Configure via API

To enable the Cloudflare OWASP Core Ruleset for a given zone using the API, create a rule with execute action in the entry point ruleset for the http_request_firewall_managed phase. For more information on deploying a managed ruleset, refer to Deploy a managed ruleset.

To configure the Cloudflare OWASP Core Ruleset using the API, create overrides using the Rulesets API. You can perform the following configurations:

Set the paranoia level.
Configure the score threshold.
Specify the action to perform when the threat score is greater than the threshold.

You can also disable specific rules in the managed ruleset using rule overrides.

Set the paranoia level

To enable all the rules up to a specific paranoia level, create tag overrides that disable all the rules associated with higher paranoia levels.

The tags associated with the different paranoia levels are the following:

paranoia-level-1
paranoia-level-2
paranoia-level-3
paranoia-level-4

For example, to enable all the rules associated with Paranoia Level 2 (PL2), disable the rules associated with tags paranoia-level-3 and paranoia-level-4. All rules associated with paranoia levels up to the desired paranoia level will be enabled (in this example, all the rules associated with PL1 and PL2).

Example

This example sets the Cloudflare OWASP Core Ruleset's paranoia level for a zone to PL2. To perform this configuration, you must disable the tags associated with levels PL3 and PL4 (paranoia-level-3 and paranoia-level-4) using tag overrides.

Get the ID of the Cloudflare OWASP Core Ruleset using the List account rulesets method, since WAF's managed rulesets exist at the account level. Alternatively, use the following ruleset ID directly: .
Required API token permissions

At least one of the following token permissions is required:
- Mass URL Redirects Write
- Mass URL Redirects Read
- Magic Firewall Write
- Magic Firewall Read
- L4 DDoS Managed Ruleset Write
- L4 DDoS Managed Ruleset Read
- Transform Rules Write
- Transform Rules Read
- Select Configuration Write
- Select Configuration Read
- Account WAF Write
- Account WAF Read
- Account Rulesets Read
- Account Rulesets Write
- Logs Write
- Logs Read
List account rulesets
```
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```
```
{
  "result": [
    {
      "id": "4814384a9e5d4991b9815dcfc25d2f1f",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core  Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official  code repository",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "35",
      "last_updated": "2022-01-24T21:08:20.293196Z",
      "phase": "http_request_firewall_managed"
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```
Get the ID of the rule that deploys the OWASP ruleset to your zone using the Get a zone entry point ruleset. Search for a rule with "action": "execute" configured with the OWASP ruleset's ID in the action_parameters object (ID ). This rule will only exist if you have already deployed the OWASP ruleset.
Required API token permissions

At least one of the following token permissions is required:
- Response Compression Write
- Response Compression Read
- Config Settings Write
- Config Settings Read
- Dynamic URL Redirects Write
- Dynamic URL Redirects Read
- Cache Settings Write
- Cache Settings Read
- Custom Errors Write
- Custom Errors Read
- Origin Write
- Origin Read
- Managed headers Write
- Managed headers Read
- Zone Transform Rules Write
- Zone Transform Rules Read
- Mass URL Redirects Write
- Mass URL Redirects Read
- Magic Firewall Write
- Magic Firewall Read
- L4 DDoS Managed Ruleset Write
- L4 DDoS Managed Ruleset Read
- HTTP DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Read
- Sanitize Write
- Sanitize Read
- Transform Rules Write
- Transform Rules Read
- Select Configuration Write
- Select Configuration Read
- Bot Management Write
- Bot Management Read
- Zone WAF Write
- Zone WAF Read
- Account WAF Write
- Account WAF Read
- Account Rulesets Read
- Account Rulesets Write
- Logs Write
- Logs Read
- Logs Write
- Logs Read
Get a zone entry point ruleset
```
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```
```
{
  "result": {
    "id": "<ENTRY_POINT_RULESET_ID>",
    "name": "zone",
    "description": "",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "3",
    "rules": [
      // (...)
      {
        "id": "<EXECUTE_RULE_ID>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "4814384a9e5d4991b9815dcfc25d2f1f",
          "version": "latest"
        },
        "expression": "true",
        "last_updated": "2022-02-04T16:27:58.930927Z",
        "ref": "<RULE_REF>",
        "enabled": true
      }
      // (...)
    ],
    "last_updated": "2022-02-07T10:41:31.702744Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Update the rule you identified using the Update a zone ruleset rule operation, adding tag overrides that disable the rules with tags paranoia-level-3 and paranoia-level-4.

Required API token permissions

At least one of the following token permissions is required:

Response Compression Write
Config Settings Write
Dynamic URL Redirects Write
Cache Settings Write
Custom Errors Write
Origin Write
Managed headers Write
Zone Transform Rules Write
Mass URL Redirects Write
Magic Firewall Write
L4 DDoS Managed Ruleset Write
HTTP DDoS Managed Ruleset Write
Sanitize Write
Transform Rules Write
Select Configuration Write
Bot Management Write
Zone WAF Write
Account WAF Write
Account Rulesets Write
Logs Write
Logs Write

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$ENTRY_POINT_RULESET_ID/rules/$EXECUTE_RULE_ID \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "execute",
    "action_parameters": {
        "id": "4814384a9e5d4991b9815dcfc25d2f1f",
        "overrides": {
            "categories": [
                {
                    "category": "paranoia-level-3",
                    "enabled": false
                },
                {
                    "category": "paranoia-level-4",
                    "enabled": false
                }
            ]
        }
    },
    "expression": "true",
    "enabled": true
  }'

For more information on creating overrides, refer to Override a managed ruleset.

Configure the score threshold and the action

To define the score threshold, or to specify the action to perform when the threat score is greater than the threshold, create a rule override for the last rule in the managed ruleset that:

Specifies the action to take in the action property. The available actions are: block (default), managed_challenge, js_challenge, log, and challenge.
Defines the desired anomaly score threshold (an integer value) in the score_threshold property.

Example

This example configures the managed ruleset score threshold and the performed action by creating a rule override for the last rule of the managed ruleset.

Get the ID of the Cloudflare OWASP Core Ruleset using the List account rulesets method, since WAF's managed rulesets exist at the account level. Alternatively, use the following ruleset ID directly: .

Required API token permissions

At least one of the following token permissions is required:

Mass URL Redirects Write
Mass URL Redirects Read
Magic Firewall Write
Magic Firewall Read
L4 DDoS Managed Ruleset Write
L4 DDoS Managed Ruleset Read
Transform Rules Write
Transform Rules Read
Select Configuration Write
Select Configuration Read
Account WAF Write
Account WAF Read
Account Rulesets Read
Account Rulesets Write
Logs Write
Logs Read

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "result": [
    {
      "id": "4814384a9e5d4991b9815dcfc25d2f1f",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "35",
      "last_updated": "2022-01-24T21:08:20.293196Z",
      "phase": "http_request_firewall_managed"
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": []
}

Get the ID of the last rule in the Cloudflare OWASP Core Ruleset. Use the Get an account ruleset method to obtain the list of rules in the ruleset. Alternatively, use the following rule ID directly: .

Required API token permissions

At least one of the following token permissions is required:

Mass URL Redirects Write
Mass URL Redirects Read
Magic Firewall Write
Magic Firewall Read
L4 DDoS Managed Ruleset Write
L4 DDoS Managed Ruleset Read
Transform Rules Write
Transform Rules Read
Select Configuration Write
Select Configuration Read
Account WAF Write
Account WAF Read
Account Rulesets Read
Account Rulesets Write
Logs Write
Logs Read

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/$OWASP_RULESET_ID \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "result": {
    "id": "4814384a9e5d4991b9815dcfc25d2f1f",
    "name": "Cloudflare OWASP Core Ruleset",
    "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
    "source": "firewall_managed",
    "kind": "managed",
    "version": "36",
    "rules": [
      // (...)
      {
        "id": "6179ae15870a4bb7b2d480d4843b323c",
        "version": "35",
        "action": "block",
        "score_threshold": 40,
        "description": "949110: Inbound Anomaly Score Exceeded",
        "last_updated": "2022-02-08T16:11:18.236676Z",
        "ref": "ad0beb2fce9f149e565ee78d6e659d47",
        "enabled": true
      }
    ],
    "last_updated": "2022-02-08T16:11:18.236676Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

Get the ID of the rule that deploys the OWASP ruleset to your zone using the Get a zone entry point ruleset (in this example, <EXECUTE_RULE_ID>). Search for a rule with "action": "execute" configured with the OWASP ruleset's ID in the action_parameters object (ID ). This rule will only exist if you have already deployed the OWASP ruleset.
Required API token permissions

At least one of the following token permissions is required:
- Response Compression Write
- Response Compression Read
- Config Settings Write
- Config Settings Read
- Dynamic URL Redirects Write
- Dynamic URL Redirects Read
- Cache Settings Write
- Cache Settings Read
- Custom Errors Write
- Custom Errors Read
- Origin Write
- Origin Read
- Managed headers Write
- Managed headers Read
- Zone Transform Rules Write
- Zone Transform Rules Read
- Mass URL Redirects Write
- Mass URL Redirects Read
- Magic Firewall Write
- Magic Firewall Read
- L4 DDoS Managed Ruleset Write
- L4 DDoS Managed Ruleset Read
- HTTP DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Read
- Sanitize Write
- Sanitize Read
- Transform Rules Write
- Transform Rules Read
- Select Configuration Write
- Select Configuration Read
- Bot Management Write
- Bot Management Read
- Zone WAF Write
- Zone WAF Read
- Account WAF Write
- Account WAF Read
- Account Rulesets Read
- Account Rulesets Write
- Logs Write
- Logs Read
- Logs Write
- Logs Read
Get a zone entry point ruleset
```
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```
```
{
  "result": {
    "id": "<ENTRY_POINT_RULESET_ID>",
    "name": "zone",
    "description": "",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "3",
    "rules": [
      // (...)
      {
        "id": "<EXECUTE_RULE_ID>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "4814384a9e5d4991b9815dcfc25d2f1f",
          "version": "latest"
        },
        "expression": "true",
        "last_updated": "2022-02-04T16:27:58.930927Z",
        "ref": "<RULE_REF>",
        "enabled": true
      }
      // (...)
    ],
    "last_updated": "2022-02-07T10:41:31.702744Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
Update the rule you identified in the entry point ruleset using the Update a zone ruleset rule operation, adding a rule override for the last rule in the OWASP ruleset (identified in step 2) with the following properties and values:
- "score_threshold": 60
- "action": "managed_challenge"
Required API token permissions

At least one of the following token permissions is required:
- Response Compression Write
- Config Settings Write
- Dynamic URL Redirects Write
- Cache Settings Write
- Custom Errors Write
- Origin Write
- Managed headers Write
- Zone Transform Rules Write
- Mass URL Redirects Write
- Magic Firewall Write
- L4 DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Write
- Sanitize Write
- Transform Rules Write
- Select Configuration Write
- Bot Management Write
- Zone WAF Write
- Account WAF Write
- Account Rulesets Write
- Logs Write
- Logs Write
Update a zone ruleset rule
```
curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$ENTRY_POINT_RULESET_ID/rules/$EXECUTE_RULE_ID \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "execute",
    "action_parameters": {
        "id": "4814384a9e5d4991b9815dcfc25d2f1f",
        "overrides": {
            "rules": [
                {
                    "id": "6179ae15870a4bb7b2d480d4843b323c",
                    "score_threshold": 60,
                    "action": "managed_challenge"
                }
            ]
        }
    },
    "expression": "true",
    "enabled": true
  }'
```

More resources

For more API examples, refer to Managed ruleset override examples in the Ruleset Engine documentation.

Was this helpful?

Community
X
Discord
YouTube
GitHub