[Rules] Snippets updates (#22303)

pedrosousa · web-flow · commit fe5be3f44b03 · 2025-05-09T11:24:05.000+01:00
* Update IP lists anchor name

* Mention WAF attack score

* Update two snippet examples with rules also
diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx
@@ -22,7 +22,7 @@ Use overrides to configure the HTTP DDoS Attack Protection managed ruleset. Over
 
 Overrides can have a ruleset, tag, or rule scope. Tag and rule configurations have greater priority than ruleset configurations.
 
-You can create overrides at the zone level and at the account level. Account-level overrides allow you to apply the same override to several zones in your account with a single rule. For example, you can use an account-level override to lower the sensitivity of a specific managed ruleset rule or exclude an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) for multiple zones. However, if a given zone has overrides for the HTTP DDoS Attack Protection managed ruleset, the account-level overrides will not be evaluated for that zone.
+You can create overrides at the zone level and at the account level. Account-level overrides allow you to apply the same override to several zones in your account with a single rule. For example, you can use an account-level override to lower the sensitivity of a specific managed ruleset rule or exclude an [IP list](/waf/tools/lists/custom-lists/#ip-lists) for multiple zones. However, if a given zone has overrides for the HTTP DDoS Attack Protection managed ruleset, the account-level overrides will not be evaluated for that zone.
 
 :::caution[Important]
 
@@ -141,7 +141,7 @@ For more information on defining overrides for managed rulesets using the Rulese
 
 ### Account-level configuration example
 
-The following `PUT` example creates a new phase ruleset (or updates the existing one) for the `ddos_l7` phase at the account level. The example defines a single rule override for requests coming from IP addresses in the `allowlisted_ips` [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), with the following configuration:
+The following `PUT` example creates a new phase ruleset (or updates the existing one) for the `ddos_l7` phase at the account level. The example defines a single rule override for requests coming from IP addresses in the `allowlisted_ips` [IP list](/waf/tools/lists/custom-lists/#ip-lists), with the following configuration:
 
 - The rule with ID `<MANAGED_RULESET_RULE_ID>`, belonging to the HTTP DDoS Attack Protection managed ruleset (with ID `<MANAGED_RULESET_ID>`), will have an `eoff` (_Essentially Off_) sensitivity level and it will perform a `log` action.
 
diff --git a/src/content/docs/firewall/cf-dashboard/rule-preview.mdx b/src/content/docs/firewall/cf-dashboard/rule-preview.mdx
@@ -36,6 +36,6 @@ In this screenshot, a rule that matches all User-Agents that contain the string
 
 **Rule Preview does not take into account other firewall rules** that you have already configured. In effect, Rule Preview tests a single firewall rule in isolation. Security events or any other rules with a higher priority that may have blocked or challenged a request are ignored.
 
-**You cannot test firewall rules that reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists)**.
+**You cannot test firewall rules that reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists)**.
 
 **Cloudflare does not store the entirety of requests, so only a limited number of fields are available to Rule Preview**. The table below lists the fields that Rule Preview supports (green cells), broken down by operator. Fields and operators that are not supported are not included in this table.
diff --git a/src/content/docs/firewall/cf-firewall-rules/index.mdx b/src/content/docs/firewall/cf-firewall-rules/index.mdx
@@ -16,6 +16,6 @@ Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HT
 
 <Render file="deprecation-notice" />
 
-In a firewall rule you define an [expression](/ruleset-engine/rules-language/expressions/) that tells Cloudflare what to look for in a request, and specify the appropriate [action](/firewall/cf-firewall-rules/actions/) to take when those conditions are met. Expressions can reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) - groups of IP addresses that you can reference collectively by name.
+In a firewall rule you define an [expression](/ruleset-engine/rules-language/expressions/) that tells Cloudflare what to look for in a request, and specify the appropriate [action](/firewall/cf-firewall-rules/actions/) to take when those conditions are met. Expressions can reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists) - groups of IP addresses that you can reference collectively by name.
 
 To write firewall rule expressions, use the [Rules language](/ruleset-engine/rules-language/), a powerful expression language inspired in the Wireshark Display Filter language.
diff --git a/src/content/docs/magic-firewall/about/list-types.mdx b/src/content/docs/magic-firewall/about/list-types.mdx
@@ -11,7 +11,7 @@ The threat intelligence feed categories are described in [Managed IP Lists](/waf
 
 ## IP lists
 
-Use [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/magic-firewall/how-to/add-rules/#use-an-ip-list) to check an example of how to use an IP list.
+Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/magic-firewall/how-to/add-rules/#use-an-ip-list) to check an example of how to use an IP list.
 
 ## Geo-blocking
 
diff --git a/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx b/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx
@@ -71,7 +71,7 @@ Rule 10 in the example ruleset below is acting as a catch-all to block all traff
 
 Follow the best practices for internal routers or firewall interface IP addresses on your MT prefixes below.
 
-1. Create [an IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), **Internal routers** for example, with your IP addresses.
+1. Create [an IP list](/waf/tools/lists/custom-lists/#ip-lists), **Internal routers** for example, with your IP addresses.
 2. Block ICMP if it is not needed.
 3. Permit GRE/ESP as needed if the devices have GRE/IPsec tunnels via the Internet.
 
@@ -101,7 +101,7 @@ Where possible, permit the required destination IP addresses and ports for web s
 
 The following is an example of suggested rules, but you should only make changes based on your specific requirements. For example, if you are not proxied by Cloudflare Layer 7 protection and you expect traffic sourced from the web towards your web servers:
 
-1. Create [an IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), **web servers** for example, to list IP addresses for your web servers.
+1. Create [an IP list](/waf/tools/lists/custom-lists/#ip-lists), **web servers** for example, to list IP addresses for your web servers.
 2. Permit traffic for the web server traffic inbound from the Internet.
 3. Permit traffic for the infrastructure or client traffic flows from the Internet, for example DNS and NTP.
 4. Block all other traffic destined for the web server IP addresses.
diff --git a/src/content/docs/magic-firewall/how-to/use-rules-list.mdx b/src/content/docs/magic-firewall/how-to/use-rules-list.mdx
@@ -8,7 +8,7 @@ head:
     content: Define an IP list
 ---
 
-[IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions.
+[IP lists](/waf/tools/lists/custom-lists/#ip-lists) are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions.
 
 IP lists are defined at the account level and can be used to match against `ip.src` and `ip.dst` fields. Currently, Magic Firewall only supports IPv4 addresses in these lists, not IPv6.
 
diff --git a/src/content/docs/rules/snippets/examples/maintenance.mdx b/src/content/docs/rules/snippets/examples/maintenance.mdx
@@ -12,30 +12,33 @@ title: Maintenance page
 description: Serve a custom maintenance page instead of fetching content from the origin server or cache. Ideal for downtime notifications, planned maintenance, or emergency messages.
 ---
 
+## Snippet code
+
 ```js
 // Define your customizable inputs
 const statusCode = 503;
 const title = "We'll Be Right Back!";
-const message = "Our site is currently undergoing scheduled maintenance. We’re working hard to bring you a better experience. Thank you for your patience and understanding.";
+const message =
+	"Our site is currently undergoing scheduled maintenance. We’re working hard to bring you a better experience. Thank you for your patience and understanding.";
 const estimatedTime = "1 hour";
 const contactEmail = "support@example.com";
 const contactPhone = "+1 234 567 89";
 
 export default {
-    async fetch(request) {
-        // Serve the maintenance page as a response
-        return new Response(generateMaintenancePage(), {
-            status: statusCode,
-            headers: {
-                "Content-Type": "text/html",
-                "Retry-After": "3600", // Suggest retry after 1 hour
-            },
-        });
-    },
+	async fetch(request) {
+		// Serve the maintenance page as a response
+		return new Response(generateMaintenancePage(), {
+			status: statusCode,
+			headers: {
+				"Content-Type": "text/html",
+				"Retry-After": "3600", // Suggest retry after 1 hour
+			},
+		});
+	},
 };
 
 function generateMaintenancePage() {
-    return `
+	return `
     <!DOCTYPE html>
     <html lang="en">
     <head>
@@ -105,3 +108,19 @@ function generateMaintenancePage() {
     `;
 }
 ```
+
+## Snippet rule
+
+Configure a custom filter expression:
+
+| Field             | Operator       | Value       |
+| ----------------- | -------------- | ----------- |
+| IP Source Address | is not in list | `admin_ips` |
+
+If you are using the Expression Editor, enter the following expression:
+
+```txt
+(not ip.src in $admin_ips)
+```
+
+The [IP list](/waf/tools/lists/custom-lists/#ip-lists) `admin_ips` was previously created and contains the list of IP addresses of the site administrators, which will be able to access the site during the maintenance period.
diff --git a/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx b/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx
@@ -1,7 +1,7 @@
 ---
 type: example
 summary: Define a delay to be used when incoming requests match a rule you
-  consider suspicious.
+  consider suspicious based on the bot score.
 goal:
   - Other
 operation:
@@ -11,9 +11,11 @@ products:
 pcx_content_type: example
 title: Slow down suspicious requests
 description: Define a delay to be used when incoming requests match a rule you
-  consider suspicious.
+  consider suspicious based on the bot score.
 ---
 
+## Snippet code
+
 ```js
 export default {
 	async fetch(request) {
@@ -30,3 +32,17 @@ export default {
 	},
 };
 ```
+
+## Snippet rule
+
+Configure a custom filter expression:
+
+| Field     | Operator  | Value |
+| --------- | --------- | ----- |
+| Bot Score | less than | `10`  |
+
+If you are using the Expression Editor, enter the following expression:
+
+```txt
+(cf.bot_management.score lt 10)
+```
diff --git a/src/content/docs/rules/snippets/how-it-works.mdx b/src/content/docs/rules/snippets/how-it-works.mdx
@@ -6,14 +6,13 @@ sidebar:
 head:
   - tag: title
     content: How it works
-
 ---
 
 Cloudflare Snippets are executed based on rules defined within your zone. Here is how the process works:
 
 ## Request evaluation
 
-For each incoming request, Cloudflare evaluates the expression of every Snippet Rule defined in the zone. The evaluation checks for a match based on various request properties (such as bot score, country of origin, cookies).
+For each incoming request, Cloudflare evaluates the expression of every Snippet Rule defined in the zone. The evaluation checks for a match based on various request properties (such as bot score, WAF attack score, country of origin, and cookies).
 
 ## Snippet execution
 
diff --git a/src/content/docs/rules/transform/response-header-modification/index.mdx b/src/content/docs/rules/transform/response-header-modification/index.mdx
@@ -55,7 +55,7 @@ You can create a response header transform rule [in the dashboard](/rules/transf
 
 - You cannot modify the value of certain headers such as `server`, `eh-cache-tag`, or `eh-cdn-cache-control`.
 
-- Currently you cannot reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) in expressions of Response Header Transform Rules.
+- Currently you cannot reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists) in expressions of Response Header Transform Rules.
 
 - The HTTP response header removal operation will remove all response headers with the provided name.
 
diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx
@@ -104,6 +104,7 @@ Cloudflare Business and Enterprise customer plans have access to the `matches` [
 Cloudflare has a few limits in place regarding regular expressions. One of those limits is that each rule supports a maximum of 64 regular expressions (regexes), regardless of your domain's plan.
 
 You can use the following strategies to reduce the number of regular expressions in a rule:
+
 - Use the [`contains`](/ruleset-engine/rules-language/operators/#comparison-operators) operator.
 - Use the [`wildcard`](/ruleset-engine/rules-language/operators/#wildcard-matching) / [`strict wildcard`](/ruleset-engine/rules-language/operators/#wildcard-matching) operators.
 - Use the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) and [`ends_with()`](/ruleset-engine/rules-language/functions/#ends_with) functions.
@@ -236,7 +237,7 @@ Lists allow you to create a group of items and refer to them collectively, by na
 
 To refer to a list in a rule expression, use `$<list_name>` and specify the `in` [operator](/ruleset-engine/rules-language/operators/). Only one value in the list has to match the left-hand side of the expression (before the `in` operator) for the simple expression to evaluate to `true`. If there is no match, the expression will evaluate to `false`.
 
-The following example expression filters requests from IP addresses that are in an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) named `office_network`:
+The following example expression filters requests from IP addresses that are in an [IP list](/waf/tools/lists/custom-lists/#ip-lists) named `office_network`:
 
 ```sql
 (ip.src in $office_network)
@@ -267,5 +268,3 @@ ip.src in {198.51.100.1 198.51.100.3..198.51.100.7 192.0.2.0/24 2001:0db8::/32}
 
 tcp.dstport in {8000..8009 8080..8089}
 ```
-
-
diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx
@@ -96,7 +96,7 @@ This section allows you to configure multiple security-related settings. The fol
 | [Client-side resource alerts](/page-shield/detection/configure-alerts/#rule-form)                                       | **Security** > **Page Shield** > **Settings**<br/>Account Home > **Notifications**                                  |
 | [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint)                                               | **Security** > **Page Shield** > **Settings**                                                                       |
 | [Data processing](/page-shield/reference/settings/#connection-target-details)                                           | **Security** > **Page Shield** > **Settings**                                                                       |
-| [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists)                                             | Account Home > **Manage Account** > **Configurations**                                                              |
+| [IP lists](/waf/tools/lists/custom-lists/#ip-lists)                                                                     | Account Home > **Manage Account** > **Configurations**                                                              |
 | [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations)                 | **Security** > **Settings**                                                                                         |
 | [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions)                                   | **Security** > **Settings**                                                                                         |
 | [Custom sensitive data deployment](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard)   | **Security** > **Sensitive Data**                                                                                   |
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx
@@ -6,10 +6,10 @@ head:
     content: Allow traffic from IP addresses in allowlist only
 ---
 
-This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists)).
+This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)).
 
 1.  [Create an IP list](/waf/tools/lists/create-dashboard/) with the IP addresses for which you want to allow access.<br/>
-    For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists).
+    For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#ip-lists).
 
 2.  Create a custom rule skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example).
 
diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
@@ -34,7 +34,7 @@ A common use case is to limit the rate of requests performed by individual user
 
 Another use case when controlling access to resources is to exclude or include IP addresses or Autonomous System Numbers (ASNs) from a rate limiting rule.
 
-The following example rule allows up to 10 requests per minute from the same IP address doing a `GET` request for `/status`, as long as the visitor's IP address is not included in the `partner_ips` [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists).
+The following example rule allows up to 10 requests per minute from the same IP address doing a `GET` request for `/status`, as long as the visitor's IP address is not included in the `partner_ips` [IP list](/waf/tools/lists/custom-lists/#ip-lists).
 
 | Setting                  | Value                                                                                                        |
 | ------------------------ | ------------------------------------------------------------------------------------------------------------ |
diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
@@ -231,4 +231,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali
 
 - If the rule expression [includes IP lists](/waf/tools/lists/use-in-expressions/), you must enable the **Also apply rate limiting to cached assets** parameter.
 
-- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
+- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [IP lists](/waf/tools/lists/custom-lists/#ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
diff --git a/src/content/docs/waf/tools/ip-access-rules/index.mdx b/src/content/docs/waf/tools/ip-access-rules/index.mdx
@@ -22,7 +22,7 @@ IP Access rules are commonly used to block or challenge suspected malicious traf
 
 Cloudflare recommends that you create [WAF custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):
 
-- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) in the custom rule expression.
+- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#ip-lists) in the custom rule expression.
 - For geoblocking, use fields such as _AS Num_, _Country_, and _Continent_ in the custom rule expression.
 
 ---
diff --git a/src/content/docs/waf/tools/lists/custom-lists.mdx b/src/content/docs/waf/tools/lists/custom-lists.mdx
