Additional information
Cloudflare performs a validation check for every request. The Validation component executes prior to all other WAF features like custom rules or WAF Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs. Actions performed by the Validation component appear in the Activity log associated with the Validation service and without a rule ID. Security events downloaded from the API show source as Validation and action as drop when this behavior occurs.
The following example shows a request blocked by the Validation component due to a malformed User-Agent HTTP request header:
In the downloaded JSON file for the event, the ruleId value indicates the detected issue — in this case, it was a Shellshock attack.
{ "action": "drop", "ruleId": "sanity-shellshock", "source": "sanitycheck", "userAgent": "() { :;}; printf \\\\\"detection[%s]string\\\\\" \\\\\"TjcLLwVzBtLzvbN\\\\" //...}