title: Required firewall rule changes to enable URL normalization
5
-
6
5
---
7
6
8
-
import { Render } from"~/components"
7
+
import { Render } from"~/components";
9
8
10
9
<Renderfile="deprecation-notice" />
11
10
12
11
On 2021-04-08, Cloudflare announced [URL normalization](/rules/normalization/), a feature that protects zones by normalizing HTTP request URI paths.
13
12
14
-
Malicious users can craft specific URIs that could be interpreted differently by firewall systems and origin systems. When you enable **Normalize incoming URLs**, all rules filtering on the URI path will receive the URL in a canonical form, which provides an extra layer of protection against these malicious users.
13
+
Malicious users can craft specific URIs that could be interpreted differently by firewall systems and origin systems. When you enable **Normalize incoming URLs**, all rules filtering on the URI path will receive the URL in a canonical form, which provides an extra layer of protection against these malicious users.
15
14
16
-
Cloudflaregradually enabled URL normalization for all Cloudflare zones except for those that could be impacted by this change. We determined the impacted zones by analyzing all firewall rules, looking for patterns in HTTP fields that would no longer match when using URL normalization techniques.
15
+
Cloudflaregradually enabled URL normalization for all Cloudflare zones except for those that could be impacted by this change. We determined the impacted zones by analyzing all firewall rules, looking for patterns in HTTP fields that would no longer match when using URL normalization techniques.
17
16
18
17
These fields are the following:
19
18
20
-
*`http.request.uri.path`
21
-
*`http.request.full_uri`
22
-
*`http.request.uri`
19
+
-`http.request.uri.path`
20
+
-`http.request.full_uri`
21
+
-`http.request.uri`
23
22
24
23
Cloudflare did not enable URL normalization automatically for zones that would be impacted by these changes to prevent any change in behavior of your existing firewall rules.
25
24
26
25
## Why URL normalization is important
27
26
28
-
Cloudflare strongly recommends that you enable **Normalize incoming URLs** in **Rules** > **Settings** to strengthen your zone's security posture. Not doing so leaves your zone at greater risk of a successful attack. Malicious parties could craft the URL in a way that the rules are not accounting for.
27
+
Cloudflare strongly recommends that you enable **Normalize incoming URLs** in **Rules** > **URL Normalization** to strengthen your zone's security posture. Not doing so leaves your zone at greater risk of a successful attack. Malicious parties could craft the URL in a way that the rules are not accounting for.
29
28
30
29
For example, a firewall rule with an expression such as `http.request.uri.path contains "/login"` could be bypassed if the malicious actor has encoded the `l` character as `%6C`. In this scenario, and with URL normalization disabled, traffic would not be matched by the firewall rule.
31
30
32
31
Refer to [How URL normalization works](/rules/normalization/how-it-works/) for more information and additional examples.
33
32
34
-
***
33
+
---
35
34
36
35
## Recommended procedure
37
36
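Review bot: several `-`/`+` pairs in this hunk show no visible text difference (the "Malicious users can craft specific URIs…" paragraph, the "Cloudflare gradually enabled URL normalization…" paragraph, and the `import { Render }` line, which only gains a trailing semicolon), so a formatter-only pass (whitespace or reflow) is bundled with the real edits; please say so in the commit message so reviewers can skip the no-op pairs. The substantive changes here are the dashboard path **Rules** > **Settings** becoming **Rules** > **URL Normalization**, the `*` list markers becoming `-`, and the `***` thematic break becoming `---`; for the three `http.request.*` bullets, confirm a space follows the `-` marker, since the rendered view shows them as `` -`http.request.uri.path` `` without one.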
@@ -46,23 +45,23 @@ These steps will ensure a stronger security posture on your zone(s).
46
45
47
46
Before enabling URL normalization, you should review the affected firewall rules on your zone(s) and take one of the following approaches:
48
47
49
-
* Edit these firewall rules to remove the parts which will no longer trigger once normalized — for example, any rules that look for `//` or `../` in URL paths. Administrators previously created these rules to perform a limited URL normalization, and these rules can now be safely disabled and then deleted.
48
+
- Edit these firewall rules to remove the parts which will no longer trigger once normalized — for example, any rules that look for `//` or `../` in URL paths. Administrators previously created these rules to perform a limited URL normalization, and these rules can now be safely disabled and then deleted.
50
49
51
-
* If you wish to identify visitors with non-normalized URI paths with these firewall rules, you should update them to use the original (or raw) non-normalized fields. These fields are the following:
50
+
- If you wish to identify visitors with non-normalized URI paths with these firewall rules, you should update them to use the original (or raw) non-normalized fields. These fields are the following:
52
51
53
-
*`raw.http.request.uri.path`
54
-
*`raw.http.request.full_uri`
55
-
*`raw.http.request.uri`
52
+
-`raw.http.request.uri.path`
53
+
-`raw.http.request.full_uri`
54
+
-`raw.http.request.uri`
56
55
57
56
### 2. Enable URL normalization
58
57
59
-
Once you have updated the affected firewall rules, enable URL normalization in **Rules** > **Settings**.
58
+
Once you have updated the affected firewall rules, enable URL normalization in **Rules** > **URL Normalization**.
60
59
61
60
A Cloudflare user must have the [Firewall role](/fundamentals/setup/manage-members/roles/) or one of the Administrator roles to access URL normalization settings in the dashboard.
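Review bot: the first bullet under "Before enabling URL normalization" tells administrators to disable and then delete rules that look for `//` or `../` in URL paths, yet step 2 ("Enable URL normalization") only comes afterwards, so following the steps literally leaves a window in which neither those rules nor normalization protects the zone. Suggest rewording the bullet to say these rules become redundant once normalization is enabled and can be disabled after step 2, or moving the disable-and-delete advice into a step 3. The updated path **Rules** > **URL Normalization** matches the change in the previous hunk, and switching the `raw.http.request.*` bullets from `*` to `-` is consistent with the rest of the commit.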
description: Examples of the impact of different URL normalization settings in
10
8
the URLs of incoming requests.
11
-
9
+
tableOfContents: false
12
10
---
13
11
14
12
The following table shows how different [URL normalization settings](/rules/normalization/settings/) affect request URLs before they pass to other Cloudflare features and to the origin server:
15
13
16
-
17
-
18
14
| Incoming URL | Normalization type | Normalize incoming URLs | Normalize URLs to origin | URL at Cloudflare's network | URL passed to origin server |
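Review bot: the removed line at old line 11 (between `the URLs of incoming requests.` and `tableOfContents: false`) shows no content in this view, so it is not possible to tell whether `tableOfContents: false` replaces an existing frontmatter key or is merely moved; a one-line mention in the commit message would help. Dropping the two blank lines (old lines 16 and 17) before the `| Incoming URL | …` header is fine because one blank line (new line 13) still separates the introductory sentence from the table, which is what MDX needs for the table to render.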
Cloudflare provides a URL normalization feature to modify the URLs of incoming requests so that they conform to a consistent formatting standard.
12
11
13
12
When you enable URL normalization, all incoming URLs are normalized before they pass to subsequent global network features that accept a URL input, such as WAF custom rules, Workers, and Access. Rule expressions that filter traffic based on URLs will therefore trigger correctly, regardless of the format of the incoming URL. When URL normalization is disabled, Cloudflare forwards the URL to origin in its original form.
14
13
15
14
:::caution
16
15
17
-
When traffic is proxied via Cloudflare, essential request URL normalization is always applied regardless whether URL normalization is enabled for a specific zone. For example, you cannot disable the conversion of two or more adjacent slashes into a single slash in a request URL by turning off URL normalization.
16
+
When traffic is proxied via Cloudflare, essential request URL normalization is always applied regardless whether URL normalization is enabled for a specific zone. For example, you cannot disable the conversion of two or more adjacent slashes into a single slash in a request URL by turning off URL normalization.
18
17
:::
19
18
20
19
URL normalization does not perform any <GlossaryTooltipterm="redirect">redirects</GlossaryTooltip>, and therefore it will not change the address displayed in the visitor's browser. The normalization operation, when enabled, occurs on the global network and affects Cloudflare features executed later and (optionally) the URL received at the origin server.
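Review bot: the `:::caution` paragraph is removed and re-added with identical visible text ("When traffic is proxied via Cloudflare, essential request URL normalization is always applied regardless whether…"), so this is a whitespace or wrapping change; since the line is being touched anyway, fix "regardless whether" to "regardless of whether" in the `+` line. Also confirm the re-added line still sits inside the `:::caution` / `:::` fence that the context lines show on either side of it.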
The Cloudflare dashboard provides the following settings to manage URL normalization:
13
10
11
+
-**Normalization type** (default: _RFC-3986_)
14
12
13
+
- Selects the type of normalization to perform:
15
14
16
-
***Normalization type** (default: *RFC-3986*)
17
-
18
-
* Selects the type of normalization to perform:
19
-
20
-
**RFC-3986* – Applies URL normalization strictly according to [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).
21
-
22
-
**Cloudflare* – In addition to what is defined in RFC 3986, applies [extra URL normalization techniques](/rules/normalization/how-it-works/#cloudflare-normalization).
23
-
24
-
***Normalize incoming URLs** (default: *On*)
15
+
-_RFC-3986_ – Applies URL normalization strictly according to [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).
25
16
26
-
* Configures the URLs of all incoming traffic to Cloudflare:
17
+
-_Cloudflare_ – In addition to what is defined in RFC 3986, applies [extra URL normalization techniques](/rules/normalization/how-it-works/#cloudflare-normalization).
27
18
28
-
* When enabled, all incoming URLs are normalized before they pass to subsequent Cloudflare features that can receive a URL as input, such as Page Rules, WAF custom rules, Workers, and Access.
29
-
* When disabled, incoming URLs are not normalized before passing to subsequent Cloudflare features.
19
+
-**Normalize incoming URLs** (default: _On_)
30
20
31
-
***Normalize URLs to origin** (default: *Off*)
21
+
- Configures the URLs of all incoming traffic to Cloudflare:
32
22
33
-
* Configures URLs sent to the origin:
23
+
- When enabled, all incoming URLs are normalized before they pass to subsequent Cloudflare features that can receive a URL as input, such as Page Rules, WAF custom rules, Workers, and Access.
24
+
- When disabled, incoming URLs are not normalized before passing to subsequent Cloudflare features.
34
25
35
-
* When enabled, requests sent to the origin are normalized.
36
-
* When disabled, requests sent to the origin are not modified.
26
+
-**Normalize URLs to origin** (default: _Off_)
37
27
38
-
* You can only view and enable this option when **Normalize incoming URLs** is enabled.
28
+
- Configures URLs sent to the origin:
39
29
30
+
- When enabled, requests sent to the origin are normalized.
31
+
- When disabled, requests sent to the origin are not modified.
40
32
33
+
- You can only view and enable this option when **Normalize incoming URLs** is enabled.
41
34
42
35
For examples of how these settings affect URL normalization, refer to the [URL normalization examples](/rules/normalization/examples/).
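Review bot: the re-added "Normalize incoming URLs" sub-bullet lists "Page Rules, WAF custom rules, Workers, and Access" as features that receive the normalized URL, while the overview paragraph shown in this commit's context lists only "WAF custom rules, Workers, and Access"; please align the two lists (either add Page Rules to the overview or drop it here). The hunk also converts `*` markers to `-`, `*RFC-3986*`/`*On*`/`*Off*` to `_RFC-3986_`/`_On_`/`_Off_`, and rebuilds the nested list; indentation is not visible in this view, so confirm that the `- Selects the type…`, `- _RFC-3986_ …`, `- Configures …` and `- When enabled…` items are indented under their parent **Normalization type**, **Normalize incoming URLs** and **Normalize URLs to origin** bullets so they render as nested lists rather than a flat one.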