From 12531cf6387507b3d89611bf924567e3d11e4107 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:41:38 +0100 Subject: [PATCH 1/6] [WAF] Add exposed credentials managed ruleset API example --- .../reference/exposed-credentials-check.mdx | 120 +++++++++++++++++- 1 file changed, 117 insertions(+), 3 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 904f7edd0431f9c..04ece3b413cff26 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx @@ -5,7 +5,7 @@ sidebar: order: 4 --- -import { Render } from "~/components"; +import { Render, RuleID } from "~/components"; The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials. 
@@ -39,14 +39,124 @@ You can configure the following settings of the Cloudflare Exposed Credentials C - **Set the action to perform.** When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: _Managed Challenge_, _Block_, _JS Challenge_, _Log_, and _Interactive Challenge_. To remove the action override, set the ruleset action to _Default_. - **Override the action performed by individual rules.** The available actions are: _Exposed-Credential-Check Header_, _Managed Challenge_, _Block_, _JS Challenge_, _Log_, and _Interactive Challenge_. For more information, refer to [Available actions](/waf/managed-rules/check-for-exposed-credentials/#available-actions). - **Disable specific rules.** -- **Customize the filter expression.** With a custom expression, the Cloudflare Managed Ruleset applies only to a subset of the incoming requests. +- **Customize the filter expression.** With a custom expression, the Cloudflare Exposed Credentials Check Managed Ruleset applies only to a subset of the incoming requests. - **Configure [payload logging](/waf/managed-rules/payload-logging/configure/)**. For details on configuring a managed ruleset in the dashboard, refer to [Configure a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-managed-ruleset). ## Configure via API -To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the entry point ruleset for the `http_request_firewall_managed` phase. For more information on deploying a managed ruleset, refer to [Deploy a managed ruleset](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/). +To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the entry point ruleset for the `http_request_firewall_managed` phase. 
+ +### Example + +This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to the `http_request_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests. + +1. Search for an existing [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_request_firewall_managed` phase using the [List zone rulesets](/api/operations/listZoneRulesets) operation and take note of the ruleset ID. This ruleset, if it exists, has the following properties: `"kind": "zone"` and `"phase": "http_request_firewall_managed"`. + + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " + ``` + + ```json output {5,9,12} + { + "result": [ + // ... + { + "id": "", + "name": "default", + "description": "", + "source": "firewall_managed", + "kind": "zone", + "version": "5", + "last_updated": "2024-07-22T16:04:19.788697Z", + "phase": "http_request_firewall_managed" + } + // ... + ], + "success": true, + "errors": [], + "messages": [] + } + ``` + +2. If the entry point ruleset does not exist (the previous command returned a `404 Not Found` status code), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. 
+ + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "My ruleset", + "description": "Entry point ruleset for WAF managed rulesets", + "kind": "zone", + "phase": "http_request_firewall_managed", + "rules": [ + { + "action": "execute", + "action_parameters": { + "id": "c2e184081120413c86c3ab7e14069605" + }, + "expression": "true", + "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset" + } + ] + }' + ``` + + If the entry point ruleset already exists, add a rule to this ruleset (with ID `{ruleset_id}`) using the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation. This rule executes the Cloudflare Exposed Credentials Check Managed Ruleset (with ID ) for all incoming requests in the zone. + + ```bash + curl --request PUT \ + "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "action": "execute", + "action_parameters": { + "id": "c2e184081120413c86c3ab7e14069605" + }, + "expression": "true", + "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset" + }' + ``` + + ```json output + { + "result": { + "id": "", + "name": "Zone-level phase entry point", + "description": "", + "kind": "zone", + "version": "3", + "rules": [ + // ... 
any existing rules + { + "id": "", + "version": "1", + "action": "execute", + "action_parameters": { + "id": "c2e184081120413c86c3ab7e14069605", + "version": "latest" + }, + "expression": "true", + "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset", + "last_updated": "2024-03-18T18:08:14.003361Z", + "ref": "", + "enabled": true + } + ], + "last_updated": "2024-03-18T18:08:14.003361Z", + "phase": "http_request_firewall_managed" + }, + "success": true, + "errors": [], + "messages": [] + } + ``` + +### Next steps To configure the Exposed Credentials Check Managed Ruleset via API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations: @@ -62,3 +172,7 @@ Besides activating the Exposed Credentials Check Managed Ruleset, you can also c For more information, refer to [Create a custom rule checking for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/configure-api/#create-a-custom-rule-checking-for-exposed-credentials). ::: + +### More resources + +For more information on working with managed rulesets via API, refer to [Work with managed rulesets](/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation. From 7b5c0476e56148433582c82a9bcab785c29ba187 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:49:02 +0100 Subject: [PATCH 2/6] [WAF] Add sensitive data detection API example --- .../reference/sensitive-data-detection.mdx | 118 +++++++++++++++++- 1 file changed, 115 insertions(+), 3 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index c06835c32302d03..e72c40e50e5d733 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
+++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
@@ -42,9 +42,117 @@ For details on configuring a managed ruleset in the dashboard, refer to [Configu ## Configure via API -To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase. For more information on deploying a managed ruleset, refer to [Deploy a managed ruleset](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/). - -The ruleset ID is the following: . +To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase. + +### Example + +This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the `http_response_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests. + +1. Search for an existing [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase using the [List zone rulesets](/api/operations/listZoneRulesets) operation and take note of the ruleset ID. This ruleset, if it exists, has the following properties: `"kind": "zone"` and `"phase": "http_response_firewall_managed"`. + + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " + ``` + + ```json output {5,9,12} + { + "result": [ + // ... + { + "id": "", + "name": "default", + "description": "", + "source": "firewall_managed", + "kind": "zone", + "version": "5", + "last_updated": "2024-07-22T16:04:19.788697Z", + "phase": "http_response_firewall_managed" + } + // ... + ], + "success": true, + "errors": [], + "messages": [] + } + ``` + +2. 
If the entry point ruleset does not exist (the previous command returned a `404 Not Found` status code), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. + + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "My ruleset", + "description": "Entry point ruleset for WAF managed rulesets (response)", + "kind": "zone", + "phase": "http_response_firewall_managed", + "rules": [ + { + "action": "execute", + "action_parameters": { + "id": "e22d83c647c64a3eae91b71b499d988e" + }, + "expression": "true", + "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset" + } + ] + }' + ``` + + If the entry point ruleset already exists, add a rule to this ruleset (with ID `{ruleset_id}`) using the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation. This rule executes the Cloudflare Sensitive Data Detection managed ruleset (with ID ) for all incoming requests in the zone. + + ```bash + curl --request PUT \ + "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "action": "execute", + "action_parameters": { + "id": "e22d83c647c64a3eae91b71b499d988e" + }, + "expression": "true", + "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset" + }' + ``` + + ```json output + { + "result": { + "id": "", + "name": "Zone-level phase entry point", + "description": "", + "kind": "zone", + "version": "3", + "rules": [ + // ... 
any existing rules + { + "id": "", + "version": "1", + "action": "execute", + "action_parameters": { + "id": "e22d83c647c64a3eae91b71b499d988e", + "version": "latest" + }, + "expression": "true", + "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset", + "last_updated": "2024-03-18T18:08:14.003361Z", + "ref": "", + "enabled": true + } + ], + "last_updated": "2024-03-18T18:08:14.003361Z", + "phase": "http_response_firewall_managed" + }, + "success": true, + "errors": [], + "messages": [] + } + ``` + +### Next steps To configure Cloudflare Sensitive Data Detection using the API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations: @@ -53,6 +161,10 @@ To configure Cloudflare Sensitive Data Detection using the API, create [override For examples of creating overrides using the API, refer to [Override a managed ruleset](/ruleset-engine/managed-rulesets/override-managed-ruleset/). +### More resources + +For more information on working with managed rulesets via API, refer to [Work with managed rulesets](/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation. + ## Review detected leaks To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following: From 7e8f4473841e3baeddba4189c7c7de70c02a677b Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 8 Oct 2024 12:05:18 +0100 Subject: [PATCH 3/6] Remove incorrect 404 reference --- .../waf/managed-rules/reference/exposed-credentials-check.mdx | 2 +- .../waf/managed-rules/reference/sensitive-data-detection.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 04ece3b413cff26..0d1431fb4ba76d6 100644 
--- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx @@ -81,7 +81,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to } ``` -2. If the entry point ruleset does not exist (the previous command returned a `404 Not Found` status code), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. +2. If the entry point ruleset does not exist, create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index e72c40e50e5d733..0b0420dde74663d 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx +++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
@@ -77,7 +77,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to } ``` -2. If the entry point ruleset does not exist (the previous command returned a `404 Not Found` status code), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. +2. If the entry point ruleset does not exist, create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ From 9af54e1bbd3dde58e298f8ba32a88de44f85e4d5 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 8 Oct 2024 18:22:59 +0100 Subject: [PATCH 4/6] Update API examples to use the same workflow (check entry point, add rule) --- .../reference/exposed-credentials-check.mdx | 88 +++++++++--------- .../reference/sensitive-data-detection.mdx | 90 +++++++++---------- 2 files changed, 87 insertions(+), 91 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 0d1431fb4ba76d6..010cdfeb138df9b 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx 
@@ -52,64 +52,38 @@ To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given z This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to the `http_request_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests. -1. Search for an existing [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_request_firewall_managed` phase using the [List zone rulesets](/api/operations/listZoneRulesets) operation and take note of the ruleset ID. This ruleset, if it exists, has the following properties: `"kind": "zone"` and `"phase": "http_request_firewall_managed"`. +1. Invoke the [Get a zone entry point ruleset](/api/operations/getZoneEntrypointRuleset) operation to obtain the definition of the entry point ruleset for the `http_request_firewall_managed` phase. You will need the [zone ID](/fundamentals/setup/find-account-and-zone-ids/) for this task. ```bash - curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint" \ --header "Authorization: Bearer " ``` - ```json output {5,9,12} + ```json output {4} { - "result": [ - // ... - { - "id": "", - "name": "default", - "description": "", - "source": "firewall_managed", - "kind": "zone", - "version": "5", - "last_updated": "2024-07-22T16:04:19.788697Z", - "phase": "http_request_firewall_managed" - } - // ... - ], + "result": { + "description": "Zone-level phase entry point", + "id": "", + "kind": "zone", + "last_updated": "2024-03-16T15:40:08.202335Z", + "name": "zone", + "phase": "http_request_firewall_managed", + "rules": [ + // ... + ], + "source": "firewall_managed", + "version": "10" + }, "success": true, "errors": [], "messages": [] } ``` -2. 
If the entry point ruleset does not exist, create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. - - ```bash - curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ - --header "Authorization: Bearer " \ - --header "Content-Type: application/json" \ - --data '{ - "name": "My ruleset", - "description": "Entry point ruleset for WAF managed rulesets", - "kind": "zone", - "phase": "http_request_firewall_managed", - "rules": [ - { - "action": "execute", - "action_parameters": { - "id": "c2e184081120413c86c3ab7e14069605" - }, - "expression": "true", - "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset" - } - ] - }' - ``` - - If the entry point ruleset already exists, add a rule to this ruleset (with ID `{ruleset_id}`) using the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation. This rule executes the Cloudflare Exposed Credentials Check Managed Ruleset (with ID ) for all incoming requests in the zone. +2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/) (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. 
```bash - curl --request PUT \ - "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ @@ -129,7 +103,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to "name": "Zone-level phase entry point", "description": "", "kind": "zone", - "version": "3", + "version": "11", "rules": [ // ... any existing rules { @@ -156,6 +130,30 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to } ``` +3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/) (with ID ) for all incoming requests in the zone. + + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "My ruleset", + "description": "Entry point ruleset for WAF managed rulesets", + "kind": "zone", + "phase": "http_request_firewall_managed", + "rules": [ + { + "action": "execute", + "action_parameters": { + "id": "c2e184081120413c86c3ab7e14069605" + }, + "expression": "true", + "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset" + } + ] + }' + ``` + ### Next steps To configure the Exposed Credentials Check Managed Ruleset via API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations: 
diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index 0b0420dde74663d..c55a2e23267f9bd 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx +++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
@@ -48,64 +48,38 @@ To enable Cloudflare Sensitive Data Detection for a given zone using the API, cr This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the `http_response_firewall_managed` phase of a given zone (`{zone_id}`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests. -1. Search for an existing [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase using the [List zone rulesets](/api/operations/listZoneRulesets) operation and take note of the ruleset ID. This ruleset, if it exists, has the following properties: `"kind": "zone"` and `"phase": "http_response_firewall_managed"`. +1. Invoke the [Get a zone entry point ruleset](/api/operations/getZoneEntrypointRuleset) operation to obtain the definition of the entry point ruleset for the `http_response_firewall_managed` phase. You will need the [zone ID](/fundamentals/setup/find-account-and-zone-ids/) for this task. ```bash - curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_response_firewall_managed/entrypoint" \ --header "Authorization: Bearer " ``` - ```json output {5,9,12} + ```json output {4} { - "result": [ - // ... - { - "id": "", - "name": "default", - "description": "", - "source": "firewall_managed", - "kind": "zone", - "version": "5", - "last_updated": "2024-07-22T16:04:19.788697Z", - "phase": "http_response_firewall_managed" - } - // ... - ], + "result": { + "description": "Zone-level phase entry point (response)", + "id": "", + "kind": "zone", + "last_updated": "2024-03-16T15:40:08.202335Z", + "name": "zone", + "phase": "http_response_firewall_managed", + "rules": [ + // ... + ], + "source": "firewall_managed", + "version": "10" + }, "success": true, "errors": [], "messages": [] } ``` -2. 
If the entry point ruleset does not exist, create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) (with ID ) for all incoming requests in the zone. - - ```bash - curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ - --header "Authorization: Bearer " \ - --header "Content-Type: application/json" \ - --data '{ - "name": "My ruleset", - "description": "Entry point ruleset for WAF managed rulesets (response)", - "kind": "zone", - "phase": "http_response_firewall_managed", - "rules": [ - { - "action": "execute", - "action_parameters": { - "id": "e22d83c647c64a3eae91b71b499d988e" - }, - "expression": "true", - "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset" - } - ] - }' - ``` - - If the entry point ruleset already exists, add a rule to this ruleset (with ID `{ruleset_id}`) using the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation. This rule executes the Cloudflare Sensitive Data Detection managed ruleset (with ID ) for all incoming requests in the zone. +2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/) (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. 
```bash - curl --request PUT \ - "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ @@ -122,10 +96,10 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to { "result": { "id": "", - "name": "Zone-level phase entry point", + "name": "Zone-level phase entry point (response)", "description": "", "kind": "zone", - "version": "3", + "version": "11", "rules": [ // ... any existing rules { @@ -152,6 +126,30 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to } ``` +3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/) (with ID ) for all incoming requests in the zone. + + ```bash + curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ + --header "Authorization: Bearer " \ + --header "Content-Type: application/json" \ + --data '{ + "name": "My ruleset", + "description": "Entry point ruleset for WAF managed rulesets (response)", + "kind": "zone", + "phase": "http_response_firewall_managed", + "rules": [ + { + "action": "execute", + "action_parameters": { + "id": "e22d83c647c64a3eae91b71b499d988e" + }, + "expression": "true", + "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset" + } + ] + }' + ``` + ### Next steps To configure Cloudflare Sensitive Data Detection using the API, create [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations: 
From 7819c95fb8bc51d46a62b43d94bb86cdaf2c5f51 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 8 Oct 2024 18:46:54 +0100 Subject: [PATCH 5/6] Add link --- .../waf/managed-rules/reference/exposed-credentials-check.mdx | 2 +- .../waf/managed-rules/reference/sensitive-data-detection.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 010cdfeb138df9b..1b851a315db1289 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx @@ -46,7 +46,7 @@ For details on configuring a managed ruleset in the dashboard, refer to [Configu ## Configure via API -To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the entry point ruleset for the `http_request_firewall_managed` phase. +To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with `execute` action in the [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_request_firewall_managed` phase. ### Example diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index c55a2e23267f9bd..26e2b7c30f8906c 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx +++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
@@ -42,7 +42,7 @@ For details on configuring a managed ruleset in the dashboard, refer to [Configu ## Configure via API -To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the entry point ruleset for the `http_response_firewall_managed` phase. +To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with `execute` action in the [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase. ### Example From d31a9ff9e95299695eaf0cfb7824de8fa390ab38 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:13:58 +0100 Subject: [PATCH 6/6] Remove links to the same page --- .../waf/managed-rules/reference/exposed-credentials-check.mdx | 4 ++-- .../waf/managed-rules/reference/sensitive-data-detection.mdx | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 1b851a315db1289..f52235bf0350b5b 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx 
@@ -80,7 +80,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to } ``` -2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/) (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. +2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Exposed Credentials Check Managed Ruleset (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ 
@@ -130,7 +130,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to } ``` -3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/) (with ID ) for all incoming requests in the zone. +3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the Cloudflare Exposed Credentials Check Managed Ruleset (with ID ) for all incoming requests in the zone. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \ diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index 26e2b7c30f8906c..93c1a22831cba9b 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx +++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx 
@@ -76,7 +76,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to } ``` -2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/) (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. +2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](/api/operations/createZoneRulesetRule) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID ). By default, the rule will be added at the end of the list of rules already in the ruleset. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \ 
@@ -126,7 +126,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to } ``` -3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the [Cloudflare Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/) (with ID ) for all incoming requests in the zone. +3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](/api/operations/createZoneRuleset) operation. Include a single rule in the `rules` array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID ) for all incoming requests in the zone. ```bash curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
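Review bot: In the `@@ -42,7 +42,7 @@` hunk of the Sensitive Data Detection page, the new link targets a fragment (`/ruleset-engine/about/rulesets/#entry-point-ruleset`), and a renamed heading would break it without any build error, so please confirm the anchor resolves in the preview. While touching this sentence, "create a rule with `execute` action" reads better as "create a rule with an `execute` action".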
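Review bot: In the step 2 hunks (`@@ -80,7 +80,7 @@` in exposed-credentials-check.mdx and `@@ -76,7 +76,7 @@` in sensitive-data-detection.mdx), the sentence "By default, the rule will be added at the end of the list of rules already in the ruleset" states the default but not why a reader deploying a security ruleset should care. Rules in the entry point ruleset are evaluated in order, so a reader with existing rules may want the `execute` rule somewhere other than last. Suggest adding a short pointer to the documentation on changing rule order right after that sentence.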
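Review bot: In the step 2 and step 3 hunks of both files, the parenthetical "(with ID )" shows no value in the lines as they appear here, on both the removed and the added side. If the ID comes from an inline component, please check in the preview that it still renders now that the surrounding link markup is gone, since the steps tell readers to deploy the ruleset by that ID. Separately, the two pages disagree on casing: "Cloudflare Exposed Credentials Check Managed Ruleset" versus "Cloudflare Sensitive Data Detection managed ruleset". Pick one form and use it in both files.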