Get started

1. Enable WAF content scanning

Dashboard
API

Log in to the Cloudflare dashboard ↗, and select your account and domain.
Go to Security > Settings.
Under Incoming traffic detections, turn on Malicious uploads.

Enable the feature using a POST request similar to the following:

curl --request POST \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/enable" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"

2. Validate the content scanning behavior

Use Security Analytics and HTTP logs to validate that malicious content objects are being detected correctly.

You can use the EICAR anti-malware test file ↗ to test content scanning (select the ZIP format).

Alternatively, create a WAF custom rule like described in the next step using a Log action instead of a mitigation action like Block. This rule will generate security events (available in Security > Events) that will allow you to validate your configuration.

3. Create a WAF custom rule

Create a WAF custom rule that blocks detected malicious content objects uploaded to your application.

For example, create a custom rule with the Block action and the following expression:

Field	Operator	Value
Has malicious content object	equals	True

If you use the Expression Editor, enter the following expression:

(cf.waf.content_scan.has_malicious_obj)

This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to Content scanning fields.

Optional: Combine with other Rules language fields

You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine content scanning with other security features. For example:

The following expression will match requests with malicious content objects uploaded to a specific endpoint:

Field Operator Value Logic
Has malicious content object equals True And
URI Path contains upload.php

Expression when using the editor:
```
(cf.waf.content_scan.has_malicious_obj and http.request.uri.path contains "upload.php")
```
The following expression will match requests from bots uploading content objects:

Field Operator Value Logic
Has content object equals True And
Bot Score less than 10

Expression when using the editor:
```
(cf.waf.content_scan.has_obj and cf.bot_management.score lt 10)
```

Field	Operator	Value	Logic
Has malicious content object	equals	True	And
URI Path	contains	`upload.php`

Field	Operator	Value	Logic
Has content object	equals	True	And
Bot Score	less than	`10`

For additional examples, refer to Example rules.

4. (Optional) Configure a custom scan expression

To check uploaded content in a way that is not covered by the default configuration, add a custom scan expression.

Dashboard
API

Log in to the Cloudflare dashboard ↗, and select your account and domain.
Go to Security > Settings.
Under Incoming traffic detections, select Malicious uploads.
Select Add content object location.
In Content location, enter your custom scan expression. For example:
```
lookup_json_string(http.request.body.raw, "file")
```
Select Save.

Use a POST request similar to the following:

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/content-upload-scan/payloads" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '[
  {
    "payload": "lookup_json_string(http.request.body.raw, \"file\")"
  }
]'

The above request will add the following expression to the current list of custom scan expressions:

lookup_json_string(http.request.body.raw, "file")

The custom scan expression will scan any string found in an HTTP body with the following JSON string:

{ "file": "<BASE64_ENCODED_STRING>" }

Refer to the lookup_json_string() function reference for more information and additional examples of looking up fields in nested JSON payloads.

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings