

```
// If http.request.uri.query is "order=asc&country=GB":

remove_query_args(http.request.uri.query, "country")  will return "order=asc"
remove_query_args(http.request.uri.query, "order")    will return "country=GB"
remove_query_args(http.request.uri.query, "search")   will return "order=asc&country=GB" (unchanged)

// If http.request.uri.query is "category=Foo&order=desc&category=Bar":

remove_query_args(http.request.uri.query, "order")    will return "category=Foo&category=Bar"
remove_query_args(http.request.uri.query, "category") will return "order=desc"
```

Note

You can only use the `remove_query_args()` function in [rewrite expressions of Transform Rules](https://developers.cloudflare.com/rules/transform/).

### `sha256`

`` sha256(input ` String | Bytes `) ``: ` Bytes `

Computes the SHA-256 cryptographic hash of the `input` string or byte array. Returns a 32-byte hash value.

Use this function to generate signed request headers, validate request integrity, or create secure tokens directly in rule expressions.

Examples:

```
sha256("my-token")
```

The example above returns a 32-byte hash that your origin can validate to authenticate requests.

You can combine `sha256()` with [encode\_base64()](#encode%5Fbase64) to create Base64-encoded signatures:

```
encode_base64(sha256("my-token"))
```

To create a signed header value from request attributes:

```
encode_base64(sha256(concat(to_string(ip.src), to_string(http.request.timestamp.sec), "my-secret-key")))
```

Notes

The `sha256()` function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

You can only use the `sha256()` function in rewrite expressions of [Transform Rules](https://developers.cloudflare.com/rules/transform/).
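The signed-header expressions shown above and under `encode_base64` only help if the origin recomputes the same value. The following Python sketch of that origin-side check is an added example, not Cloudflare code; the function names and the freshness window are hypothetical, and it assumes the origin receives the client IP and the timestamp by some other means (for example, headers set by other rules) in the same string form that `to_string()` produces.

```python
import base64
import hashlib
import hmac

SECRET = "my-secret-key"   # same literal as in the rule expression above
MAX_AGE_SEC = 300          # assumption: freshness window chosen by the origin


def expected_signature(client_ip: str, timestamp_sec: int, secret: str = SECRET) -> str:
    """Recompute encode_base64(sha256(concat(ip, timestamp, secret)))."""
    # concat() joins the strings with no delimiter between them.
    material = f"{client_ip}{timestamp_sec}{secret}".encode("utf-8")
    digest = hashlib.sha256(material).digest()  # 32 bytes
    # encode_base64() without flags: standard alphabet, no padding.
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_signed_header(presented: str, client_ip: str, timestamp_sec: int,
                         now: int, secret: str = SECRET) -> bool:
    """Return True only for a fresh request whose signature matches."""
    # Reject values outside the freshness window (assumption: symmetric window).
    if abs(now - timestamp_sec) > MAX_AGE_SEC:
        return False
    expected = expected_signature(client_ip, timestamp_sec, secret)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample values (documentation IP range, arbitrary timestamp).
    sig = expected_signature("203.0.113.7", 1700000000)
    print(sig, verify_signed_header(sig, "203.0.113.7", 1700000000, now=1700000010))
```

An origin that compares against padded Base64 output will reject every request, because `encode_base64()` omits padding unless the `p` flag is set.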

### `split`

`` split(input ` String `, separator ` String `, limit ` Integer `) ``: ` Array<String> `

Splits the `input` string into an array of strings by breaking the initial string at every occurrence of the `separator` string. The returned array will contain at most `limit` number of elements.

If you provide a `limit` value lower than the actual number of substrings in the split string, the last element of the returned array will contain the remainder of the string.

The `separator` must be a non-empty literal string.

The `limit` is mandatory, and it must be a literal integer between 1 and 128.

If `input` is nil, the returned value will be nil.

This function does the opposite of the [join()](#join) function.

Examples:

```
# Split a comma-separated list of categories obtained from an HTTP request header.

# A) Consider the following HTTP request header:
x-categories: groceries,electronics,diy,auto

split(http.request.headers["x-categories"][0], ",", 64)  will return ["groceries", "electronics", "diy", "auto"]
split(http.request.headers["x-categories"][0], ",", 3)   will return ["groceries", "electronics", "diy,auto"]

# B) Consider the following HTTP request header:
x-categories: groceries,,electronics

split(http.request.headers["x-categories"][0], ",", 64)  will return ["groceries", "", "electronics"]
```

Note

The `split()` function is only available in [response header transform rules](https://developers.cloudflare.com/rules/transform/response-header-modification/) and [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/#custom-error-rules).

### `starts_with`

`` starts_with(source ` String `, substring ` String `) ``: ` Boolean `

Returns `true` when the source starts with a given substring. Returns `false` otherwise. The source cannot be a literal value (like `"foo"`).

For example, if `http.request.uri.path` is `"/blog/first-post"`, then `starts_with(http.request.uri.path, "/blog")` will return `true`.

### `substring`

`` substring(field ` String | Bytes `, start ` Integer `, end ` Integer ` optional) ``: ` String `

Returns part of the `field` value (the value of a String or Bytes [field](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/)) from the `start` byte index up to (but excluding) the `end` byte index. The first byte in `field` has index `0`. If you do not provide the optional `end` index, the function returns the part of the string from `start` index to the end of the string.

The `start` and `end` indexes can be negative integer values, which allows you to access characters from the end of the string instead of the beginning.

Examples:

```
// If http.request.body.raw is "asdfghjk":

substring(http.request.body.raw, 2, 5)   will return "dfg"
substring(http.request.body.raw, 2)      will return "dfghjk"
substring(http.request.body.raw, -2)     will return "jk"
substring(http.request.body.raw, 0, -2)  will return "asdfgh"
```

### `to_string`

`` to_string(` Integer | Boolean | IP address `) ``: ` String `

Returns the string representation of an Integer, Boolean, or IP address value.

Examples:

```
// If cf.bot_management.score is 5:
to_string(cf.bot_management.score)   will return "5"

// If ssl is true:
to_string(ssl)                       will return "true"
```

Note

You can only use the `to_string()` function in rewrite expressions of [Transform Rules](https://developers.cloudflare.com/rules/transform/) and target URL expressions of [dynamic URL redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).

### `upper`

`` upper(` String `) ``: ` String `

Converts a string field to uppercase. Only lowercase ASCII bytes are converted. All other bytes are unaffected.

For example, if `http.host` is `"www.cloudflare.com"`, then `upper(http.host)` will return `"WWW.CLOUDFLARE.COM"`.

### `url_decode`

`` url_decode(source ` String `, options ` String ` optional) ``: ` String `

Decodes a URL-formatted string defined in `source`, as in the following:

* `%20` and `+` decode to a space character (` `).
* `%E4%BD` decodes to `ä½`.

The `source` must be a field, that is, it cannot be a literal string.

The `options` parameter is optional. You must provide any options as a single string wrapped in quotes, such as `"r"` or `"ur"`. The available options are the following:

* `r`: Applies recursive decoding. For example, `%2520` will be decoded twice (recursively) to a space character (` `).
* `u`: Enables Unicode percent decoding. The result will be encoded in UTF-8. For example, `"%u2601"` would be decoded to a cloud emoji (`☁️`) encoded in UTF-8 (`"\xe2\x98\x81"`, with a size of 3 bytes).

Examples:

```
url_decode("John%20Doe")   will return "John Doe"
url_decode("John+Doe")     will return "John Doe"
url_decode("%2520")        will return "%20"
url_decode("%2520", "r")   will return " "

// Using url_decode() with the any() function:
any(url_decode(http.request.body.form.values[*])[*] contains "an xss attack")

// Using the u option to match a specific alphabet
url_decode(http.request.uri.path) matches "(?u)\p{Hangul}+"
```

### `uuidv4`

`` uuidv4(source ` Bytes `) ``: ` String `

Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [cf.random\_seed](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.random%5Fseed/) field.

For example, `uuidv4(cf.random_seed)` will return a UUIDv4 similar to `49887398-6bcf-485f-8899-f15dbef4d1d5`.

Note

You can only use the `uuidv4()` function in [rewrite expressions of Transform Rules](https://developers.cloudflare.com/rules/transform/).

### `wildcard_replace`

`` wildcard_replace(source ` Bytes `, wildcard_pattern ` Bytes `, replacement ` Bytes `, flags ` Bytes ` optional) ``: ` String `

Replaces a `source` string, matched by a literal with zero or more `*` wildcard metacharacters, with a replacement string, returning the result. The replacement string can contain references to wildcard capture groups (for example, `${1}` and `${2}`), up to eight replacement references.

If there is no match, the function will return `source` unchanged.

The `source` parameter must be a field (it cannot be a literal string). Additionally, the entire `source` value must match the `wildcard_pattern` parameter (it cannot match only part of the field value).

To enter a literal `*` character in the `wildcard_pattern` parameter, you must escape it using `\*`. Additionally, you must also escape `\` using `\\`. Two unescaped `*` characters in a row (`**`) in this parameter are considered invalid and cannot be used. If you need to perform character escaping, it is recommended that you use the [raw string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#raw-string-syntax) for the `wildcard_pattern` parameter.

To enter a literal `$` character in the `replacement` parameter, you must escape it using `$$`.

To perform case-sensitive wildcard matching, set the `flags` parameter to `"s"`.

This function uses lazy matching, that is, it tries to match each `*` metacharacter with the shortest possible string.

You can only use the `wildcard_replace()` function once in an expression, and you cannot nest it with the [regex\_replace()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#regex%5Freplace) function.

Examples:

* If the full URI is `https://apps.example.com/calendar/admin?expand=true`,  
`wildcard_replace(http.request.full_uri, "https://*.example.com/*/*", "https://example.com/${1}/${2}/${3}")` will return `https://example.com/apps/calendar/admin?expand=true`
* If the full URI is `https://example.com/applications/app1`,  
`wildcard_replace(http.request.full_uri, "/applications/*", "/apps/${1}")` will return `https://example.com/applications/app1` (unchanged value, since there is no match for the full URI value; you should use the `http.request.uri.path` field for URI path matching).
* If the URI path is `/calendar`,  
`wildcard_replace(http.request.uri.path, "/*", "/apps/${1}")` will return `/apps/calendar`.
* If the URI path is `/Apps/calendar`,  
`wildcard_replace(http.request.uri.path, "/apps/*", "/${1}")` will return `/calendar` (case-insensitive match by default).
* If the URI path is `/Apps/calendar`,  
`wildcard_replace(http.request.uri.path, "/apps/*", "/${1}", "s")` will return `/Apps/calendar` (unchanged value) because there is no case-sensitive match.
* If the URI path is `/apps/calendar/login`,  
`wildcard_replace(http.request.uri.path, "/apps/*/login", "/${1}/login")` will return `/calendar/login`.

For more examples of wildcard matching, refer to [Wildcard matching](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#wildcard-matching).

Note

Currently, you can only use the `wildcard_replace()` function in rewrite expressions of [URL rewrites](https://developers.cloudflare.com/rules/transform/url-rewrite/) and target URL expressions of [dynamic URL redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).

## Cloudflare Network Firewall Functions

### `bit_slice`

`` bit_slice(protocol ` String `, offset_start ` Number `, offset_end ` Number `) ``: ` Number `

This function looks for matches on a given slice of bits.

The offset starts on the given protocol header. For example, to match on the first bit of payload for a UDP packet, you must set `offset_start` to `64`.

This is primarily intended for use with `ip`, `udp`, and `tcp`.

The slice (`offset_end` – `offset_start`) cannot be longer than 32 bits, but multiple calls can be joined together by using logical expressions.

The `bit_slice` offset cannot exceed 2,040 bits.

## HMAC validation

Note

Access to the HMAC validation function requires a Cloudflare Pro, Business, or Enterprise plan.

### Overview

You can validate hash-based message authentication code (HMAC) tokens in a rule expression by using the `is_timed_hmac_valid_v0()` function, which has this signature:

```
is_timed_hmac_valid_v0(
  <String literal as Key>,
  <String field as MessageMAC>,
  <Integer literal as ttl>,
  <Integer as currentTimeStamp>,
  <Optional Integer literal as lengthOfSeparator, default: 0>,
  <Optional String literal as flags>
) -> <Bool as result>
```

The `is_timed_hmac_valid_v0()` function has these parameter definitions:

* `Key` ` String literal `  
   * Specifies the secret cryptographic key for validating the HMAC.
* `MessageMAC` ` String `  
   * Contains a concatenation of these HMAC elements: `message`, `separator`, `timestamp`, `mac`. For a definition and an example, refer to [MessageMAC](#messagemac).
* `ttl` ` Integer literal `  
   * Defines the time-to-live for the HMAC token, expressed in seconds. Determines how long the token is valid, relative to the time it was issued.
* `currentTimeStamp` ` Integer `  
   * Represents the UNIX timestamp when Cloudflare received the request, expressed in seconds. Pass the `http.request.timestamp.sec` field as an approximate value to this argument.
* `lengthOfSeparator` ` Integer literal ` optional  
   * Specifies the length of the `separator` between the `timestamp` and the `message` in the `MessageMAC`. Expressed in bytes, with a default value of `0`.
* `flags` ` String literal ` optional  
   * When you set this optional argument to `'s'`, the function expects the value of the Base64-encoded `mac` in the `MessageMAC` argument to use the URL-safe character set with no padding.  
   * When you do **not** set the value of `flags` to `'s'`, you must URL encode the Base64 value for `mac` in the `MessageMAC` argument.

### Usage

The `is_timed_hmac_valid_v0()` function uses the supplied _Key_ to generate a message authentication code (MAC) from the `message` and the `timestamp` regions of the MessageMAC. When the generated MAC matches the `mac` region of the MessageMAC and the token has not expired, the HMAC is valid and the function returns `true`.

For example, the following expression matches requests to `downloads.example.com` that do not include valid HMAC tokens:

```
http.host == "downloads.example.com"
and not is_timed_hmac_valid_v0("mysecretkey", http.request.uri, 100000, http.request.timestamp.sec, 8)
```

For examples of rules that use HMAC validation, refer to [Configure token authentication](https://developers.cloudflare.com/waf/custom-rules/use-cases/configure-token-authentication/) in the WAF documentation.

### MessageMAC

A valid MessageMAC satisfies the following regular expression:

```
(.+)(.*)(\d{10})-(.{43,})
```

and is composed of these parentheses-delimited expressions:

| Expression | Description | Example |
| ---------- | ----------- | ------- |
| (.+)       | The message to validate. | /download/cat.jpg |
| (.\*)      | The separator between message and timestamp, commonly a parameter name. | &verify= |
| (\\d{10})  | The 10-digit UNIX timestamp when the MAC was issued, expressed in seconds. | 1484063137 |
| (.{43,})   | A Base64-encoded version of the mac. When you do not set the value of the `flags` argument in the HMAC validation function to `'s'`, you must URL-encode the Base64 value for mac. When the Base64 MAC encoding is URL-safe, the mac value contains 43 bytes. Otherwise, the value will be 44 bytes or more, because of URL encoding. | IaLGSmELTvlhfd0ItdN6PhhHTFhzx73EX8uy%2FcSDiIU%3D |

For details on generating a MessageMAC, refer to [HMAC token generation](https://developers.cloudflare.com/waf/custom-rules/use-cases/configure-token-authentication/#hmac-token-generation).

## HMAC validation examples

Note

When you do not use the optional `flags` argument for `is_timed_hmac_valid_v0()`, you must URL-encode the Base64 value for `mac` in the `MessageMAC` argument.

For more information, refer to [HMAC Validation: Overview](#overview).

### MessageMAC in a single field

Consider the case where the MessageMAC is contained entirely within a single field, as in this example URI path:

```
/download/cat.jpg?verify=1484063787-IaLGSmELTvlhfd0ItdN6PhhHTFhzx73EX8uy%2FcSDiIU%3D
```

Note how the URI maps to the elements of the MessageMAC:

| Element   | Value                                            |
| --------- | ------------------------------------------------ |
| message   | /download/cat.jpg                                |
| separator | ?verify= (with length 8)                         |
| timestamp | 1484063787                                       |
| mac       | IaLGSmELTvlhfd0ItdN6PhhHTFhzx73EX8uy%2FcSDiIU%3D |

When the MessageMAC is contained entirely within a single field such as `http.request.uri`, pass the field name to the `MessageMAC` argument of the HMAC validation function:

```
is_timed_hmac_valid_v0(
  "mysecretkey",
  http.request.uri,
  100000,
  http.request.timestamp.sec,
  8
)
```

### Concatenated MessageMAC argument

To compose a MessageMAC from more than one field, use the [concat()](#concat) function.

This example constructs the value of the `MessageMAC` argument by concatenating the request URI and two header fields:

```
is_timed_hmac_valid_v0(
  "mysecretkey",
  concat(
    http.request.uri,
    http.request.headers["timestamp"][0],
    "-",
    http.request.headers["mac"][0]),
  100000,
  http.request.timestamp.sec,
  0
)
```
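The following Python model is an added example, not Cloudflare's implementation: it parses a MessageMAC as laid out in the tables above and checks it the way this section describes, covering both the single-field and the concatenated (separator length `0`) cases. It assumes HMAC-SHA256 computed over the message immediately followed by the timestamp, and that a token expires once the current time exceeds the issue time plus the TTL; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Layout from the page: <message><separator><10-digit timestamp>-<mac>.
# URL-encoded standard Base64 never contains '-', so the mac starts after the
# last '-'. The URL-safe alphabet does contain '-', so that form is located by
# its fixed length of 43 characters instead.
STANDARD = re.compile(r"(?s)^(.+)(\d{10})-([A-Za-z0-9%]{44,})$")
URL_SAFE = re.compile(r"(?s)^(.+)(\d{10})-([A-Za-z0-9_-]{43})$")


def encode_mac(key, message, timestamp, url_safe):
    """Base64 form of HMAC-SHA256(key, message + timestamp) (assumed scheme)."""
    digest = hmac.new(key.encode(), f"{message}{timestamp}".encode(),
                      hashlib.sha256).digest()
    if url_safe:
        # URL-safe alphabet without padding: always 43 characters.
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return base64.b64encode(digest).decode()


def make_message_mac(key, message, separator, issued_at, url_safe=False):
    """Build a MessageMAC the way an origin would when issuing a link."""
    mac = encode_mac(key, message, str(issued_at), url_safe)
    if not url_safe:
        mac = quote(mac, safe="")  # '+', '/' and '=' must be URL-encoded
    return f"{message}{separator}{issued_at}-{mac}"


def parse_message_mac(message_mac, separator_length, url_safe=False):
    """Split a MessageMAC into its four regions, or return None."""
    match = (URL_SAFE if url_safe else STANDARD).match(message_mac)
    if match is None:
        return None
    prefix, timestamp, mac = match.groups()
    if len(prefix) <= separator_length:
        return None  # nothing left over for the message region
    cut = len(prefix) - separator_length
    return {"message": prefix[:cut], "separator": prefix[cut:],
            "timestamp": timestamp, "mac": mac}


def is_timed_hmac_valid(key, message_mac, ttl, now, separator_length, flags=""):
    """Model of the check: MAC must match and the token must not be expired."""
    url_safe = flags == "s"
    parts = parse_message_mac(message_mac, separator_length, url_safe)
    if parts is None:
        return False
    if now > int(parts["timestamp"]) + ttl:
        return False  # expired (boundary behaviour is an assumption)
    expected = encode_mac(key, parts["message"], parts["timestamp"], url_safe)
    supplied = parts["mac"] if url_safe else unquote(parts["mac"])
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

The separator is not covered by the MAC, so a wrong separator length shifts the message boundary and the check fails even for an untampered token.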

---

---
title: Operators and grouping symbols
description: Learn about comparison, logical operators, and grouping symbols in Cloudflare's Rules language. Understand precedence and how to structure expressions.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Operators and grouping symbols

The Cloudflare Rules language supports comparison and logical operators:

* [Comparison operators](#comparison-operators) specify how values defined in an expression must relate to the actual HTTP request value for the expression to return `true`.
* [Logical operators](#logical-operators) combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.

[Grouping symbols](#grouping-symbols) allow you to organize expressions, enforce precedence, and nest expressions.

## Comparison operators

Comparison operators return `true` when a value from an HTTP request matches a value defined in an expression.

This is the general pattern for using comparison operators:

```
<field> <comparison_operator> <value>
```

The Rules language supports these comparison operators:

| Name | English notation | C-like notation | Supports String <sup>1</sup> | Supports IP | Supports Number | Example (operator in bold) |
| ---- | ---------------- | --------------- | ---------------------------- | ----------- | --------------- | -------------------------- |
| Equal | eq | \== | ✅ | ✅ | ✅ | http.request.uri.path **eq** "/articles/2008/" |
| Not equal | ne | != | ✅ | ✅ | ✅ | ip.src **ne** 203.0.113.0 |
| Less than | lt | < | ✅ | ❌ | ✅ | cf.waf.score **lt** 10 |
| Less than or equal | le | <= | ✅ | ❌ | ✅ | cf.waf.score **le** 20 |
| Greater than | gt | \> | ✅ | ❌ | ✅ | cf.waf.score **gt** 25 |
| Greater than or equal | ge | \>= | ✅ | ❌ | ✅ | cf.waf.score **ge** 60 |
| Contains | contains | | ✅ | ❌ | ❌ | http.request.uri.path **contains** "/articles/" |
| [Wildcard](#wildcard-matching) (case-insensitive) | wildcard | | ✅ | ❌ | ❌ | http.request.uri.path **wildcard** "/articles/\*" |
| [Strict wildcard](#wildcard-matching) (case-sensitive) | strict wildcard | | ✅ | ❌ | ❌ | http.request.uri.path **strict wildcard** "/AdminTeam/\*" |
| [Matches regex](#regular-expression-matching) <sup>2</sup> | matches | \~ | ✅ | ❌ | ❌ | http.request.uri.path **matches** "^/articles/200\[7-8\]/$" |
| Is in set of values / list <sup>3</sup> | in | | ✅ | ✅ | ✅ | ip.src **in** { 203.0.113.0 203.0.113.1 }<br>ip.src.asnum **in** $<LIST> |

<sup>1</sup> All string operators are case-sensitive unless explicitly stated as case-insensitive, such as the `wildcard` operator.  
<sup>2</sup> Access to the `matches` operator requires a Cloudflare Business or Enterprise plan.  
<sup>3</sup> Currently, not all Cloudflare products support lists in their expressions. For more information on lists, refer to [Inline lists](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#inline-lists) and [Lists](https://developers.cloudflare.com/waf/tools/lists/).

Warning

Comparison operators entered using English notation (such as `eq`, `lt`, and `gt`) must be written in lowercase.

### Additional operators in the Cloudflare dashboard

The Cloudflare dashboard may show the following additional operators, depending on the exact field and the type of rule:

* _starts with_ (corresponding to the [starts\_with()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#starts%5Fwith) function): Returns `true` when a string starts with a given substring, and `false` otherwise.
* _ends with_ (corresponding to the [ends\_with()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#ends%5Fwith) function): Returns `true` when a string ends with a given substring, and `false` otherwise.
* _is in list_ (corresponding to `<FIELD> in $<LIST_NAME>`): Returns `true` when the field value is present in the specified [list](https://developers.cloudflare.com/waf/tools/lists/), and `false` otherwise. For more information, refer to [Use lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/).
* _is not in list_ (corresponding to `not <FIELD> in $<LIST_NAME>`): Returns `true` when the field value is not present in the specified [list](https://developers.cloudflare.com/waf/tools/lists/), and `false` otherwise. For more information, refer to [Use lists in expressions](https://developers.cloudflare.com/waf/tools/lists/use-in-expressions/).

Note

When writing your own custom expressions, you must use the `starts_with()` and `ends_with()` functions in function calls, not as operators. For example:

```
# Valid function call
ends_with(http.request.uri.path, ".html")

# Invalid use of ends_with function
http.request.uri.path ends_with ".html"
```

### Comparing string values

String comparison in rule expressions is case-sensitive. To account for possible variations of string capitalization in an expression, you can use the [lower()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#lower) function and compare the result with a lowercased string, like in the following example:

```
lower(http.request.uri.path) contains "/wp-login.php"
```

[Wildcard matching](#wildcard-matching) is only supported with the `wildcard` and `strict wildcard` operators, and [regular expression matching](#regular-expression-matching) is only supported with the `matches` operator.

### Wildcard matching

The `wildcard` operator performs a case-insensitive match between a field value and a literal string containing zero or more `*` metacharacters. Each `*` metacharacter represents zero or more characters. The `strict wildcard` operator performs a similar match, but is case-sensitive.

When using the `wildcard`/`strict wildcard` operator, the entire field value must match the literal string with wildcards (the literal after the operator).

Example A

```
# The following expression:
http.request.full_uri wildcard "http*://example.com/a/*"

# Would match the following URIs:
# - https://example.com/a/           (the '*' matches zero characters)
# - http://example.com/a/
# - https://example.com/a/page.html
# - https://example.com/a/sub/folder/?name=value

# Would NOT match the following URIs:
# - https://example.com/ab/
# - https://example.com/b/page.html
# - https://sub.example.com/a/
```

Example B

```
# The following expression:
http.request.full_uri wildcard "*.example.com/*/page.html"

# Would match the following URIs:
# - http://sub.example.com/folder/page.html
# - https://admin.example.com/team/page.html
# - https://admin.example.com/team/subteam/page.html

# Would NOT match the following URIs:
# - https://example.com/ab/page.html                   ('*.example.com' matches only subdomains)
# - https://sub.example.com/folder2/page.html?s=value  (http.request.full_uri includes the query string and its full value does not match)
# - https://sub.example.com/a/                         ('page.html' is missing)
```

Slashes (`/`) have no special meaning in wildcard matches. In this example, the second `*` metacharacter in the expression `http.request.full_uri wildcard "*.example.com/*/page.html"` matched `folder`, `team`, and `team/subteam`.

Example C

```
# The following expression:
http.request.full_uri wildcard "*.example.com/*" or http.request.full_uri wildcard "http*://example.com/*"

# Would match the following URIs:
# - https://example.com/folder/list.htm
# - https://admin.example.com/folder/team/app1/
# - https://admin.example.com/folder/team/app1/?s=foobar
```

The matching algorithm used by the `wildcard` operator is case-insensitive. To perform case-sensitive wildcard matching, use the `strict wildcard` operator.

To enter a literal `*` character in a literal string with wildcards you must escape it using `\*`. Additionally, you must also escape `\` using `\\`. Two unescaped `*` characters in a row (`**`) in a wildcard literal string are considered invalid and cannot be used. If you need to perform character escaping, it is recommended that you use the [raw string syntax](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#raw-string-syntax) to specify a literal string with wildcards.

Wildcard matching versus regex matching

The `wildcard`/`strict wildcard` operators always consider the entire field value (left-side operand) when determining if there is a match. The `matches` operator can match a partial value.
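The matching rules described in this section can be checked offline with a small Python model. This is an added example, not Cloudflare's implementation; the function names are hypothetical, and rejecting a backslash that does not escape `*` or `\` is an assumption of the model.

```python
import re


def compile_wildcard(pattern, strict=False):
    """Translate a wildcard literal into a compiled regex (model only).

    Rules taken from the page: '*' matches zero or more characters, '\\*' is a
    literal asterisk, '\\\\' is a literal backslash, and '**' is invalid.
    """
    parts = []
    previous_was_star = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # Assumption: only '*' and '\' may follow a backslash.
            if i + 1 >= len(pattern) or pattern[i + 1] not in "*\\":
                raise ValueError("backslash must escape '*' or '\\'")
            parts.append(re.escape(pattern[i + 1]))
            previous_was_star = False
            i += 2
        elif ch == "*":
            if previous_was_star:
                raise ValueError("two unescaped '*' in a row are invalid")
            parts.append(".*")  # slashes get no special treatment
            previous_was_star = True
            i += 1
        else:
            parts.append(re.escape(ch))
            previous_was_star = False
            i += 1
    flags = re.DOTALL if strict else re.DOTALL | re.IGNORECASE
    return re.compile("".join(parts), flags)


def wildcard_match(value, pattern, strict=False):
    """True when the ENTIRE value matches the wildcard literal."""
    return compile_wildcard(pattern, strict).fullmatch(value) is not None


def audit(pattern, candidates, strict=False):
    """Return the subset of candidate values that the pattern would match."""
    return [value for value in candidates if wildcard_match(value, pattern, strict)]
```

Running `audit()` over a list of URIs that a rule must and must not cover makes over-broad patterns visible before deployment, for example a `*` that also spans `/` and pulls in nested paths.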

### Regular expression matching

Customers on Business and Enterprise plans have access to the `matches` operator. Regular expression matching is performed using the Rust regular expression engine.

If you are using a regular expression, you can test it using a tool like [Regular Expressions 101](https://regex101.com/?flavor=rust&regex=) or [Rustexp](https://rustexp.lpil.uk/).

For more information on regular expressions, refer to [String values and regular expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/values/#string-values-and-regular-expressions).

## Logical operators

Logical operators combine two or more expressions into a single compound expression. A compound expression has this general syntax:

```
<expression> <logical_operator> <expression>
```

### Supported logical operators

Each logical operator has an [order of precedence](#order-of-precedence). The order of precedence (along with [grouping symbols](#grouping-symbols)) determines the order in which Cloudflare evaluates logical operators in an expression. The `not` operator ranks first in order of precedence.

| Name                       | English notation | C-like notation | Example                                                                      | Order of precedence |
| -------------------------- | ---------------- | --------------- | ---------------------------------------------------------------------------- | ------------------- |
| Logical NOT                | not              | !               | **not** ( http.host eq "www.cloudflare.com" and ip.src in {203.0.113.0/24} ) | 1                   |
| Logical AND                | and              | &&              | http.host eq "www.cloudflare.com" **and** ip.src in {203.0.113.0/24}         | 2                   |
| Logical XOR (exclusive OR) | xor              | ^^              | http.host eq "www.cloudflare.com" **xor** ip.src in {203.0.113.0/24}         | 3                   |
| Logical OR                 | or               | \|\|            | http.host eq "www.cloudflare.com" **or** ip.src in {203.0.113.0/24}          | 4                   |

Warning

Logical operators entered using English notation (such as `not`, `and`, and `or`) must be written in lowercase.

### Order of precedence

When writing compound expressions, it is important to be aware of the precedence of logical operators so that your expression is evaluated the way you expect.

For example, consider the following generic expression, which uses `and` and `or` operators:

```
Expression1 and Expression2 or Expression3
```

If these operators had no order of precedence, it would not be clear which of two interpretations is correct:

1. Match when Expression 1 and Expression 2 are both true **or** when Expression 3 is true.
2. Match when Expression 1 is true **and** either Expression 2 or Expression 3 is true.

Since the logical `and` operator has precedence over logical `or`, the `and` operator must be evaluated first. Interpretation 1 is correct.

To avoid ambiguity when working with logical operators, use grouping symbols so that the order of evaluation is explicit.

## Grouping symbols

The Rules language supports parentheses (`(`,`)`) as grouping symbols. Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.

Only the [Expression Editor](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor) and the [Cloudflare API](https://developers.cloudflare.com/api/) support grouping symbols. The [Expression Builder](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) does not.

### Group expressions

Use parentheses to explicitly group expressions that should be evaluated together. In this example, the parentheses do not alter the evaluation of the expression, but they unambiguously call out which logical operators to evaluate first.

```
(Expression1 and Expression2) or Expression3
```

Because grouping symbols are so explicit, you are less likely to make errors when you use them to write compound expressions.

### Enforce precedence

Grouping symbols are a powerful tool to enforce precedence for grouped elements of a compound expression. In this example, parentheses force the logical `or` operator to be evaluated before the logical `and`:

```
Expression1 and (Expression2 or Expression3)
```

Without parentheses, the logical `and` operator would take precedence.

### Nest expressions

You can nest expressions grouped by parentheses inside other groups to create very precise, sophisticated expressions, such as this example for a rule designed to block access to a domain:

```
(
 (http.host eq "api.example.com" and http.request.uri.path eq "/api/v2/auth") or
 (http.host matches "^(www|store|blog)\.example\.com" and http.request.uri.path contains "wp-login.php") or
 ip.src.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.src.asnum in {12345 54321 11111}
) and not ip.src in {11.22.33.0/24}
```

Note that when evaluating the precedence of logical operators, parentheses inside strings delimited by quotes are ignored, such as those in the following regular expression, drawn from the example above:

```
"^(www|store|blog)\.example\.com"
```

---

---
title: Values
description: Learn about values in Cloudflare's Rules language, including string, boolean, array, and map types, and how to use them in rule expressions.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Values

When an HTTP request reaches the Cloudflare global network, Cloudflare creates a table of field–value pairs against which to match expressions. This table exists for as long as the current request is being processed.

The values that populate the lookup tables of the Rules language are drawn from a variety of sources:

* **Primitive properties** are obtained directly from the request (`http.request.uri.path`, for example).
* **Derived values** are the product of a transformation, composition, or basic operation. For example, the transformation `lower(http.request.uri.path)` converts the value of `http.request.uri.path` to lowercase.
* **Computed values** are the product of a lookup, computation, or other intelligence. For example, Cloudflare uses a machine learning process to dynamically calculate attack scores, represented by `cf.waf.score*` fields.

Besides these values, expressions may also contain literal values. These are static, known values that you incorporate into expressions to compare them with values from request/response fields with or without any transformations.

When working with values in rule expressions, keep in mind the information in the following sections.

## String values and regular expressions

Strings are sequences of bytes enclosed by specific delimiters.

Cloudflare rules support two formats for specifying literal strings, including regular expressions: [quoted literal strings](#quoted-string-syntax) and [raw strings](#raw-string-syntax). These formats have different delimiters and escaping mechanisms.

You can use either of the two string formats to specify regular expressions in an expression. However, Cloudflare recommends that you use the [raw string syntax](#raw-string-syntax), since the quoted string syntax has complex escaping rules and can lead to unexpected behaviors if not thoroughly tested.

Regular expression matching is performed using the Rust regular expression engine.

### Quoted string syntax

When using the quoted string syntax, a string literal is delimited by `"` (double quote) characters. This format requires that you escape special characters `"` and `\` using `\"` and `\\`, respectively.

The quoted string syntax has the following additional escaping requirements:

* When used to specify a regular expression on the right-hand side of the [regex operator](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) (`matches` or `~`), the string is parsed using regex escaping rules.
* When used on the right-hand side of expressions with other operators, or in [function parameters](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/), the string is parsed using basic escaping rules.

Examples

```
# Test if URI path contains 'a"b'
http.request.uri.path matches "a\"b"

# Test if URI path contains 'a"#b'
http.request.uri.path matches "a\"#b"

# Replace 'a' with '\' (backslash)
regex_replace(http.host, "a", "\\")
```

Warning

In some situations you will need to double-escape a string — for example, when using the [regex\_replace()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#regex%5Freplace) function with a regular expression matching a backslash (`\`).

In this case, you must do the basic escaping required by strings as function parameters (using `\\` for each `\` character) and also the regex escaping (using `\\` for each `\` character), since the backslash has a special meaning in regular expressions.

Therefore, to replace a backslash (`\`) with the `a` character using `regex_replace()` you would use the following expression:

```
regex_replace(http.host, "\\\\", "a")
```

To avoid this situation, Cloudflare recommends that you use the [raw string syntax](#raw-string-syntax) for specifying regular expressions.

### Raw string syntax

To specify a string (or regular expression) using the raw string syntax you use special delimiters:

* The initial delimiter is composed of an `r` character, optionally followed by one or more `#` characters (up to 255), followed by a `"` (double quote) character.
* The ending delimiter is a `"` (double quote) character followed by the same number of `#` characters as in the initial delimiter (from 0 to 255).

In a raw string there are no special characters, so all characters up to the ending delimiter are interpreted as is (there are no escape sequences).

Unlike the quoted string syntax, the raw string syntax is always the same, regardless of the context where it is being used (for example, as a regular expression with a [regex operator](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) or as a parameter of a [function call](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/)).

Examples

```
# Test if URI path contains 'a"b'
http.request.uri.path matches r#"a"b"#

# Test if URI path contains 'a"#b'
http.request.uri.path matches r##"a"#b"##

# Replace '\' (backslash) with 'a'
# You must still escape the '\' character in the following raw string because it has a special meaning in regular expressions
regex_replace(http.host, r"\\", "a")

# Test if URI path ends with '/api/login.aspx'
# You must still escape the '.' character in the following raw string because it has a special meaning in regular expressions ("any character")
http.request.uri.path matches r"/api/login\.aspx$"
```

### Case sensitivity in string comparisons

Since the evaluation of string literal values in expressions is case-sensitive, consider one of the following options to capture capitalization variants in your expression:

* Use the [wildcard](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#wildcard-matching) operator, which is case-insensitive, to match a string literal.
* Use the [lower()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#lower) function to convert the string to lowercase before comparison.
* Use the [matches](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#regular-expression-matching) operator (only available in Business and Enterprise plans) with a regular expression that matches different variants.
* Write several sub-expressions with the [eq](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) or [contains](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) operator, joined with the [or](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#supported-logical-operators) operator, to capture different variations of the string literal (for example, `<field> eq "a" or <field> eq "A"`).

### Regular expression limits

Cloudflare has a few limits in place regarding regular expressions. One of those limits is that each rule supports a maximum of 64 regular expressions (regexes), regardless of your domain's plan.

You can use the following strategies to reduce the number of regular expressions in a rule:

* Use the [contains](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#comparison-operators) operator.
* Use the [wildcard](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#wildcard-matching) / [strict wildcard](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#wildcard-matching) operators.
* Use the [starts\_with()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#starts%5Fwith) and [ends\_with()](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#ends%5Fwith) functions.

## Boolean values

Simple expressions using boolean fields do not require operator notations or values. You only need to insert the field on its own, as shown in the `ssl` example below.

```
ssl
```

This simple expression matches requests where the value of the `ssl` field is `true`.

To match requests where `ssl` is `false`, use the boolean `not` operator:

```
not ssl
```

## Arrays

The Cloudflare Rules language includes [fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/) of `Array` type and [functions](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/) with `Array` arguments and return values.

You can access individual array elements using an index (a non-negative value) between square brackets (`[]`). Array indexes start at `0` (zero).

Use the special notation `[*]` when specifying an expression that will be evaluated for each array element (like the [map higher-order function](https://wikipedia.org/wiki/Map%5F%28higher-order%5Ffunction%29)). This special index notation will unpack the array, call the enclosing function for all its elements individually, and return a new array containing all the individual return values.

### Examples

Consider the `http.request.headers.names` field with type `Array<String>` in the following examples:

* Obtain the first element in the array:  
`http.request.headers.names[0]`
* Check if the first array element is equal to `Content-Type` (case sensitive):  
`http.request.headers.names[0] == "Content-Type"`
* Check if any array element is equal to `Content-Type` (case sensitive):  
`any(http.request.headers.names[*] == "Content-Type")`
* Check if any array element is equal to `Content-Type`, ignoring the case:  
`any(lower(http.request.headers.names[*])[*] == "content-type")`

In the last example, the `lower()` function includes the `[*]` notation so that the function is evaluated for each array element. This function, used along with `[*]`, returns a new array where each element of the input array is converted to lowercase. Then, the string comparison uses `[*]` to transform the array resulting from applying `lower()` to each header name into an array of boolean values. Finally, `any()` evaluates to true if at least one of these array elements is true.

### Notes

It is not possible to define your own arrays. You can only use arrays returned by fields, either directly or modified by functions.

Accessing an out-of-bounds array index produces a "missing value". A missing value has the following behavior:

* Any comparison `<expr> <op> <literal>` where `<expr>` evaluates to a missing value will evaluate to false.
* Function calls like `function(<expr>)`, where `<expr>` evaluates to a missing value, will return a missing value in most cases, but the exact behavior can vary per function.

You can only use `[*]` multiple times in the same expression if applied to the same array. Also, you can only use `[*]` in the first argument of a function call.

The Rules language [operators](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/) do not directly support arrays or the `[*]` operator — however, they support indexed array elements like `array_value[0]`. For example, you cannot use `[*]` with the `==` operator outside the context of an enclosing function call:

* `http.request.headers.names[*] == "Content-Type"` — **Invalid** expression
* `any(http.request.headers.names[*] == "Content-Type")` — **Valid** expression

## Maps

A map, also called an associative array, is a data structure that stores a collection of key-value pairs, where the key must be a `String` and the value can be of any type (for example, a `String` or an array of values). All values in a map must have the same type.

The Cloudflare Rules language includes several [fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/) of `Map` data type. The type notation for map fields, for example `Map<Array<String>>`, indicates the data type of the values associated with keys (an `Array` of `String` elements). This means that when you access the value of key `"foo"` you will get either an array of `String` elements or a [missing value](#notes-1).

To access a value in a map, enter the key between square brackets (`[]`):

```
<MAP_FIELD>[<KEY>]
```

For maps where the values have an `Array` type, you cannot directly use [operators](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/) with the obtained (array) value, since these operators do not support arrays directly. To use an operator on an item of the array, use the special notation `[*]` when specifying an expression. This special index notation will unpack the array, call the enclosing function for all its elements individually, and return a new array containing all the individual return values.

### Examples

The following example is based on the [http.request.headers](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.headers/) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.

If an incoming HTTP request included a single `Accept: application/json` HTTP header, the following expressions would evaluate to the indicated values:

```
http.request.headers["accept"]     # ==> ["application/json"]
http.request.headers["accept"][0]  # ==> "application/json"

any(http.request.headers["accept"][*] == "application/json") # ==> true
any(http.request.headers["accept"][*] == "text/plain")       # ==> false
```

The following example is based on the [http.request.uri.args](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.

If an HTTP request included three `filter` URI arguments `waf`, `botm`, and `cdn`, the following expressions would evaluate to the indicated values:

```
# Example request URL:
# https://example.com/?filter=waf&filter=botm&filter=cdn

http.request.uri.args["filter"]          # ==> ["waf", "botm", "cdn"]

len(http.request.uri.args["filter"][1])  # ==> 4

# Check if the length of all 'filter' values is always 3 or 4
all(len(http.request.uri.args["filter"][*])[*] in {3 4})      # ==> true

# Check if the length of 'filter' values (if any) is never 3 or 4
all(not len(http.request.uri.args["filter"][*])[*] in {3 4})  # ==> false

# Check if the http.request.uri.args map contains a "filter" key
len(http.request.uri.args["filter"]) >= 0     # ==> true

# Check if the http.request.uri.args map does not contain an "order" key
not len(http.request.uri.args["order"]) >= 0  # ==> true
```

For more information on `any()`, `all()`, `len()`, and other available functions, refer to [Functions](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/).

### Notes

It is not possible to define your own maps. You can only use maps returned by fields.

Accessing a non-existing key in a map produces a "missing value". A missing value has the following behavior:

* Any comparison `<expr> <op> <literal>` where `<expr>` evaluates to a missing value will evaluate to false.
* Function calls like `function(<expr>)`, where `<expr>` evaluates to a missing value, will return a missing value in most cases, but the exact behavior can vary per function.
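
The missing-value rules for arrays and maps mean that a negative comparison (`ne`) on an absent header is also false, so a rule written as "header is not X" does not match requests that omit the header. The following Python model is an added example, not Cloudflare code: it implements only the behaviors stated on this page, the sample requests are constructed, and the `hardened_not_json` expression is an illustrative assumption built from the page's `len(...) >= 0` key check.

```python
import operator


class _Missing:
    """Singleton standing in for the Rules language "missing value"."""

    def __repr__(self):
        return "MISSING"


MISSING = _Missing()


def map_get(field, key):
    """<MAP_FIELD>[<KEY>]: a non-existing key produces a missing value."""
    return field.get(key, MISSING)


def index(array, i):
    """array[i]: an out-of-bounds index produces a missing value."""
    if array is MISSING or not 0 <= i < len(array):
        return MISSING
    return array[i]


def length(value):
    """len(): stays missing for a missing input (the page's "order" example)."""
    return MISSING if value is MISSING else len(value)


def compare(value, op, literal):
    """<expr> <op> <literal>: always false when <expr> is a missing value."""
    return False if value is MISSING else op(value, literal)


def unpack(array, fn):
    """array[*] in a function call: apply fn per element, return a new array."""
    return MISSING if array is MISSING else [fn(e) for e in array]


def has_key(field, key):
    """len(<MAP_FIELD>[<KEY>]) >= 0"""
    return compare(length(map_get(field, key)), operator.ge, 0)


def filter_lengths_all_3_or_4(args):
    """all(len(http.request.uri.args["filter"][*])[*] in {3 4})
    Only called on an existing key: the page does not define all() on a missing value."""
    lengths = unpack(map_get(args, "filter"), len)
    return all(unpack(lengths, lambda n: n in {3, 4}))


def naive_not_json(headers):
    """http.request.headers["accept"][0] ne "application/json" """
    first = index(map_get(headers, "accept"), 0)
    return compare(first, operator.ne, "application/json")


def hardened_not_json(headers):
    """not len(http.request.headers["accept"]) >= 0
       or http.request.headers["accept"][0] ne "application/json" """
    return not has_key(headers, "accept") or naive_not_json(headers)


# Constructed sample requests (header names are lowercase map keys).
ARGS = {"filter": ["waf", "botm", "cdn"]}
JSON_CLIENT = {"accept": ["application/json"]}
HTML_CLIENT = {"accept": ["text/html"]}
NO_ACCEPT = {"user-agent": ["example-client/1.0"]}

if __name__ == "__main__":
    for name, req in [("json", JSON_CLIENT), ("html", HTML_CLIENT), ("none", NO_ACCEPT)]:
        print(name, "naive:", naive_not_json(req), "hardened:", hardened_not_json(req))
```

The request without an `Accept` header is the only one where the two expressions disagree: the naive rule skips it, the hardened one matches it.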

## Lists

Lists allow you to create a group of items and refer to them collectively, by name, in your expressions. Each list type supports items of a specific data type. All items in a list must have the same data type. For details on the available list types, refer to [Lists](https://developers.cloudflare.com/waf/tools/lists/#supported-lists).

To refer to a list in a rule expression, use `$<list_name>` and specify the `in` [operator](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/). Only one value in the list has to match the left-hand side of the expression (before the `in` operator) for the simple expression to evaluate to `true`. If there is no match, the expression will evaluate to `false`.

The following example expression filters requests from IP addresses that are in an [IP list](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists) named `office_network`:

```
(ip.src in $office_network)
```

List names can only include lowercase letters, numbers, and the underscore (`_`) character. For guidance on creating and managing lists, refer to [Lists](https://developers.cloudflare.com/waf/tools/lists/).

### Inline lists

Inline lists allow you to directly include a list of values in a simple expression that uses the `in` operator.

Elements in an inline list can be strings, integers, or IP addresses/ranges. All elements of an inline list must have the same data type and they must be literal values. To specify inline list elements, enter them individually, separating elements with a space. Inline lists can contain duplicate values.

Additionally, for some data types you can use ranges as elements:

* For integer values, enter ranges in the form `<start_value>..<end_value>`. An inline list can contain both integer ranges and integer values.
* For IP addresses, you can enter:  
   * Explicit IP ranges in the form `<start_address>..<end_address>` (for example, `198.51.100.3..198.51.100.7`).  
   * CIDR ranges (for example, `192.0.2.0/24` or `2001:0db8::/32`).  
An inline list can contain explicit IP ranges, CIDR ranges, and individual IP addresses.

Examples

```
http.host in {"example.com" "example.net"}

ip.src in {198.51.100.1 198.51.100.3..198.51.100.7 192.0.2.0/24 2001:0db8::/32}

tcp.dstport in {8000..8009 8080..8089}
```
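
To check offline which values an inline list covers before deploying a rule, the element rules above can be modelled in a few lines of Python. This is an added example, not Cloudflare's parser; it assumes that ranges are inclusive, that strings contain no escaped quotes, and that an empty list is rejected.

```python
import ipaddress
import re

# Quoted strings may contain spaces; every other element is a bare token.
_TOKEN = re.compile(r'"[^"]*"|[^\s{}]+')
_INT = re.compile(r"^\d+$")


def _parse_element(token):
    """Classify one element and normalise it to (kind, value)."""
    if token.startswith('"'):
        if len(token) < 2 or not token.endswith('"'):
            raise ValueError(f"unterminated string: {token}")
        return "string", token[1:-1]
    low, sep, high = token.partition("..")
    if _INT.match(low) and (not sep or _INT.match(high)):
        start, end = int(low), int(high if sep else low)
        if start > end:
            raise ValueError(f"descending integer range: {token}")
        return "int", (start, end)
    if sep:
        # Explicit IP range <start_address>..<end_address>
        start, end = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid IP range: {token}")
    else:
        # Single address or CIDR range; a single address becomes a /32 or /128.
        net = ipaddress.ip_network(token)
        start, end = net.network_address, net.broadcast_address
    return "ip", (start, end)


def parse_inline_list(text):
    """Parse '{elem elem ...}' and return (kind, elements).

    All elements must share one data type, as the page requires.
    """
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("inline list must be enclosed in { }")
    parsed = [_parse_element(t) for t in _TOKEN.findall(text[1:-1])]
    if not parsed:
        raise ValueError("empty inline list")  # assumption: not accepted
    kinds = {kind for kind, _ in parsed}
    if len(kinds) != 1:
        raise ValueError(f"mixed element types: {sorted(kinds)}")
    return kinds.pop(), [value for _, value in parsed]


def inline_list_contains(text, value):
    """Evaluate '<value> in {…}' for a string, integer, or IP address value."""
    kind, elements = parse_inline_list(text)
    if kind == "string":
        return value in elements
    if kind == "int":
        return any(start <= value <= end for start, end in elements)
    addr = ipaddress.ip_address(value)
    # Compare only within the same IP version; IPv4 and IPv6 are not ordered.
    return any(
        start.version == addr.version and start <= addr <= end
        for start, end in elements
    )


# The three inline lists from the page's examples.
HOSTS = '{"example.com" "example.net"}'
SOURCES = "{198.51.100.1 198.51.100.3..198.51.100.7 192.0.2.0/24 2001:0db8::/32}"
PORTS = "{8000..8009 8080..8089}"

if __name__ == "__main__":
    for ip in ("198.51.100.2", "198.51.100.5", "192.0.2.200", "2001:db8:1::1"):
        print(ip, inline_list_contains(SOURCES, ip))
```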

---

---
title: Rulesets API
description: The Rulesets API provides an interface for managing and configuring the execution of rulesets, supporting different Cloudflare products powered by the Ruleset Engine.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Rulesets API

The Rulesets API provides an interface for managing and configuring the execution of rulesets, supporting different Cloudflare products powered by the Ruleset Engine.

## Get started

To get started, review the [JSON objects](https://developers.cloudflare.com/ruleset-engine/rulesets-api/json-object/) and the available [endpoints](https://developers.cloudflare.com/ruleset-engine/rulesets-api/endpoints/).

---

## Limits

You should avoid making concurrent updates to the same ruleset. There are rate limits in place to prevent the same ruleset from being concurrently updated too many times. The exact limits depend on the size of the ruleset and volume of requests, and can be different for each ruleset.

The rate limits are most frequently hit when concurrently modifying several rules in the same ruleset. To avoid this, you should [update the entire ruleset in a single operation](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) instead.

---

---
title: Add a rule to a ruleset
description: Adds a single rule to an existing ruleset. Use this endpoint to add a rule without having to include all the existing ruleset rules in the request.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Add a rule to a ruleset

Adds a single rule to an existing ruleset. Use this endpoint to add a rule without having to include all the existing ruleset rules in the request.

Use one of the following API endpoints:

* [Create an account ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/)  
`POST /accounts/{account_id}/rulesets/{ruleset_id}/rules`
* [Create a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/)  
`POST /zones/{zone_id}/rulesets/{ruleset_id}/rules`

Include the rule definition in the request body.

By default, the rule will be added to the end of the existing list of rules in the ruleset. To define a specific position for the rule, include a `position` object in the request body according to the guidelines in [Change the order of a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/#change-the-order-of-a-rule-in-a-ruleset).

Invoking this method creates a new version of the ruleset.

## Example

The following `POST` request adds a rule to ruleset `$RULESET_ID` of zone `$ZONE_ID`. The ruleset ID was previously obtained using the [List zone rulesets](https://developers.cloudflare.com/api/resources/rulesets/methods/list/) operation, and corresponds to the entry point ruleset for the `http_request_firewall_custom` phase.

The response will include the complete ruleset after adding the rule.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create a zone ruleset rule

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "js_challenge",
    "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
    "description": "challenge GB and FR based on bot score"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone Ruleset 1",
    "description": "My phase entry point ruleset at the zone level",
    "kind": "zone",
    "version": "11",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "1",
        "action": "challenge",
        "expression": "not http.request.uri.path matches \"^/api/.*$\"",
        "last_updated": "2023-11-23T11:36:24.192361Z",
        "ref": "<RULE_REF_1>",
        "enabled": true
      },
      {
        "id": "<NEW_RULE_ID>",
        "version": "1",
        "action": "js_challenge",
        "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
        "description": "challenge GB and FR based on bot score",
        "last_updated": "2024-06-22T12:35:58.144683Z",
        "ref": "<NEW_RULE_REF>",
        "enabled": true
      }
    ],
    "last_updated": "2024-06-22T12:35:58.144683Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Define the rule position in the ruleset

To define the position of the new rule in the ruleset, include a `position` object in the request, containing one of the following:

* `"before": "<RULE_ID>"` — Places the rule before rule `<RULE_ID>`. Use this argument with an empty rule ID value (`""`) to set the rule as the first rule in the ruleset.
* `"after": "<RULE_ID>"` — Places the rule after rule `<RULE_ID>`. Use this argument with an empty rule ID value (`""`) to set the rule as the last rule in the ruleset.
* `"index": <POSITION_NUMBER>` — Places the rule in the exact position specified by the integer number `<POSITION_NUMBER>`. Position numbers start with `1`. Existing rules in the ruleset from the specified position number onward are shifted one position (no rule is overwritten). For example, when you place a rule in position n using `index`, existing rules with index n, n+1, n+2, and so on, are shifted one position — their new position will be n+1, n+2, n+3, and so forth. If the index is out of range, the method returns a `400` HTTP status code.

Important

You can only use one of the `before`, `after`, and `index` fields at a time.

For examples of using a `position` object, refer to [Update a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/#examples).
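
The positioning rules above can be previewed locally before sending the request. The following Python sketch is an added example, not part of the Cloudflare API or its client libraries: the function names and rule IDs are hypothetical, and it assumes that a valid `index` runs from `1` to the current number of rules plus one and that an unknown rule ID is an error.

```python
def apply_position(rule_ids, new_rule_id, position=None):
    """Return the rule order after adding new_rule_id with a position object.

    rule_ids is the current order of rule IDs in the ruleset.
    """
    order = list(rule_ids)
    if position is None:
        # Default: the rule is added to the end of the existing list.
        return order + [new_rule_id]
    if not isinstance(position, dict) or len(position) != 1:
        raise ValueError("use exactly one of before, after, index")
    (key, value), = position.items()
    if key not in ("before", "after", "index"):
        raise ValueError(f"unknown position field: {key}")

    if key == "index":
        # Position numbers start with 1. Assumption: 1..len+1 is in range;
        # the API answers out-of-range values with HTTP 400.
        in_range = (
            isinstance(value, int)
            and not isinstance(value, bool)
            and 1 <= value <= len(order) + 1
        )
        if not in_range:
            raise ValueError(f"index out of range: {value!r}")
        insert_at = value - 1
    elif value == "":
        # Empty rule ID: "before" means first rule, "after" means last rule.
        insert_at = 0 if key == "before" else len(order)
    else:
        if value not in order:
            raise ValueError(f"rule ID not in ruleset: {value}")  # assumption
        insert_at = order.index(value) + (1 if key == "after" else 0)

    # Rules from insert_at onward shift one position; none is overwritten.
    order.insert(insert_at, new_rule_id)
    return order


def add_rule_body(rule, position=None, current_rule_ids=()):
    """Build the POST body for adding a rule, validating position first."""
    apply_position(current_rule_ids, "<NEW_RULE_ID>", position)
    body = dict(rule)
    if position is not None:
        body["position"] = dict(position)
    return body


# Constructed rule IDs for illustration.
CURRENT = ["rule_a", "rule_b", "rule_c"]

if __name__ == "__main__":
    for pos in (None, {"before": ""}, {"after": "rule_b"}, {"index": 2}):
        print(pos, "->", apply_position(CURRENT, "rule_new", pos))
```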

---

---
title: Create a ruleset
description: Creates a ruleset of a given kind in the specified phase. Allows you to create phase entry point rulesets.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Create a ruleset

Creates a ruleset of a given kind in the specified phase. Allows you to create phase entry point rulesets.

Use one of the following API endpoints:

* [Create an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/)  
`POST /accounts/{account_id}/rulesets`
* [Create a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/)  
`POST /zones/{zone_id}/rulesets`

## Parameters

A `POST` request to create a ruleset supports the following parameters in the request body:

* `name` ` String `  
   * A human-readable name for the ruleset.  
   * The name is immutable. You cannot change it over the lifetime of the ruleset.
* `description` ` String ` Optional  
   * Optional description for the ruleset.  
   * You can change the description over the lifetime of the ruleset.
* `kind` ` String `  
   * The kind of ruleset the JSON object represents.  
   * Allowed values:  
         * `custom`: Creates a custom ruleset  
         * `root`: Creates a phase [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) at the account level  
         * `zone`: Creates a phase entry point ruleset at the zone level
* `phase` ` String `  
   * The name of the [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) where the ruleset will be created.  
   * Check the [phases list](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) or the specific Cloudflare product documentation for more information on the phases where you can create rulesets for that product.
* `rules` ` Array<Rule> ` Optional  
   * A list of [rules](https://developers.cloudflare.com/ruleset-engine/rulesets-api/json-object/#rule-object-structure-and-properties) to include in the ruleset.

For additional details on these parameters, refer to [JSON objects](https://developers.cloudflare.com/ruleset-engine/rulesets-api/json-object/).

## Example - Create a custom ruleset

The following `POST` request creates a custom ruleset in the `http_request_firewall_custom` phase at the account level containing a single rule.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Example custom ruleset",
    "kind": "custom",
    "description": "Example ruleset description",
    "rules": [
        {
            "action": "log",
            "expression": "cf.zone.name eq \"example.com\""
        }
    ],
    "phase": "http_request_firewall_custom"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Example custom ruleset",
    "description": "Example ruleset description",
    "kind": "custom",
    "version": "1",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "log",
        "expression": "cf.zone.name eq \"example.com\"",
        "last_updated": "2025-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2025-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Example - Create a zone-level phase entry point ruleset

The following `POST` request creates a zone-level phase entry point ruleset at the `http_request_firewall_managed` phase with a single rule that executes a managed ruleset.

Note

You do not have to use this method to create a phase entry point ruleset. Cloudflare automatically creates the entry point ruleset when you add a rule to it, if it does not exist. Refer to [Add rules to phase entry point rulesets](https://developers.cloudflare.com/ruleset-engine/basic-operations/add-rule-phase-rulesets/) for more information.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create a zone ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Zone-level phase entry point",
    "kind": "zone",
    "description": "This ruleset executes a managed ruleset.",
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>"
            }
        }
    ],
    "phase": "http_request_firewall_managed"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point",
    "description": "This ruleset executes a managed ruleset.",
    "kind": "zone",
    "version": "1",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2025-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2025-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Example - Create an account-level phase entry point ruleset

The following `POST` request creates an account-level phase entry point ruleset for the `http_ratelimit` phase with a single rule that executes a rate limiting ruleset for all Enterprise zones in the account.

Note

You do not have to use this method to create a phase entry point ruleset. Cloudflare automatically creates the entry point ruleset when you add a rule to it, if it does not exist. Refer to [Add rules to phase entry point rulesets](https://developers.cloudflare.com/ruleset-engine/basic-operations/add-rule-phase-rulesets/) for more information.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Account-level phase entry point",
    "kind": "root",
    "description": "This ruleset executes a rate limiting ruleset.",
    "rules": [
        {
            "action": "execute",
            "expression": "(cf.zone.plan eq \"ENT\")",
            "action_parameters": {
                "id": "<RATE_LIMITING_RULESET_ID>"
            }
        }
    ],
    "phase": "http_ratelimit"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Account-level phase entry point",
    "description": "This ruleset executes a rate limiting ruleset.",
    "kind": "root",
    "version": "1",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "(cf.zone.plan eq \"ENT\")",
        "action_parameters": {
          "id": "<RATE_LIMITING_RULESET_ID>"
        },
        "last_updated": "2024-09-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2024-09-17T15:42:37.917815Z",
    "phase": "http_ratelimit"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Warning

You can only apply rate limiting rulesets to incoming traffic of zones on an Enterprise plan. To enforce this requirement, you must include `cf.zone.plan eq "ENT"` in the expression of the `execute` rule deploying the rate limiting ruleset.
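
A pre-flight check for create-ruleset request bodies, covering the parameters section and the Enterprise-plan requirement above, can run in a deployment pipeline before any API call. This is an added example, not Cloudflare tooling: `lint_create_ruleset` is a hypothetical helper, the plan check is a substring heuristic that does not parse the expression, and applying it only to `root` rulesets in the `http_ratelimit` phase is an assumption drawn from the page's example.

```python
ALLOWED_KINDS = {"custom", "root", "zone"}
ENT_GUARD = 'cf.zone.plan eq "ENT"'


def lint_create_ruleset(scope, body):
    """Return a list of findings for a POST /{scope}/{id}/rulesets body.

    scope is "accounts" or "zones", matching the endpoint being called.
    """
    findings = []
    for field in ("name", "kind", "phase"):
        if not isinstance(body.get(field), str) or not body[field]:
            findings.append(f"{field}: required string is missing")

    kind = body.get("kind")
    if isinstance(kind, str) and kind and kind not in ALLOWED_KINDS:
        findings.append(f"kind: {kind!r} is not one of {sorted(ALLOWED_KINDS)}")
    # root = entry point at the account level, zone = entry point at the zone level
    if kind == "root" and scope != "accounts":
        findings.append("kind: 'root' requires the /accounts endpoint")
    if kind == "zone" and scope != "zones":
        findings.append("kind: 'zone' requires the /zones endpoint")

    if "description" in body and not isinstance(body["description"], str):
        findings.append("description: must be a string")

    rules = body.get("rules", [])
    if not isinstance(rules, list):
        findings.append("rules: must be an array")
        rules = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict) or rule.get("action") != "execute":
            continue
        params = rule.get("action_parameters")
        if not isinstance(params, dict) or not params.get("id"):
            findings.append(f"rules[{i}]: execute rule has no action_parameters.id")
        ratelimit_root = body.get("phase") == "http_ratelimit" and kind == "root"
        if ratelimit_root and ENT_GUARD not in str(rule.get("expression", "")):
            findings.append(f"rules[{i}]: expression must include {ENT_GUARD}")
    return findings


# Request bodies taken from the examples on this page.
ACCOUNT_RATELIMIT = {
    "name": "Account-level phase entry point",
    "kind": "root",
    "description": "This ruleset executes a rate limiting ruleset.",
    "rules": [{
        "action": "execute",
        "expression": '(cf.zone.plan eq "ENT")',
        "action_parameters": {"id": "<RATE_LIMITING_RULESET_ID>"},
    }],
    "phase": "http_ratelimit",
}
ZONE_MANAGED = {
    "name": "Zone-level phase entry point",
    "kind": "zone",
    "description": "This ruleset executes a managed ruleset.",
    "rules": [{
        "action": "execute",
        "expression": "true",
        "action_parameters": {"id": "<MANAGED_RULESET_ID>"},
    }],
    "phase": "http_request_firewall_managed",
}
# Constructed counter-example: same deployment without the plan check.
UNGUARDED = {
    **ACCOUNT_RATELIMIT,
    "rules": [{
        "action": "execute",
        "expression": "true",
        "action_parameters": {"id": "<RATE_LIMITING_RULESET_ID>"},
    }],
}

if __name__ == "__main__":
    for label, scope, body in [("page example", "accounts", ACCOUNT_RATELIMIT),
                               ("unguarded", "accounts", UNGUARDED)]:
        print(label, lint_create_ruleset(scope, body) or "ok")
```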

---

---
title: Delete a ruleset
description: You can use the API to delete all the versions of a ruleset or delete a specific version of a ruleset.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Delete a ruleset

You can use the API to delete all the versions of a ruleset or delete a specific version of a ruleset.

* [Delete ruleset (all versions)](#delete-ruleset)
* [Delete ruleset version](#delete-ruleset-version)

## Delete ruleset

Deletes all the versions of an existing ruleset at the account or zone level.

Use one of the following API endpoints:

* [Delete an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/delete/)  
`DELETE /accounts/{account_id}/rulesets/{ruleset_id}`
* [Delete a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/delete/)  
`DELETE /zones/{zone_id}/rulesets/{ruleset_id}`

If the delete operation succeeds, the API method call returns a `204 No Content` HTTP status code.

Note

You cannot delete a ruleset that is still referenced in other rules. For example, you cannot delete a custom ruleset that is being deployed in a rule with `execute` action.

To delete the ruleset, update or delete any rules that reference the ruleset and try again.

### Example

The following example request deletes an existing ruleset with ID `$RULESET_ID`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Delete an account ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Delete ruleset version

Deletes a specific version of a ruleset.

Use one of the following API endpoints:

* [Delete an account ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/delete/)  
`DELETE /accounts/{account_id}/rulesets/{ruleset_id}/versions/{version_number}`
* [Delete a zone ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/delete/)  
`DELETE /zones/{zone_id}/rulesets/{ruleset_id}/versions/{version_number}`

If the delete operation succeeds, the method call returns a `204 No Content` HTTP status code.

Later updates to the ruleset will not reuse the version number of a deleted ruleset version.

Note

You cannot delete a ruleset version if it is the latest ruleset version and there is a rule with `execute` action deploying that ruleset.

To delete the ruleset version, update or delete any rules that reference the ruleset and try again.

### Example

The following example request deletes a version of an existing ruleset.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Delete an account ruleset version

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID/versions/$RULESET_VERSION" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

---

---
title: Delete a rule in a ruleset
description: Deletes a single rule in a ruleset at the account or zone level.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Delete a rule in a ruleset

Deletes a single rule in a ruleset at the account or zone level.

Use one of the following API endpoints:

* [Delete an account ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/delete/)  
`DELETE /accounts/{account_id}/rulesets/{ruleset_id}/rules/{rule_id}`
* [Delete a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/delete/)  
`DELETE /zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}`

If the delete operation succeeds, the API method call returns a `200 OK` HTTP status code with the complete ruleset in the response body.

## Example

The following example deletes rule `$RULE_ID_1` belonging to ruleset `$RULESET_ID`.

The response will include the complete ruleset after deleting the rule.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Delete an account ruleset rule

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID/rules/$RULE_ID_1" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Custom Ruleset 1",
    "description": "My first custom ruleset",
    "kind": "custom",
    "version": "12",
    "rules": [
      {
        "id": "<RULE_ID_2>",
        "version": "2",
        "action": "js_challenge",
        "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
        "description": "challenge GB and FR based on bot score",
        "last_updated": "2021-07-22T12:54:58.144683Z",
        "ref": "<RULE_REF_2>",
        "enabled": true
      }
    ],
    "last_updated": "2021-07-22T12:54:58.144683Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

---

---
title: Endpoints
description: For some operations, you can use specific endpoints provided by the Rulesets API for managing phase entry point rulesets. These endpoints include the phase name in the endpoint instead of the ruleset ID.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Endpoints

For some operations, you can use specific endpoints provided by the Rulesets API for managing phase entry point rulesets. These endpoints include the phase name in the endpoint instead of the ruleset ID.

For example, instead of using the following endpoint:

```
PUT /zones/{zone_id}/rulesets/{ruleset_id}
```

You can use the following endpoint:

```
PUT /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint
```

To invoke a Rulesets API operation, append the endpoint to the Cloudflare API base URL:

```
https://api.cloudflare.com/client/v4
```

For authentication instructions, refer to [Getting Started: Requests](https://developers.cloudflare.com/fundamentals/api/) in the Cloudflare API documentation.

For help with endpoints and pagination, refer to [Getting Started: Endpoints](https://developers.cloudflare.com/fundamentals/api/).

Note

The Rulesets API endpoints require a value for `{account_id}` or `{zone_id}`.

To retrieve a list of accounts you have access to, use the [List Accounts](https://developers.cloudflare.com/api/resources/accounts/methods/list/) operation. Note the IDs of the accounts you want to manage.

To retrieve a list of zones you have access to, use the [List Zones](https://developers.cloudflare.com/api/resources/zones/methods/list/) operation. Note the IDs of the zones you want to manage.

The Cloudflare Rulesets API supports the operations outlined below. Visit the associated links for API endpoints and examples.

## List and view rulesets

| Operation                                                                                                                                                                      | Method | Notes                                                                              |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ | ---------------------------------------------------------------------------------- |
| [List existing rulesets](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/#list-existing-rulesets)                                                           | GET    | Returns the list of existing rulesets at the account level or at the zone level.   |
| [View a specific ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/#view-a-specific-ruleset)                                                         | GET    | Returns the properties of the most recent version of a specific ruleset.           |
| [List all versions of a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/#list-all-versions-of-a-ruleset)                                           | GET    | Returns a list of all the versions of a ruleset.                                   |
| [View a specific version of a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/#view-a-specific-version-of-a-ruleset)                               | GET    | Returns the configuration of a specific version of a ruleset, including its rules. |
| [List rules in a managed ruleset with a specific tag](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/#list-rules-in-a-managed-ruleset-with-a-specific-tag) | GET    | Returns a list of all the rules in a managed ruleset with a specific tag.          |

## Create rulesets

| Operation                                                                                 | Verb | Notes                                             |
| ----------------------------------------------------------------------------------------- | ---- | ------------------------------------------------- |
| [Create a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/create/) | POST | Creates a new ruleset or a new phase entry point. |

## Update and deploy rulesets

| Operation                                                                                                | Verb   | Notes                                                                                                                                              |
| -------------------------------------------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Update or deploy a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/)      | PUT    | Updates the basic properties of a ruleset and the list of rules in the ruleset. Allows you to configure the execution of managed rulesets.          |
| [Add a rule to a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/)       | POST   | Adds a single rule to an existing ruleset. Allows you to add a single rule without having to include all the existing ruleset rules in the request. |
| [Update a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update-rule/) | PATCH  | Updates the definition of a single rule within a ruleset. Allows you to change the order of a rule in a ruleset.                                    |
| [Delete a rule in a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete-rule/) | DELETE | Deletes a single rule in a ruleset.                                                                                                                |

## Delete rulesets

| Operation                                                                                                                | Verb   | Notes                                    |
| ------------------------------------------------------------------------------------------------------------------------ | ------ | ---------------------------------------- |
| [Delete a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete/#delete-ruleset)                 | DELETE | Deletes all the versions of a ruleset.   |
| [Delete a ruleset version](https://developers.cloudflare.com/ruleset-engine/rulesets-api/delete/#delete-ruleset-version) | DELETE | Deletes a specific version of a ruleset. |

---

---
title: JSON objects
description: This page describes the JSON objects used in API requests creating or updating rulesets and their rules via Rulesets API, as well as the objects returned by the API.
image: https://developers.cloudflare.com/core-services-preview.png
---

# JSON objects

This page describes the JSON objects used in API requests creating or updating rulesets and their rules via Rulesets API, as well as the objects returned by the API.

## Ruleset object

A fully populated ruleset object has the following JSON structure.

```
{
  "id": "6a359df138c442b385d20140d4d96919",
  "name": "Example Ruleset",
  "description": "Description of Example Ruleset",
  "kind": "custom",
  "version": "2",
  "phase": "http_request_firewall_custom",
  "rules": [
    {
      "id": "fdb0dd271f3f40b19679cc5d91396024",
      "version": "2",
      "action": "block",
      "expression": "cf.zone.name eq \"example.com\" ",
      "last_updated": "2022-07-20T10:44:29.124515Z"
    }
  ],
  "last_updated": "2022-07-20T10:44:29.124515Z"
}
```

For details on the properties of rules items in the `rules` array, refer to the [Rule object structure and properties](#rule-object-structure-and-properties) section.

### Properties

The ruleset object has the following properties:

* `id` `String`
   * A 32-character UUIDv4 string that represents the unique Cloudflare-generated identifier for a given version of a ruleset.
   * Unique, read-only.
* `name` `String`
   * A human-readable name for the ruleset.
   * The name is immutable. You cannot change the name over the lifetime of the ruleset.
* `description` `String`
   * Optional description for the ruleset.
   * You can change the description over the lifetime of the ruleset.
* `kind` `String`
   * The kind of ruleset the JSON object represents.
   * One of `root`, `zone`, `managed`, `custom`.
   * `kind` is immutable.
* `version` `Integer`
   * The version of the ruleset.
   * Read-only value starting at `1` and incremented by `1` each time the ruleset is modified.
* `rules` `Array<Rule>`
   * A list of rules to include in the ruleset. Refer to [Rule object structure and properties](#rule-object-structure-and-properties) for details.
* `last_updated` `Timestamp`
   * The time (UTC) when the ruleset was last updated in ISO 8601 format: `YYYY-MM-DDThh:mm:ss.TZD`.
   * Read-only.

## Rule object structure and properties

A fully populated rule JSON object has the following structure:

```
{
  "id": "fdb0dd271f3f40b19679cc5d91396024",
  "version": "2",
  "ref": "<REF>",
  "description": "<DESCRIPTION>",
  "action": "block",
  "action_parameters": {
    // action parameters vary according to the action
  },
  "categories": ["<CATEGORY_1>", "<CATEGORY_2>"],
  "expression": "cf.zone.name eq \"example.com\"",
  "last_updated": "2025-07-20T10:44:29.124515Z",
  "enabled": true
}
```

The JSON object properties for a rule are defined as follows:

* `id` `String`
   * A 32-character UUIDv4 string that represents the unique Cloudflare-generated identifier for a given version of a rule.
   * Unique, read-only.
* `version` `Integer`
   * The version of the rule.
   * Read-only value starting at `1` and incremented by `1` each time the rule is modified.
   * Changing the order of a rule in a ruleset does not change its version.
* `ref` `String`
   * A user-defined external identifier that must be unique for each rule in a ruleset.
   * Use this field in your Terraform configuration to prevent Terraform from recreating the rule on changes. Refer to [How to keep the same rule ID between modifications](https://developers.cloudflare.com/terraform/troubleshooting/rule-id-changes/#how-to-keep-the-same-rule-id-between-modifications) for more information.
* `description` `String`
   * A descriptive name of the rule.
* `action` `String`
   * Defines what happens when there is a match for the rule expression.
   * The available [actions](https://developers.cloudflare.com/ruleset-engine/rules-language/actions/) depend on the [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) where the rule's ruleset is executed.
* `action_parameters` `Object`
   * One or more parameters configuring the rule action.
   * The exact properties vary according to the action. Refer to each Cloudflare product's API instructions for more information.
* `categories` `Array<String>`
   * Tags associated with the current rule. You can define overrides that affect rules with a given tag.
   * Read-only. Only available in [WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/) and [DDoS managed rulesets](https://developers.cloudflare.com/ddos-protection/managed-rulesets/).
* `expression` `String`
   * Criteria defining when there is a match for the current rule.
   * The fields and functions you can use in a rule expression depend on the phase where the rule's ruleset is executed.
* `last_updated` `Timestamp`
   * The time (UTC) when the rule was last updated in ISO 8601 format: `YYYY-MM-DDThh:mm:ss.TZD`.
   * Read-only.
* `enabled` `Boolean`
   * When set to `true`, the current rule is enabled.

---

---
title: Update or deploy a ruleset
description: Use one of the following API endpoints to update a ruleset:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Update or deploy a ruleset

Use one of the following API endpoints to update a ruleset:

* [Update an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/update/)  
`PUT /accounts/{account_id}/rulesets/{ruleset_id}`
* [Update an account entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/update/)  
`PUT /accounts/{account_id}/rulesets/phases/{phase_name}/entrypoint`
* [Update a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/update/)  
`PUT /zones/{zone_id}/rulesets/{ruleset_id}`
* [Update a zone entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/update/)  
`PUT /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint`

When updating a ruleset, you can update:

* The basic properties of a ruleset (currently only the description)
* The list of rules in a ruleset

To deploy a ruleset, add a rule with `"action": "execute"` to the list of rules of an [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset). Refer to [Deploy a ruleset](#example---deploy-a-ruleset) for an example.

Note

You cannot update the name of the ruleset or its type. Do not include these fields in the `data` field of your `PUT` request.

## Example - Set the rules of a ruleset

The following `PUT` request defines the list of rules of a ruleset, setting it to a single rule. You must include all the rules you want to associate with the ruleset in every request.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>"
            },
            "expression": "true"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point ruleset",
    "description": "This ruleset executes a managed ruleset.",
    "kind": "zone",
    "version": "4",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "2",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2025-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2025-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
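
Because this `PUT` sets the complete rule list, a body that carries only the new rule removes every rule that was in the ruleset before. The following Python check is an added example, not Cloudflare code: it compares a `PUT` body with the ruleset as a `GET` returns it and reports the rules that would be dropped. The function names, the matching heuristic, and the sample data are assumptions made for illustration.

```python
import json

# Ruleset fields the page says must not be sent in a PUT body. Reading the
# note's "type" as the ruleset object's `kind` property is an assumption.
IMMUTABLE_FIELDS = ("name", "kind")

# Constructed sample: a custom ruleset as a GET would return it (abbreviated).
CURRENT = {
    "id": "<RULESET_ID>",
    "kind": "custom",
    "phase": "http_request_firewall_custom",
    "rules": [
        {"id": "<RULE_ID_1>", "ref": "<RULE_REF_1>", "action": "js_challenge",
         "expression": "cf.bot_management.score < 20"},
        {"id": "<RULE_ID_2>", "ref": "<RULE_REF_2>", "action": "challenge",
         "expression": 'not http.request.uri.path matches "^/api/.*$"'},
    ],
}

# Constructed sample: the rule an operator wants to add.
NEW_RULE = {"action": "block",
            "expression": 'cf.zone.name eq "example.com"',
            "description": "new block rule"}

# Body that carries only the new rule: the two existing rules are not listed.
REPLACING_BODY = {"rules": [NEW_RULE]}

# Body that lists the existing rules (identified by ref) plus the new rule.
PRESERVING_BODY = {
    "rules": [{"ref": r["ref"], "action": r["action"],
               "expression": r["expression"]} for r in CURRENT["rules"]]
             + [NEW_RULE]
}

# Body that tries to change an immutable field.
RENAMING_BODY = {"name": "Renamed ruleset", "description": "updated text"}


def _definition(rule):
    """What a rule does, ignoring server-generated properties."""
    params = json.dumps(rule.get("action_parameters") or {}, sort_keys=True)
    return (rule.get("action"), rule.get("expression"), params)


def _same_rule(current, proposed):
    """Match on id, then ref, then definition (illustrative heuristic).

    A rule that cannot be matched counts as dropped, so an ambiguous case
    is reported instead of passing silently.
    """
    for field in ("id", "ref"):
        if proposed.get(field):
            return proposed[field] == current.get(field)
    return _definition(proposed) == _definition(current)


def review_put(current_ruleset, put_body):
    """Report what a PUT body would change relative to the current ruleset."""
    report = {
        "forbidden_fields": [f for f in IMMUTABLE_FIELDS if f in put_body],
        "dropped": [],
        "added": [],
    }
    if "rules" not in put_body:
        # The page's description-only example sends no `rules` key; this
        # model treats that as leaving the rule list untouched (assumption).
        return report
    current = current_ruleset.get("rules", [])
    proposed = put_body["rules"]
    for rule in current:
        if not any(_same_rule(rule, p) for p in proposed):
            report["dropped"].append(rule.get("ref") or rule.get("id"))
    for p in proposed:
        if not any(_same_rule(rule, p) for rule in current):
            report["added"].append(p.get("description") or p.get("action"))
    return report


if __name__ == "__main__":
    for name, body in (("replacing", REPLACING_BODY),
                       ("preserving", PRESERVING_BODY),
                       ("renaming", RENAMING_BODY)):
        print(name, review_put(CURRENT, body))
```

A non-empty `dropped` list is the signal to stop and rebuild the body from the current ruleset before sending the request.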

## Example - Deploy a ruleset

To deploy a ruleset, create a rule with `"action": "execute"` that executes the ruleset, and set the `id` parameter in the rule's `action_parameters` field to the ID of the ruleset to deploy.

The following `PUT` request deploys a managed ruleset to the `http_request_firewall_managed` phase of a zone (`$ZONE_ID`).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>"
            },
            "expression": "true",
            "description": "Execute Cloudflare Managed Ruleset on my phase entry point ruleset"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point ruleset",
    "description": "",
    "kind": "zone",
    "version": "4",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>",
          "version": "latest"
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my phase entry point ruleset",
        "last_updated": "2025-03-21T11:02:08.769537Z",
        "ref": "<RULE_REF_1>",
        "enabled": true
      }
    ],
    "last_updated": "2025-03-21T11:02:08.769537Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

For more information on deploying rulesets, refer to [Deploy rulesets](https://developers.cloudflare.com/ruleset-engine/basic-operations/deploy-rulesets/).

## Example - Update ruleset description

The following `PUT` request updates the description of an existing ruleset or phase entry point.

The response will include the complete ruleset definition, including all the rules.

Note

You cannot update the description or the rules in a managed ruleset. You can only [define overrides](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) to customize the ruleset behavior.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "description": "My updated phase entry point ruleset"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone entry point",
    "description": "My updated phase entry point ruleset",
    "kind": "zone",
    "version": "4",
    "rules": [
      // (...)
    ],
    "last_updated": "2025-03-30T10:49:11.006109Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

---

---
title: Update a rule in a ruleset
description: Applies one or more changes to an existing rule in a ruleset at the account or zone level.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Update a rule in a ruleset

Applies one or more changes to an existing rule in a ruleset at the account or zone level.

Use one of the following API endpoints:

* [Update an account ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/edit/)  
`PATCH /accounts/{account_id}/rulesets/{ruleset_id}/rules/{rule_id}`
* [Update a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/edit/)  
`PATCH /zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}`

You can update the definition of the rule, changing its fields, or change the order of the rule in the ruleset. Invoking this method creates a new version of the ruleset.

## Update the definition of a rule

To update the definition of a rule, include the new rule definition in the request body. You must include all the rule fields that you want to be part of the new rule definition, even if you are not changing their values.

The response will include the complete ruleset after updating the rule.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update an account ruleset rule

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID/rules/$RULE_ID_1" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "js_challenge",
    "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
    "description": "challenge GB and FR based on bot score"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Custom Ruleset 1",
    "description": "My first custom ruleset",
    "kind": "custom",
    "version": "11",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "2",
        "action": "js_challenge",
        "expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
        "description": "challenge GB and FR based on bot score",
        "last_updated": "2023-03-22T12:54:58.144683Z",
        "ref": "<RULE_REF_1>",
        "enabled": true
      },
      {
        "id": "<RULE_ID_2>",
        "version": "1",
        "action": "challenge",
        "expression": "not http.request.uri.path matches \"^/api/.*$\"",
        "last_updated": "2022-11-23T11:36:24.192361Z",
        "ref": "<RULE_REF_2>",
        "enabled": true
      }
    ],
    "last_updated": "2023-03-22T12:54:58.144683Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Change the order of a rule in a ruleset

To reorder a rule in a list of ruleset rules, include a `position` object in the request, containing one of the following:

* `"before": "<RULE_ID>"` — Places the rule before rule `<RULE_ID>`. Use this argument with an empty rule ID value (`""`) to set the rule as the first rule in the ruleset.
* `"after": "<RULE_ID>"` — Places the rule after rule `<RULE_ID>`. Use this argument with an empty rule ID value (`""`) to set the rule as the last rule in the ruleset.
* `"index": <POSITION_NUMBER>` — Places the rule in the exact position specified by the integer number `<POSITION_NUMBER>`. Position numbers start with `1`. Existing rules in the ruleset from the specified position number onward are shifted one position (no rule is overwritten). For example, when you place a rule in position n using `index`, existing rules with index n, n+1, n+2, and so on, are shifted one position — their new position will be n+1, n+2, n+3, and so forth. If the index is out of range, the method returns a `400` HTTP status code.

Important

You can only use one of the `before`, `after`, and `index` fields at a time.

Reorder a rule without changing its definition by including only the `position` object in the `PATCH` request body. You can also update a rule definition and reorder it in the same `PATCH` request by including both the `rule` object and the `position` object.

### Examples

The following examples build upon the following (abbreviated) ruleset:

```
{
  "rules": [
    { "id": "<RULE_ID_1>" },
    { "id": "<RULE_ID_2>" },
    { "id": "<RULE_ID_3>" },
    { "id": "<RULE_ID_4>" }
  ]
}
```

#### Example 1

The following request with the `position` object places rule `$RULE_ID_2` as the first rule:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone ruleset rule

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules/$RULE_ID_2" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "position": {
        "before": ""
    }
  }'
```

In this case, the new rule order would be:

`<RULE_ID_2>`, `<RULE_ID_1>`, `<RULE_ID_3>`, `<RULE_ID_4>`

#### Example 2

The following request with the `position` object places rule `$RULE_ID_2` after rule `<RULE_ID_3>`:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone ruleset rule

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules/$RULE_ID_2" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "position": {
        "after": "<RULE_ID_3>"
    }
  }'
```

In this case, the new rule order would be:

`<RULE_ID_1>`, `<RULE_ID_3>`, `<RULE_ID_2>`, `<RULE_ID_4>`

#### Example 3

The following request with the `position` object places rule `$RULE_ID_1` in position 3, becoming the third rule in the ruleset:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone ruleset rule

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules/$RULE_ID_1" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "position": {
        "index": 3
    }
  }'
```

In this case, the new rule order would be:

`<RULE_ID_2>`, `<RULE_ID_3>`, `<RULE_ID_1>`, `<RULE_ID_4>`
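
The `position` semantics described in this section, modeled locally as an added Python example (not Cloudflare code) so the resulting rule order can be checked before a `PATCH` is sent. It reproduces the three examples above; the function and exception names, the accepted index range of 1 to the number of rules, and the rejection of an unknown anchor rule ID are assumptions.

```python
class PositionError(ValueError):
    """Raised for a request this local model rejects before it is sent."""


def reorder(rule_ids, rule_id, position):
    """Return the rule order after moving `rule_id` according to `position`.

    rule_ids: current order of rule IDs in the ruleset
    position: the `position` object of the PATCH body, as a dict
    """
    if rule_id not in rule_ids:
        raise PositionError(f"rule {rule_id!r} is not in the ruleset")

    # Only one of before / after / index may be used at a time.
    keys = [k for k in ("before", "after", "index") if k in position]
    if len(keys) != 1 or len(position) != 1:
        raise PositionError("use exactly one of before, after, index")
    key = keys[0]
    value = position[key]

    # The moved rule is taken out first; the others keep their relative order.
    others = [r for r in rule_ids if r != rule_id]

    if key == "index":
        # Position numbers start at 1. The valid range 1..len(rule_ids) is an
        # assumption; the page only says an out-of-range index returns 400.
        if isinstance(value, bool) or not isinstance(value, int):
            raise PositionError("index must be an integer")
        if not 1 <= value <= len(rule_ids):
            raise PositionError("index out of range")
        slot = value - 1
    else:
        if not isinstance(value, str):
            raise PositionError(f"{key} must be a rule ID string")
        if value == "":
            # Empty ID: first rule for `before`, last rule for `after`.
            slot = 0 if key == "before" else len(others)
        elif value in others:
            slot = others.index(value) + (1 if key == "after" else 0)
        else:
            # Rejecting an unknown anchor is an assumption of this model.
            raise PositionError(f"anchor rule {value!r} not found")

    # Rules from `slot` onward shift one position; none is overwritten.
    return others[:slot] + [rule_id] + others[slot:]


# The abbreviated ruleset used by the examples in this section.
BASE_ORDER = ["<RULE_ID_1>", "<RULE_ID_2>", "<RULE_ID_3>", "<RULE_ID_4>"]

if __name__ == "__main__":
    print(reorder(BASE_ORDER, "<RULE_ID_2>", {"before": ""}))
    print(reorder(BASE_ORDER, "<RULE_ID_2>", {"after": "<RULE_ID_3>"}))
    print(reorder(BASE_ORDER, "<RULE_ID_1>", {"index": 3}))
```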

---

---
title: List and view rulesets
description: Describes the API operations to list and view the details of rulesets at the account or zone level.
image: https://developers.cloudflare.com/core-services-preview.png
---

# List and view rulesets

Use the API operations described in the following sections to list and view the details of rulesets at the account or zone level.

* [List existing rulesets](#list-existing-rulesets)
* [View a specific ruleset](#view-a-specific-ruleset)
* [List all versions of a ruleset](#list-all-versions-of-a-ruleset)
* [View a specific version of a ruleset](#view-a-specific-version-of-a-ruleset)
* [List rules in a managed ruleset with a specific tag](#list-rules-in-a-managed-ruleset-with-a-specific-tag)

## List existing rulesets

Returns the list of existing rulesets at the account level or at the zone level.

Use one of the following API endpoints:

* [List account rulesets](https://developers.cloudflare.com/api/resources/rulesets/methods/list/)  
`GET /accounts/{account_id}/rulesets`
* [List zone rulesets](https://developers.cloudflare.com/api/resources/rulesets/methods/list/)  
`GET /zones/{zone_id}/rulesets`

The result includes rulesets across all phases at a given level (account or zone). The `phase` field in each result element indicates the [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) where that ruleset is defined.

Also, the list of rulesets at the zone level includes the account-level rulesets you may want to deploy to the specified zone.

Note

Not all zone-level phases support all types of rulesets, even if they are presented in the list returned by this API method. Check the documentation for each Cloudflare product for more information on which ruleset types are allowed in that product's supported phases.

The result does not include the list of rules in the ruleset. Refer to [View a specific version of a ruleset](#view-a-specific-version-of-a-ruleset) to learn how to obtain the list of rules.

### Example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

List zone rulesets

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": [
    {
      "id": "<PHASE_RULESET_ID>",
      "name": "Zone-level phase entry point",
      "description": "",
      "kind": "zone",
      "version": "5",
      "last_updated": "2025-03-18T18:30:08.122758Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

## View a specific ruleset

Returns the properties of the most recent version of the ruleset with the specified ruleset ID.

Use one of the following API endpoints:

* [Get an account ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/get/)  
`GET /accounts/{account_id}/rulesets/{ruleset_id}`
* [Get an account entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/)  
`GET /accounts/{account_id}/rulesets/phases/{phase_name}/entrypoint`
* [Get a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/get/)  
`GET /zones/{zone_id}/rulesets/{ruleset_id}`
* [Get a zone entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/)  
`GET /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint`

Note

You can only use the [Get a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/get/) operation for zone-level phase entry point rulesets (entry points where `kind` is set to `zone`).

The API returns a `404 Not Found` HTTP status code under these conditions:

* When a ruleset cannot be found.
* When the specified ruleset is not a managed ruleset the calling account is entitled to execute.

### Example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get a zone ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point",
    "description": "Executes a managed ruleset.",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2025-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2025-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## List all versions of a ruleset

Returns a list of all the versions of a ruleset.

Use one of the following API endpoints:

* [List account ruleset versions](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/list/)  
`GET /accounts/{account_id}/rulesets/{ruleset_id}/versions`
* [List account entry point ruleset versions](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/subresources/versions/methods/list/)  
`GET /accounts/{account_id}/rulesets/phases/{phase_name}/entrypoint/versions`
* [List zone ruleset versions](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/list/)  
`GET /zones/{zone_id}/rulesets/{ruleset_id}/versions`
* [List zone entry point ruleset versions](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/subresources/versions/methods/list/)  
`GET /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint/versions`

The result contains the ruleset properties of each version, but it does not include the list of rules. Refer to [View a specific version of a ruleset](#view-a-specific-version-of-a-ruleset) for instructions on obtaining this information.

When the specified phase entry point ruleset does not exist, this API method returns an empty array in the `result` field.

### Example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

List a zone ruleset's versions

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/versions" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": [
    {
      "id": "<RULESET_ID>",
      "name": "Zone Ruleset 1",
      "description": "",
      "kind": "zone",
      "version": "1",
      "last_updated": "2023-02-17T11:15:13.128705Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "<RULESET_ID>",
      "name": "Zone Ruleset 1",
      "description": "",
      "kind": "zone",
      "version": "2",
      "last_updated": "2023-02-17T11:24:06.869326Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

## View a specific version of a ruleset

Returns the configuration of a specific version of a ruleset, including its rules.

Use one of the following API endpoints:

* [Get an account ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/get/)  
`GET /accounts/{account_id}/rulesets/{ruleset_id}/versions/{version_number}`
* [Get an account entry point ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/subresources/versions/methods/get/)  
`GET /accounts/{account_id}/rulesets/phases/{phase_name}/entrypoint/versions/{version_number}`
* [Get a zone ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/get/)  
`GET /zones/{zone_id}/rulesets/{ruleset_id}/versions/{version_number}`
* [Get a zone entry point ruleset version](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/subresources/versions/methods/get/)  
`GET /zones/{zone_id}/rulesets/phases/{phase_name}/entrypoint/versions/{version_number}`

When the specified phase entry point ruleset does not exist, this API method returns a `404 Not Found` HTTP status code.

### Example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get a zone ruleset version

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/versions/$RULESET_VERSION" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point",
    "description": "Executes a managed ruleset.",
    "kind": "zone",
    "version": "<RULESET_VERSION>",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2025-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2025-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Note

When you view a specific version of a managed ruleset, each rule listed in the result can have one or more associated categories/tags, and it will not contain an expression.

## List rules in a managed ruleset with a specific tag

Returns a list of all the rules in a managed ruleset with a specific tag.

* List an account ruleset version's rules by tag  
`GET /accounts/{account_id}/rulesets/{ruleset_id}/versions/{version_number}/by_tag/{tag_name}`

### Example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

List an account ruleset version's rules by tag

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$RULESET_ID/versions/2/by_tag/wordpress" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<MANAGED_RULESET_ID>",
    "name": "Cloudflare Managed Ruleset",
    "description": "Managed ruleset created by Cloudflare",
    "kind": "managed",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "2",
        "action": "log",
        "categories": [
          "cve-2014-5265",
          "cve-2014-5266",
          "cve-2014-5267",
          "dos",
          "drupal",
          "wordpress"
        ],
        "description": "Drupal, WordPress - DoS - XMLRPC - CVE:CVE-2014-5265, CVE:CVE-2014-5266, CVE:CVE-2014-5267",
        "last_updated": "2025-03-19T16:54:32.942986Z",
        "ref": "<RULE_REF_1>",
        "enabled": true
      },
      {
        "id": "<RULE_ID_2>",
        "version": "2",
        "action": "block",
        "categories": ["broken-access-control", "cve-2018-12895", "wordpress"],
        "description": "WordPress - Broken Access Control - CVE:CVE-2018-12895",
        "last_updated": "2025-03-19T16:54:32.942986Z",
        "ref": "<RULE_REF_2>",
        "enabled": true
      }
      // (...)
    ],
    "last_updated": "2025-03-19T16:54:32.942986Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
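The by-tag response above mixes rules whose default action is `log` with rules that `block`, so it is worth auditing before relying on a tag for coverage. The following Python is an added example, not part of Cloudflare's documentation or tooling: it indexes the returned rules by the CVE tags in `categories` and lists the rules that are log-only or disabled by default. The rule IDs in the sample are constructed placeholders, and treating `log` and `"enabled": false` as the cases to review is an assumption of this example.

```python
import re

# Category tags of the form "cve-2018-12895", as they appear in the response above.
CVE_TAG = re.compile(r"^cve-(\d{4})-(\d{4,})$")

# Constructed sample in the shape of the by_tag response (placeholder rule IDs).
BY_TAG_RESPONSE = {
    "result": {
        "id": "managed-ruleset-placeholder",
        "name": "Cloudflare Managed Ruleset",
        "kind": "managed",
        "version": "2",
        "rules": [
            {"id": "rule-id-1", "action": "log", "enabled": True,
             "categories": ["cve-2014-5265", "cve-2014-5266", "cve-2014-5267",
                            "dos", "drupal", "wordpress"],
             "description": "Drupal, WordPress - DoS - XMLRPC"},
            {"id": "rule-id-2", "action": "block", "enabled": True,
             "categories": ["broken-access-control", "cve-2018-12895", "wordpress"],
             "description": "WordPress - Broken Access Control"},
        ],
        "phase": "http_request_firewall_managed",
    },
    "success": True, "errors": [], "messages": [],
}


def cves_of(rule):
    """Return the CVE identifiers found in a rule's category tags, sorted."""
    found = []
    for tag in rule.get("categories", []):
        match = CVE_TAG.match(tag)
        if match:
            found.append("CVE-%s-%s" % (match.group(1), match.group(2)))
    return sorted(found)


def audit_tagged_rules(response):
    """Summarise a by_tag response: CVE -> rule IDs, plus rules needing review."""
    if not response.get("success"):
        raise ValueError("API call failed: %r" % (response.get("errors"),))
    ruleset = response["result"]
    by_cve, needs_review = {}, []
    for rule in ruleset.get("rules", []):
        cves = cves_of(rule)
        for cve in cves:
            by_cve.setdefault(cve, []).append(rule["id"])
        reasons = []
        if rule.get("action") == "log":
            reasons.append("default action only logs")
        if rule.get("enabled") is False:
            reasons.append("disabled by default")
        if reasons:
            needs_review.append({"id": rule["id"], "cves": cves, "reasons": reasons})
    return {
        "ruleset": ruleset["name"],
        "version": ruleset["version"],
        "by_cve": by_cve,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    summary = audit_tagged_rules(BY_TAG_RESPONSE)
    for item in summary["needs_review"]:
        print(item["id"], ", ".join(item["cves"]), "->", "; ".join(item["reasons"]))
```
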

---

---
title: Add rules to phase entry point rulesets
description: A phase entry point ruleset contains an ordered list of rules that run in that phase. A rule in an entry point ruleset can execute a different ruleset. You can have entry point rulesets for each phase at the account level and at the zone level.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Add rules to phase entry point rulesets

A [phase entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) contains an ordered list of rules that run in that phase. A rule in an entry point ruleset can execute a different ruleset. You can have entry point rulesets for each phase at the account level and at the zone level.

To add one or more rules to a phase entry point ruleset, use one of the [ruleset update operations](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/) of the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/). When you add a rule to an entry point ruleset, the entry point ruleset is created automatically if it does not exist. This API method requires that you include in the request all rules you want to keep in the ruleset, or else they will be removed.

If you are adding a single rule to a ruleset, consider using one of the [rule creation operations](https://developers.cloudflare.com/ruleset-engine/rulesets-api/add-rule/) instead. In this case, the request only includes the definition of the new rule.

Creating an entry point ruleset

Instead of relying on the automatic creation of an entry point ruleset, you can also create this ruleset explicitly using one of the [ruleset creation operations](https://developers.cloudflare.com/ruleset-engine/rulesets-api/create/).

## Example: Set the rules of a phase entry point ruleset at the zone level

The following example sets the rules of a phase entry point ruleset at the zone level for the `http_request_firewall_managed` phase using the [Update a zone entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/update/) operation.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID_1>"
            },
            "expression": "true"
        },
        {
            "action": "execute",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID_2>"
            },
            "expression": "true"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Default",
    "description": "",
    "kind": "zone",
    "version": "1",
    "rules": [
      {
        "id": "<RULE_ID_1>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID_1>"
        },
        "last_updated": "2021-06-17T15:42:37.917815Z"
      },
      {
        "id": "<RULE_ID_2>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID_2>"
        },
        "last_updated": "2021-06-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2021-06-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

## Example: Add a single rule to a phase entry point ruleset at the zone level

The following example adds a single rule to a phase entry point ruleset (with ID `$RULESET_ID`) at the zone level using the [Create a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/) operation.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Create a zone ruleset rule

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "execute",
    "action_parameters": {
        "id": "<MANAGED_RULESET_ID>"
    },
    "expression": "true"
  }'
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point ruleset",
    "description": "",
    "kind": "root",
    "version": "2",
    "rules": [
      {
        "id": "<EXISTING_RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<ANOTHER_MANAGED_RULESET_ID>"
        },
        "last_updated": "2021-03-17T15:42:37.917815Z"
      },
      {
        "id": "<NEW_RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2021-06-30T15:42:37.917815Z"
      }
    ],
    "last_updated": "2021-06-30T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

---

---
title: Deploy rulesets
description: Use the Rulesets API to deploy a ruleset. To deploy a ruleset, add a rule with "action": "execute" to a phase entry point ruleset, specifying the ruleset ID to execute as an action parameter. Use a separate rule for each ruleset you want to deploy.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Deploy rulesets

Use the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/) to deploy a ruleset. To deploy a ruleset, add a rule with `"action": "execute"` to a [phase entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset), specifying the ruleset ID to execute as an action parameter. Use a separate rule for each ruleset you want to deploy.

A rule that executes a ruleset consists of:

* The ID of the ruleset you want to execute, included in `action_parameters.id`.
* An expression.
* The `execute` action.

The rules in the ruleset execute when a request satisfies the expression.

Note

To apply a rule to every request in a phase at the zone level, set the rule expression to `true`.

## Example

The following example deploys the [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ...376e9aee) to the `http_request_firewall_managed` phase of a given zone (`$ZONE_ID`) by adding a rule that executes the managed ruleset.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Config Settings Write`
* `Dynamic URL Redirects Write`
* `Cache Settings Write`
* `Custom Errors Write`
* `Origin Write`
* `Managed headers Write`
* `Zone Transform Rules Write`
* `Mass URL Redirects Write`
* `Magic Firewall Write`
* `L4 DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Write`
* `Sanitize Write`
* `Transform Rules Write`
* `Select Configuration Write`
* `Bot Management Write`
* `Zone WAF Write`
* `Account WAF Write`
* `Account Rulesets Write`
* `Logs Write`

Update a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "action_parameters": {
                "id": "efb7b8c949ac4650a09736fc376e9aee"
            },
            "expression": "true",
            "description": "Execute Cloudflare Managed Ruleset on my zone ruleset"
        }
    ]
  }'
```

```
{
  "result": {
    "id": "<ZONE_PHASE_RULESET_ID>",
    "name": "Zone-level Ruleset 1",
    "description": "",
    "kind": "zone",
    "version": "latest",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee",
          "version": "3"
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my zone ruleset",
        "last_updated": "2021-03-18T18:08:14.003361Z",
        "ref": "<RULE_REF>",
        "enabled": true
      }
    ],
    "last_updated": "2021-03-18T18:08:14.003361Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Warning

This API request replaces any existing rules in the `http_request_firewall_managed` phase entry point ruleset with a single rule.
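Because the entry point `PUT` replaces the whole rule list (the warning above, and the same requirement stated under "Add rules to phase entry point rulesets"), a deployment script can compare its request body with the current entry point before sending it. The following Python is an added example, not part of Cloudflare's documentation or tooling: it reports which existing rules a planned body would keep, add, or remove, and refuses removals that were not explicitly approved. The current-state sample and the `another-managed-ruleset-0001` ID are constructed, and matching rules by executed ruleset ID (or by action and expression for other rules) is an assumption of this example.

```python
class DestructivePut(Exception):
    """Raised when a planned PUT would drop rules not approved for removal."""


# Constructed sample: current entry point as returned by a GET on the entry point.
CURRENT_ENTRYPOINT = {
    "result": {
        "id": "entrypoint-placeholder",
        "kind": "zone",
        "phase": "http_request_firewall_managed",
        "rules": [
            {"id": "rule-0001", "action": "execute", "expression": "true",
             "action_parameters": {"id": "another-managed-ruleset-0001"}},
            {"id": "rule-0002", "action": "execute", "expression": "true",
             "action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee"}},
        ],
    },
    "success": True, "errors": [], "messages": [],
}

# The request body from the deployment example on this page.
PLANNED_BODY = {
    "rules": [
        {"action": "execute",
         "action_parameters": {"id": "efb7b8c949ac4650a09736fc376e9aee"},
         "expression": "true",
         "description": "Execute Cloudflare Managed Ruleset on my zone ruleset"},
    ]
}


def rule_key(rule):
    """Identity used to match a rule across current state and planned body.

    Assumption of this example: an execute rule is identified by the ruleset it
    executes; any other rule by its action and expression.
    """
    if rule.get("action") == "execute":
        return ("execute", rule.get("action_parameters", {}).get("id"))
    return (rule.get("action"), rule.get("expression"))


def put_impact(current_response, planned_body):
    """Return the rules a PUT of planned_body would keep, remove and add.

    Pass current_response=None when the entry point does not exist yet
    (the GET returned 404), in which case nothing can be removed.
    """
    current_rules = []
    if current_response is not None:
        current_rules = current_response["result"].get("rules", [])
    current_keys = [rule_key(r) for r in current_rules]
    planned_keys = [rule_key(r) for r in planned_body.get("rules", [])]
    return {
        "kept": [k for k in current_keys if k in planned_keys],
        "removed": [k for k in current_keys if k not in planned_keys],
        "added": [k for k in planned_keys if k not in current_keys],
    }


def guard_put(current_response, planned_body, allow_removal=()):
    """Return the impact report, or raise if unapproved rules would be removed."""
    impact = put_impact(current_response, planned_body)
    unexpected = [k for k in impact["removed"] if k not in allow_removal]
    if unexpected:
        raise DestructivePut(
            "PUT would remove %d existing rule(s): %r" % (len(unexpected), unexpected)
        )
    return impact


if __name__ == "__main__":
    try:
        guard_put(CURRENT_ENTRYPOINT, PLANNED_BODY)
    except DestructivePut as exc:
        print("refusing to send:", exc)
```
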

## Related resources

For more examples of deploying rulesets, refer to the following pages:

* [Deploy a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/deploy-managed-ruleset/)
* [Managed ruleset override examples](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-examples/)
* [Deploy a custom ruleset](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/deploy-custom-ruleset/)

Refer to [Work with managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/) and [Work with custom rulesets](https://developers.cloudflare.com/ruleset-engine/custom-rulesets/) for more information.

For more information on the available API endpoints for editing and deploying rulesets, refer to [Update or deploy a ruleset](https://developers.cloudflare.com/ruleset-engine/rulesets-api/update/).

---

---
title: View rulesets
description: This page includes examples of the following API operations:
image: https://developers.cloudflare.com/core-services-preview.png
---

# View rulesets

This page includes examples of the following API operations:

* [View available rulesets](#view-available-rulesets)
* [Get an entry point ruleset](#get-an-entry-point-ruleset)
* [View the rules included in a ruleset](#view-the-rules-included-in-a-ruleset)

## View available rulesets

You can list the available rulesets for a zone or account.

For a list of API endpoints, refer to [List and view rulesets](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/).

### Example: View available rulesets at the zone level

The response to the [GET request](https://developers.cloudflare.com/api/resources/rulesets/methods/list/) obtaining the list of rulesets at the zone level will include the following rulesets:

* Managed rulesets you can deploy, indicated by `"kind": "managed"`.
* Zone-level phase entry point rulesets, if configured, indicated by `"kind": "zone"`.
* Custom rulesets, if configured, indicated by `"kind": "custom"`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

List zone rulesets

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": [
    {
      "id": "<ZONE_PHASE_RULESET_ID>",
      "name": "Zone-level Ruleset 1",
      "description": "Ruleset for http_request_firewall_managed phase at the zone level",
      "kind": "zone",
      "version": "2",
      "last_updated": "2021-03-12T14:11:59.754817Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
      "name": "Cloudflare Managed Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives",
      "kind": "managed",
      "version": "2",
      "last_updated": "2021-03-18T14:42:40.972022Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "<CLOUDFLARE_OWASP_CORE_RULESET_ID>",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "kind": "managed",
      "version": "3",
      "last_updated": "2021-03-18T14:42:42.993211Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

### Example: View available rulesets at the account level

The response to the [GET request](https://developers.cloudflare.com/api/resources/rulesets/methods/list/) obtaining the list of rulesets at the account level will include the following rulesets:

* Managed rulesets you can deploy, indicated by `"kind": "managed"`.
* Account-level phase entry point rulesets, if configured, indicated by `"kind": "root"`.
* Custom rulesets, if configured, indicated by `"kind": "custom"`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

List account rulesets

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": [
    {
      "id": "<CUSTOM_RULESET_ID>",
      "name": "Custom Ruleset 1",
      "description": "My custom ruleset",
      "kind": "custom",
      "version": "10",
      "last_updated": "2020-11-23T11:36:24.192361Z",
      "phase": "http_request_firewall_custom"
    },
    {
      "id": "<ACCOUNT_PHASE_RULESET_ID>",
      "name": "Account-level ruleset for http_request_firewall_managed phase",
      "description": "Account-level ruleset for executing one or more Managed Rulesets",
      "kind": "root",
      "version": "2",
      "last_updated": "2021-03-12T14:06:41.323932Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "<CLOUDFLARE_MANAGED_RULESET_ID>",
      "name": "Cloudflare Managed Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives",
      "kind": "managed",
      "version": "5",
      "last_updated": "2021-03-18T14:42:40.972022Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "<CLOUDFLARE_OWASP_CORE_RULESET_ID>",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "kind": "managed",
      "version": "3",
      "last_updated": "2021-03-18T14:42:42.993211Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

## Get an entry point ruleset

You can get the definition of the [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) of a given [phase](https://developers.cloudflare.com/ruleset-engine/about/phases/) at the zone or account level.

If the entry point ruleset exists, the API will return a `200 OK` HTTP status code, along with the ruleset definition.

If the entry point ruleset does not exist, the API will return a `404 Not Found` HTTP status code.

### Example: Get an entry point ruleset at the zone level

The following [GET request](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/) obtains the definition of the entry point ruleset for the `http_request_firewall_managed` phase at the zone level. In this case, the entry point ruleset exists and contains one rule.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get a zone entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point ruleset",
    "description": "This ruleset executes a managed ruleset.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2021-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2021-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Example: Get an entry point ruleset at the account level

The following [GET request](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/) obtains the definition of the entry point ruleset for the `http_request_firewall_managed` phase at the account level.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get an account entry point ruleset

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```
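
The list and entry point responses above can be combined to check which managed rulesets a phase actually executes, including the `404 Not Found` case. The following Python sketch is an added example, not Cloudflare's code; the sample bodies are constructed from the responses on this page, the function names are hypothetical, it inspects a single entry point only, and it assumes a rule without an `enabled` field counts as enabled.

```python
import json

PHASE = "http_request_firewall_managed"

# Constructed sample: body of the zone-level "list rulesets" response (IDs are placeholders).
LIST_BODY = json.loads("""
{"result": [
  {"id": "ZONE_PHASE_RULESET_ID", "name": "Zone-level Ruleset 1",
   "kind": "zone", "phase": "http_request_firewall_managed"},
  {"id": "CLOUDFLARE_MANAGED_RULESET_ID", "name": "Cloudflare Managed Ruleset",
   "kind": "managed", "phase": "http_request_firewall_managed"},
  {"id": "CLOUDFLARE_OWASP_CORE_RULESET_ID", "name": "Cloudflare OWASP Core Ruleset",
   "kind": "managed", "phase": "http_request_firewall_managed"}
], "success": true, "errors": [], "messages": []}
""")

# Constructed sample: 200 OK body of the entry point request for PHASE.
ENTRYPOINT_BODY = json.loads("""
{"result": {"id": "ZONE_PHASE_RULESET_ID", "kind": "zone",
  "phase": "http_request_firewall_managed",
  "rules": [{"id": "RULE_ID", "action": "execute", "expression": "true",
             "action_parameters": {"id": "CLOUDFLARE_MANAGED_RULESET_ID"}}]},
 "success": true, "errors": [], "messages": []}
""")


def executed_rulesets(status, body):
    """Map executed ruleset ID -> rule expression for one entry point response.

    404 Not Found means the phase has no entry point ruleset, so nothing runs.
    """
    if status == 404:
        return {}
    if status != 200 or not body or not body.get("success"):
        raise RuntimeError(f"unexpected entry point response: HTTP {status}")
    executed = {}
    for rule in body["result"].get("rules", []):
        # Assumption: a rule without an explicit "enabled" field counts as enabled.
        if rule.get("action") == "execute" and rule.get("enabled", True):
            rid = rule["action_parameters"]["id"]
            # Keep an unconditional ("true") match if one was already recorded.
            if executed.get(rid) != "true":
                executed[rid] = rule.get("expression", "").strip()
    return executed


def managed_coverage(list_body, phase, status, entrypoint_body):
    """Classify each managed ruleset listed for `phase` by how the entry point runs it."""
    executed = executed_rulesets(status, entrypoint_body)
    report = {}
    for rs in list_body["result"]:
        if rs.get("kind") != "managed" or rs.get("phase") != phase:
            continue
        if rs["id"] not in executed:
            report[rs["name"]] = "not deployed"
        elif executed[rs["id"]] == "true":
            report[rs["name"]] = "all requests"
        else:
            report[rs["name"]] = "conditional"
    return report


if __name__ == "__main__":
    for name, state in managed_coverage(LIST_BODY, PHASE, 200, ENTRYPOINT_BODY).items():
        print(f"{state:13} {name}")
```

A `"kind": "managed"` entry in the list response only means the ruleset is available to deploy; it runs only when an entry point rule executes it.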

## View the rules included in a ruleset

You can view all versions of phase entry point rulesets (at the account and zone levels) and custom rulesets, but you can only view the most recent version of managed rulesets.

### Example: View rules in a phase entry point ruleset at the zone level

The following [GET request](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/subresources/versions/methods/get/) lists the rules in version `2` of the `http_request_firewall_managed` phase entry point ruleset at the zone level.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Response Compression Write`
* `Response Compression Read`
* `Config Settings Write`
* `Config Settings Read`
* `Dynamic URL Redirects Write`
* `Dynamic URL Redirects Read`
* `Cache Settings Write`
* `Cache Settings Read`
* `Custom Errors Write`
* `Custom Errors Read`
* `Origin Write`
* `Origin Read`
* `Managed headers Write`
* `Managed headers Read`
* `Zone Transform Rules Write`
* `Zone Transform Rules Read`
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `HTTP DDoS Managed Ruleset Write`
* `HTTP DDoS Managed Ruleset Read`
* `Sanitize Write`
* `Sanitize Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Bot Management Write`
* `Bot Management Read`
* `Zone WAF Write`
* `Zone WAF Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get a zone entry point ruleset version

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint/versions/2" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point ruleset",
    "description": "This ruleset executes a managed ruleset.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "expression": "true",
        "action_parameters": {
          "id": "<MANAGED_RULESET_ID>"
        },
        "last_updated": "2021-03-17T15:42:37.917815Z"
      }
    ],
    "last_updated": "2021-03-17T15:42:37.917815Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Example: View rules in a managed ruleset

The following [GET request](https://developers.cloudflare.com/api/resources/rulesets/subresources/versions/methods/get/) lists the rules in version `2` of a managed ruleset (the most recent version of that ruleset).

Each rule in a managed ruleset can have associated tags or categories, listed in the `categories` field.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Mass URL Redirects Write`
* `Mass URL Redirects Read`
* `Magic Firewall Write`
* `Magic Firewall Read`
* `L4 DDoS Managed Ruleset Write`
* `L4 DDoS Managed Ruleset Read`
* `Transform Rules Write`
* `Transform Rules Read`
* `Select Configuration Write`
* `Select Configuration Read`
* `Account WAF Write`
* `Account WAF Read`
* `Account Rulesets Read`
* `Account Rulesets Write`
* `Logs Write`
* `Logs Read`

Get an account ruleset version

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$MANAGED_RULESET_ID/versions/2" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": {
    "id": "<MANAGED_RULESET_ID>",
    "name": "Cloudflare Managed Ruleset",
    "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives",
    "kind": "managed",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_1_ID>",
        "version": "1",
        "action": "log",
        "categories": [
          "cve-2014-5265",
          "cve-2014-5266",
          "cve-2014-5267",
          "dos",
          "drupal",
          "wordpress"
        ],
        "description": "Drupal, Wordpress - DoS - XMLRPC - CVE:CVE-2014-5265, CVE:CVE-2014-5266, CVE:CVE-2014-5267",
        "last_updated": "2021-03-18T14:42:40.972022Z",
        "ref": "<RULE_1_REF>",
        "enabled": true
      },
      {
        "id": "<RULE_2_ID>",
        "version": "1",
        "action": "block",
        "categories": ["broken-access-control", "cve-2018-12895", "wordpress"],
        "description": "Wordpress - Broken Access Control - CVE:CVE-2018-12895",
        "last_updated": "2021-03-18T14:42:40.972022Z",
        "ref": "<RULE_2_REF>",
        "enabled": true
      }
      // (...)
    ],
    "last_updated": "2021-03-18T14:42:40.972022Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
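
The `categories`, `action` and `enabled` fields in this response are enough to audit which CVE-tagged rules only log or are switched off. The following Python sketch is an added example, not Cloudflare's code; the sample is constructed from the response above (rule 3 is invented for illustration), the function names are hypothetical, and it assumes that only `block` counts as an enforcing action because that is the only mitigating action shown on this page.

```python
import re

# Constructed sample: "result" object of a managed ruleset version response,
# modeled on the page's example. RULE_3 is invented; all IDs are placeholders.
RULESET = {
    "id": "MANAGED_RULESET_ID",
    "kind": "managed",
    "version": "2",
    "rules": [
        {"id": "RULE_1_ID", "action": "log", "enabled": True,
         "categories": ["cve-2014-5265", "cve-2014-5266", "cve-2014-5267",
                        "dos", "drupal", "wordpress"]},
        {"id": "RULE_2_ID", "action": "block", "enabled": True,
         "categories": ["broken-access-control", "cve-2018-12895", "wordpress"]},
        {"id": "RULE_3_ID", "action": "block", "enabled": False,
         "categories": ["cve-2018-12895", "wordpress"]},
    ],
}

# Category tags that look like CVE identifiers, as in the page's example.
CVE_TAG = re.compile(r"cve-\d{4}-\d{4,}")

# Assumption: only "block" is treated as enforcing; add other mitigating
# actions you rely on before using this for a real audit.
ENFORCING_ACTIONS = {"block"}


def rules_by_cve(ruleset):
    """Index rules by each CVE tag found in their `categories` field."""
    index = {}
    for rule in ruleset.get("rules", []):
        for tag in rule.get("categories") or []:
            if CVE_TAG.fullmatch(tag):
                index.setdefault(tag, []).append(rule)
    return index


def is_enforcing(rule):
    """A rule enforces only when it is enabled and its action mitigates."""
    return bool(rule.get("enabled", False)) and rule.get("action") in ENFORCING_ACTIONS


def unenforced_cves(ruleset):
    """CVE tags for which every tagged rule is disabled or log-only.

    Returns {cve_tag: [(rule_id, action, enabled), ...]}, sorted by tag.
    """
    findings = {}
    for tag, rules in sorted(rules_by_cve(ruleset).items()):
        if not any(is_enforcing(r) for r in rules):
            findings[tag] = [
                (r["id"], r.get("action"), bool(r.get("enabled", False)))
                for r in rules
            ]
    return findings


if __name__ == "__main__":
    for tag, rules in unenforced_cves(RULESET).items():
        print(tag, rules)
```

The result reflects the actions as returned by this endpoint for the ruleset version you requested.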

## Related resources

For more information on the available API methods for viewing rulesets, refer to [List and view rulesets](https://developers.cloudflare.com/ruleset-engine/rulesets-api/view/).

---

---
title: Phases list
description: The following tables list the phases of Cloudflare products powered by the Ruleset Engine, in the order those phases are executed. Some products such as the Cloudflare Web Application Firewall have more than one associated phase.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Phases list

The following tables list the [phases](https://developers.cloudflare.com/ruleset-engine/about/phases/) of Cloudflare products powered by the Ruleset Engine, in the order those phases are executed. Some products such as the Cloudflare Web Application Firewall have more than one associated phase.

## Network layer

[Network-layer](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) phases apply to packets received on the Cloudflare global network.

| Phase name                   | Used in product/feature                                                                                                                                   |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ddos\_l4                     | [Network-layer DDoS Attack Protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/configure-api/)       |
| magic\_transit               | [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-one/traffic-policies/packet-filtering/add-policies/)                           |
| magic\_transit\_managed      | [Cloudflare Network Firewall managed rulesets](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/enable-managed-rulesets/)             |
| magic\_transit\_ratelimit    | [Cloudflare Network Firewall rate limiting policies](https://developers.cloudflare.com/cloudflare-network-firewall/how-to/create-rate-limiting-policies/) |
| magic\_transit\_ids\_managed | [Cloudflare Network Firewall Intrusion Detection System (IDS)](https://developers.cloudflare.com/cloudflare-network-firewall/about/ids/)                  |

## Application layer

[Application-layer](https://www.cloudflare.com/learning/ddos/what-is-layer-7/) phases apply to requests received on the Cloudflare global network.

### Request phases

The phases execute in the order they appear in the table.

| Phase name                           | Used in product/feature                                                                                          |
| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------- |
| http\_request\_dynamic\_redirect     | [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/)                     |
| http\_request\_sanitize              | [URL normalization](https://developers.cloudflare.com/rules/normalization/)                                      |
| http\_request\_transform             | [URL Rewrite Rules](https://developers.cloudflare.com/rules/transform/url-rewrite/)                              |
| _N/A_ (internal phase)               | [Waiting Room Rules](https://developers.cloudflare.com/waiting-room/additional-options/waiting-room-rules/)      |
| http\_request\_api\_gateway\_early\* | [API Shield](https://developers.cloudflare.com/api-shield/)                                                      |
| http\_config\_settings               | [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/)                              |
| http\_request\_origin                | [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/)                                            |
| ddos\_l7\*                           | [HTTP DDoS Attack Protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/)          |
| http\_request\_firewall\_custom      | [Custom rules (Web Application Firewall)](https://developers.cloudflare.com/waf/custom-rules/)                   |
| http\_ratelimit                      | [Rate limiting rules (WAF)](https://developers.cloudflare.com/waf/rate-limiting-rules/)                          |
| http\_request\_api\_gateway\_late    | [API Shield](https://developers.cloudflare.com/api-shield/)                                                      |
| http\_request\_firewall\_managed     | [WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/)                                        |
| http\_request\_sbfm                  | [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/)                 |
| _N/A_ (internal phase)               | [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)                  |
| http\_request\_redirect              | [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/)                         |
| _N/A_ (internal phase)               | [Managed Transforms](https://developers.cloudflare.com/rules/transform/managed-transforms/)                      |
| http\_request\_late\_transform       | [Request Header Transform Rules](https://developers.cloudflare.com/rules/transform/request-header-modification/) |
| http\_request\_cache\_settings       | [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/)                                       |
| http\_request\_snippets              | [Snippets](https://developers.cloudflare.com/rules/snippets/)                                                    |
| http\_request\_cloud\_connector      | [Cloud Connector](https://developers.cloudflare.com/rules/cloud-connector/)                                      |

\* _This phase is for configuration purposes only — the corresponding rules will not be executed at this stage in the request handling process._

Change notice for Super Bot Fight Mode rulesets

Updating Super Bot Fight Mode rules via the Rulesets API is no longer supported and may cause unexpected behavior.

### Response phases

The phases execute in the order they appear in the table.

| Phase name                         | Used in product/feature                                                                                                |
| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| http\_custom\_errors               | [Custom Errors](https://developers.cloudflare.com/rules/custom-errors/)                                                |
| _N/A_ (internal phase)             | [Managed Transforms](https://developers.cloudflare.com/rules/transform/managed-transforms/)                            |
| http\_response\_headers\_transform | [Response Header Transform Rules](https://developers.cloudflare.com/rules/transform/response-header-modification/)     |
| http\_ratelimit                    | [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) (when they use response information) |
| http\_response\_compression        | [Compression Rules](https://developers.cloudflare.com/rules/compression-rules/)                                        |
| http\_response\_firewall\_managed  | [Cloudflare Sensitive Data Detection](https://developers.cloudflare.com/waf/managed-rules/) (Data Loss Prevention)     |
| http\_log\_custom\_fields          | [Logpush custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/)                     |

