Example rules
This custom rule example logs all requests with at least one uploaded content object:
-
When incoming requests match:
Field Operator Value Has content object equals True If you are using the Expression Editor:
(cf.waf.content_scan.has_obj) -
Action: Log
This custom rule example blocks requests addressed at /upload.php that contain at least one uploaded content object considered malicious:
-
When incoming requests match:
Field Operator Value Has malicious content object equals True And URI Path equals /upload.phpIf you are using the Expression Editor:
(cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php") -
Action: Block
This custom rule example blocks requests addressed at /upload with uploaded content objects that are not PDF files:
- When incoming requests match:
any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload" - Action: Block
This custom rule example blocks requests addressed at /upload with uploaded content objects over 500 KB (512,000 bytes) in size:
- When incoming requests match:
any(cf.waf.content_scan.obj_sizes[*] > 512000) and http.request.uri.path eq "/upload" - Action: Block
This custom rule example blocks requests with uploaded content objects over 50 MB in size (the current content scanning limit):
- When incoming requests match:
any(cf.waf.content_scan.obj_sizes[*] >= 52428800) - Action: Block
In this example, you must also test for equality because currently any file over 50 MB will be handled internally as if it had a size of 50 MB (52,428,800 bytes). This means that using the > (greater than) comparison operator would not work for this particular rule — you should use >= (greater than or equal) instead.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
