Get started
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Settings.
- Under Incoming traffic detections, turn on Malicious uploads.
Enable the feature using a POST
request similar to the following:
Use Security Analytics and HTTP logs to validate that malicious content objects are being detected correctly.
You can use the EICAR anti-malware test file ↗ to test content scanning (select the ZIP format).
Alternatively, create a WAF custom rule like described in the next step using a Log action instead of a mitigation action like Block. This rule will generate security events (available in Security > Events) that will allow you to validate your configuration.
Create a WAF custom rule that blocks detected malicious content objects uploaded to your application.
For example, create a custom rule with the Block action and the following expression:
Field | Operator | Value |
---|---|---|
Has malicious content object | equals | True |
If you use the Expression Editor, enter the following expression:
This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to Content scanning fields.
Optional: Combine with other Rules language fields
You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine content scanning with other security features. For example:
-
The following expression will match requests with malicious content objects uploaded to a specific endpoint:
Field Operator Value Logic Has malicious content object equals True And URI Path contains upload.php
Expression when using the editor:
-
The following expression will match requests from bots uploading content objects:
Field Operator Value Logic Has content object equals True And Bot Score less than 10
Expression when using the editor:
For additional examples, refer to Example rules.
To check uploaded content in a way that is not covered by the default configuration, add a custom scan expression.
-
Log in to the Cloudflare dashboard ↗, and select your account and domain.
-
Go to Security > Settings.
-
Under Incoming traffic detections, select Malicious uploads.
-
Select Add content object location.
-
In Content location, enter your custom scan expression. For example:
-
Select Save.
Use a POST
request similar to the following:
The above request will add the following expression to the current list of custom scan expressions:
The custom scan expression will scan any string found in an HTTP body with the following JSON string: