cloudflare · pedrosousa · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025
@@ -12,7 +12,7 @@ description: Page Shield tracks resources (such as scripts) loaded by your
 
 import { GlossaryTooltip } from "~/components";
 
-Page Shield helps manage resources loaded by your website visitors, including scripts, their connections, and cookies. It can trigger alert notifications when resources change or are considered malicious.
+Page Shield helps manage resources loaded by your website visitors, including scripts, their connections, and [cookies](https://www.cloudflare.com/learning/privacy/what-are-cookies/). It can trigger alert notifications when resources change or are considered malicious.
 
 Enabling Page Shield adds a <GlossaryTooltip term="content security policy (CSP)" link="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</GlossaryTooltip> deployed with a [report-only directive](/page-shield/reference/csp-header/) to collect information from the browser. This allows Cloudflare to provide you with a list of all scripts running on your application and the connections they make to third-party endpoints. Page Shield also monitors ingress and egress traffic for cookies, either set by origin servers or by the visitor's browser.
 

@@ -3,18 +3,15 @@ title: Phases list
 pcx_content_type: reference
 sidebar:
   order: 1
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 The following tables list the [phases](/ruleset-engine/about/phases/) of Cloudflare products powered by the Ruleset Engine, in the order those phases are executed. Some products such as the Cloudflare Web Application Firewall have more than one associated phase.
 
 ## Network layer
 
-Network-layer phases apply to packets received on the Cloudflare global network.
-
-
+[Network-layer](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) phases apply to packets received on the Cloudflare global network.
 
 | Phase name       | Used in product/feature                                                                          |
 | ---------------- | ------------------------------------------------------------------------------------------------ |
@@ -23,58 +20,51 @@ Network-layer phases apply to packets received on the Cloudflare global network.
 | `mt_managed`     | [Magic Firewall managed rulesets](/magic-firewall/how-to/enable-managed-rulesets/)               |
 | `mt_ids_managed` | [Magic Firewall Intrusion Detection System (IDS)](/magic-firewall/about/ids/)                    |
 
-
-
 ## Application layer
 
-Application-layer phases apply to requests received on the Cloudflare global network.
+[Application-layer](https://www.cloudflare.com/learning/ddos/what-is-layer-7/) phases apply to requests received on the Cloudflare global network.
 
 ### Request phases
 
 The phases execute in the order they appear in the table.
 
-
-
-| Phase name                          | Used in product/feature                                                                                |
-| ----------------------------------- | ------------------------------------------------------------------------------------------------------ |
-| `http_request_sanitize`             | [URL normalization](/rules/normalization/)                                                             |
-| `http_request_dynamic_redirect`     | [Single Redirects](/rules/url-forwarding/single-redirects/)                                            |
-| `http_request_transform`            | [Rewrite URL Rules](/rules/transform/url-rewrite/)                                                     |
-| *N/A* (internal phase)              | [Waiting Room Rules](/waiting-room/additional-options/waiting-room-rules/)                             |
-| `http_config_settings`              | [Configuration Rules](/rules/configuration-rules/)                                                     |
-| `http_request_origin`               | [Origin Rules](/rules/origin-rules/)                                                                   |
-| `ddos_l7`\*                         | [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/)                                 |
-| `http_request_api_gateway`          | [API Gateway](/api-shield/api-gateway/)                                                                |
-| `http_request_firewall_custom`      | [Custom rules (Web Application Firewall)](/waf/custom-rules/)                                          |
-| `http_ratelimit`                    | [Rate limiting rules (WAF)](/waf/rate-limiting-rules/)                                                 |
-| *N/A* (internal phase)              | [API Shield](/api-shield/)                                                                             |
-| `http_request_firewall_managed`     | [WAF Managed Rules](/waf/managed-rules/)                                                               |
-| `http_request_sbfm`                 | [Super Bot Fight Mode](/bots/get-started/pro/)                                                         |
-| *N/A* (internal phase)              | [Cloudflare Access](/cloudflare-one/policies/access/)                                                  |
-| `http_request_redirect`             | [Bulk Redirects](/rules/url-forwarding/bulk-redirects/)                                                |
-| *N/A* (internal phase)              | [Managed Transforms](/rules/transform/managed-transforms/)                                             |
-| `http_request_late_transform`       | [HTTP Request Header Modification Rules](/rules/transform/request-header-modification/)                |
-| `http_request_cache_settings`       | [Cache Rules](/cache/how-to/cache-rules/)                                                              |
-| `http_request_snippets`             | [Snippets](/rules/snippets/)                                                                           |
-| `http_request_cloud_connector`      | [Cloud Connector](/rules/cloud-connector/)                                                             |
-
-
-\* *This phase is for configuration purposes only — the corresponding rules will not be executed at this stage in the request handling process.*
+| Phase name                      | Used in product/feature                                                                 |
+| ------------------------------- | --------------------------------------------------------------------------------------- |
+| `http_request_sanitize`         | [URL normalization](/rules/normalization/)                                              |
+| `http_request_dynamic_redirect` | [Single Redirects](/rules/url-forwarding/single-redirects/)                             |
+| `http_request_transform`        | [Rewrite URL Rules](/rules/transform/url-rewrite/)                                      |
+| _N/A_ (internal phase)          | [Waiting Room Rules](/waiting-room/additional-options/waiting-room-rules/)              |
+| `http_config_settings`          | [Configuration Rules](/rules/configuration-rules/)                                      |
+| `http_request_origin`           | [Origin Rules](/rules/origin-rules/)                                                    |
+| `ddos_l7`\*                     | [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/)                  |
+| `http_request_api_gateway`      | [API Gateway](/api-shield/api-gateway/)                                                 |
+| `http_request_firewall_custom`  | [Custom rules (Web Application Firewall)](/waf/custom-rules/)                           |
+| `http_ratelimit`                | [Rate limiting rules (WAF)](/waf/rate-limiting-rules/)                                  |
+| _N/A_ (internal phase)          | [API Shield](/api-shield/)                                                              |
+| `http_request_firewall_managed` | [WAF Managed Rules](/waf/managed-rules/)                                                |
+| `http_request_sbfm`             | [Super Bot Fight Mode](/bots/get-started/pro/)                                          |
+| _N/A_ (internal phase)          | [Cloudflare Access](/cloudflare-one/policies/access/)                                   |
+| `http_request_redirect`         | [Bulk Redirects](/rules/url-forwarding/bulk-redirects/)                                 |
+| _N/A_ (internal phase)          | [Managed Transforms](/rules/transform/managed-transforms/)                              |
+| `http_request_late_transform`   | [HTTP Request Header Modification Rules](/rules/transform/request-header-modification/) |
+| `http_request_cache_settings`   | [Cache Rules](/cache/how-to/cache-rules/)                                               |
+| `http_request_snippets`         | [Snippets](/rules/snippets/)                                                            |
+| `http_request_cloud_connector`  | [Cloud Connector](/rules/cloud-connector/)                                              |
+
+\* _This phase is for configuration purposes only — the corresponding rules will not be executed at this stage in the request handling process._
 
 <Render file="bfm-change-notice" product="bots" />
 
 ### Response phases
 
 The phases execute in the order they appear in the table.
 
-
-
-| Phase name                        | Used in product/feature                                                                              |
-| --------------------------------- | ---------------------------------------------------------------------------------------------------- |
-| `http_custom_errors`              | [Custom Error Responses](/rules/custom-error-responses/)                                             |
-| *N/A* (internal phase)            | [Managed Transforms](/rules/transform/managed-transforms/)                                           |
-| `http_response_headers_transform` | [HTTP Response Header Modification Rules](/rules/transform/response-header-modification/)            |
-| `http_ratelimit`                  | [Rate limiting rules](/waf/rate-limiting-rules/) (when they use response information)                |
-| `http_response_compression`       | [Compression Rules](/rules/compression-rules/)                                                       |
-| `http_response_firewall_managed`  | [Cloudflare Sensitive Data Detection](/waf/managed-rules/) (Data Loss Prevention)                    |
-| `http_log_custom_fields`          | [Logpush custom fields](/logs/reference/custom-fields/)                                              |
+| Phase name                        | Used in product/feature                                                                   |
+| --------------------------------- | ----------------------------------------------------------------------------------------- |
+| `http_custom_errors`              | [Custom Error Responses](/rules/custom-error-responses/)                                  |
+| _N/A_ (internal phase)            | [Managed Transforms](/rules/transform/managed-transforms/)                                |
+| `http_response_headers_transform` | [HTTP Response Header Modification Rules](/rules/transform/response-header-modification/) |
+| `http_ratelimit`                  | [Rate limiting rules](/waf/rate-limiting-rules/) (when they use response information)     |
+| `http_response_compression`       | [Compression Rules](/rules/compression-rules/)                                            |
+| `http_response_firewall_managed`  | [Cloudflare Sensitive Data Detection](/waf/managed-rules/) (Data Loss Prevention)         |
+| `http_log_custom_fields`          | [Logpush custom fields](/logs/reference/custom-fields/)                                   |
@@ -12,7 +12,7 @@ Security Analytics displays information about all incoming HTTP requests for you
 Use the Security Analytics dashboard to:
 
 - View the traffic distribution for your domain.
-- Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server).
+- Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/)).
 - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters.
 - Learn more about Cloudflare's security scores (<GlossaryTooltip term="attack score" link="/waf/detections/attack-score/">attack score</GlossaryTooltip>, [bot score](/bots/concepts/bot-score/), [malicious uploads](/waf/detections/malicious-uploads/), and [leaked credentials](/waf/detections/leaked-credentials/) results) with real data.
 - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic.

@@ -17,5 +17,5 @@ The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fi
 
 - [Use case: Challenge bad bots](/waf/custom-rules/use-cases/challenge-bad-bots/)
 - [Cloudflare bot solutions](/bots/)
-- [Troubleshooting: Bing’s Site Scan blocked by a WAF managed rule](/waf/troubleshooting/blocked-bing-site-scans/)
+- [Troubleshooting: Bing's Site Scan blocked by a WAF managed rule](/waf/troubleshooting/blocked-bing-site-scans/)
 - [Learning Center: What is a web crawler?](https://www.cloudflare.com/learning/bots/what-is-a-web-crawler/)
@@ -57,7 +57,7 @@ When a request is definitely automated (score of 1) or likely automated (scores
 
 #### Exempt API traffic
 
-Since Bot Management detects automated users, you need to explicitly allow your **good** automated traffic⁠ — this includes your APIs and partner APIs.
+Since Bot Management detects automated users, you need to explicitly allow your **good** automated traffic⁠ — this includes your [APIs](https://www.cloudflare.com/learning/security/api/what-is-an-api/) and partner APIs.
 
 This example offers the same protection as the browser-only rule, but allows automated traffic to your API.
 

@@ -24,13 +24,17 @@ This feature is available to Enterprise customers. Business plans have access to
 
 The Cloudflare WAF provides the following attack score fields:
 
-| Score                  | Data type | Minimum plan required | Attack vector               | Field                                                                                         |
-| ---------------------- | --------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------- |
-| WAF Attack Score       | Number    | Enterprise            | N/A (global score)          | [`cf.waf.score`](/ruleset-engine/rules-language/fields/reference/cf.waf.score/)            |
-| WAF SQLi Attack Score  | Number    | Enterprise            | SQL injection (SQLi)        | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/)   |
-| WAF XSS Attack Score   | Number    | Enterprise            | Cross-site scripting (XSS)  | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/)     |
-| WAF RCE Attack Score   | Number    | Enterprise            | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/)     |
-| WAF Attack Score Class | String    | Business              | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/) |
+| Score                  | Data type | Minimum plan required | Attack vector                    | Field                                                                                       |
+| ---------------------- | --------- | --------------------- | -------------------------------- | ------------------------------------------------------------------------------------------- |
+| WAF Attack Score       | Number    | Enterprise            | N/A (global score)               | [`cf.waf.score`](/ruleset-engine/rules-language/fields/reference/cf.waf.score/)             |
+| WAF SQLi Attack Score  | Number    | Enterprise            | [SQL injection][1] (SQLi)        | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/)   |
+| WAF XSS Attack Score   | Number    | Enterprise            | [Cross-site scripting][2] (XSS)  | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/)     |
+| WAF RCE Attack Score   | Number    | Enterprise            | [Remote code execution][3] (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/)     |
+| WAF Attack Score Class | String    | Business              | N/A (global classification)      | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/) |
+
+[1]: https://www.cloudflare.com/learning/security/threats/sql-injection/
+[2]: https://www.cloudflare.com/learning/security/threats/cross-site-scripting/
+[3]: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
 
 You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/). Attack score fields of data type `Number` vary between `1` and `99` with the following meaning:
 

@@ -76,7 +76,7 @@ For additional examples, refer to [Mitigation examples](/waf/detections/leaked-c
 
 ### Handle detected leaked credentials at the origin server
 
-Additionally, you may want to handle leaked credentials detected by Cloudflare at your origin server.
+Additionally, you may want to handle leaked credentials detected by Cloudflare at your [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
 
 1. Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header).
 

@@ -7,7 +7,7 @@ sidebar:
     label: Leaked credentials
 ---
 
-The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for previously leaked credentials (usernames and passwords) previously leaked from data breaches.
+The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for previously leaked credentials (usernames and passwords) previously leaked from [data breaches](https://www.cloudflare.com/learning/security/what-is-a-data-breach/).
 
 :::note
 If you are currently using [Exposed Credentials Check](/waf/managed-rules/check-for-exposed-credentials/) (a previous implementation) and want to upgrade to leaked credentials detection, refer to our [upgrade guide](/waf/managed-rules/check-for-exposed-credentials/upgrade-to-leaked-credentials-detection/).
@@ -26,7 +26,7 @@ In addition, leaked credentials detection provides a [managed transform](/rules/
 One common approach used in web applications when detecting the use of stolen credentials is to warn end users about the situation and ask them to update their password. You can do this based on the managed header received at your origin server.
 
 :::note
-Cloudflare may detect leaked credentials either because an attacker is performing a credential stuffing attack or because a legitimate end user is reusing a previously leaked password.
+Cloudflare may detect leaked credentials either because an attacker is performing a [credential stuffing](https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/) attack or because a legitimate end user is reusing a previously leaked password.
 :::
 
 ## Availability