diff --git a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx
index a89c72497b6448..3f63d53d787382 100644
--- a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx
+++ b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx
@@ -4,10 +4,9 @@ type: overview
title: Build developer portals
sidebar:
order: 5
-
---
-import { GlossaryTooltip, Tabs, TabItem, Steps } from "~/components"
+import { GlossaryTooltip, Tabs, TabItem, Steps } from "~/components";
Once your endpoints are saved, API Shield doubles as an API catalog. API Shield can build an interactive documentation portal with the knowledge it has of your APIs, or you can upload a new OpenAPI schema file to build a documentation portal ad-hoc.
@@ -29,23 +28,25 @@ To create a developer portal:
6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content.
7. Select **Deploy site**.
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Settings**
+ 2. Go to **Security** > **Settings**.
3. Filter by **API abuse**.
4. On **Create a developer portal**, select **Create site**.
- 4. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield.
+ 5. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield.
:::note
If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters.
Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas.
:::
- 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages.
- 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content.
- 7. Select **Deploy site**.
+ 6. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages.
+ 7. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content.
+ 8. Select **Deploy site**.
+
diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx
index cd77b3450c2a34..7fdf94732f1e7a 100644
--- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx
+++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx
@@ -109,7 +109,7 @@ Cloudflare will only add authentication labels to endpoints with successful resp
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Filter by **API abuse**.
- 4. Under **Endpoint labels**, select **Manage label**.
+ 4. Under **Endpoint labels**, select **Manage labels**.
5. Name the label and add an optional label description.
6. Apply the label to your selected endpoints.
7. Select **Create label**.
diff --git a/src/content/docs/api-shield/security/jwt-validation/index.mdx b/src/content/docs/api-shield/security/jwt-validation/index.mdx
index 7c92dda2e7fa3d..b0b395a7e5676a 100644
--- a/src/content/docs/api-shield/security/jwt-validation/index.mdx
+++ b/src/content/docs/api-shield/security/jwt-validation/index.mdx
@@ -36,7 +36,7 @@ A JWT validation configuration consists of creating a token validation configura
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Filter by **API abuse**.
- 4. On **Token configurations**, select **Configure tokens**.
+ 4. On **Token configurations**, select **Configure tokens**. If you already have one or more tokens, select **<N> out of <M> configurations used** instead.
5. Add a name for your configuration.
6. Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name.
7. Copy and paste your JWT issuer's public key(s) (JWKS).
@@ -87,7 +87,7 @@ To automatically keep your JWKS up to date when your identity provider refreshes
:::note
-Token configuration rules will automatically apply to new endpoints added to Endpoint Management if those endpoints also match the rule.
+Token configuration rules will automatically apply to new endpoints added to Endpoint Management if those endpoints also match the rule.
:::
## Special cases
diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx
index de211b1fe3d0b0..de7da08702b566 100644
--- a/src/content/docs/api-shield/security/schema-validation/index.mdx
+++ b/src/content/docs/api-shield/security/schema-validation/index.mdx
@@ -28,7 +28,7 @@ If you are uploading a schema via the API or Terraform, you must parse the schem
:::note
-To view the contents in your learned schema, refer to [Export a schema](/api-shield/management-and-monitoring/#export-a-schema) in Endpoint Management.
+To view the contents in your learned schema, refer to [Export a schema](/api-shield/management-and-monitoring/#export-a-schema) in Endpoint Management.
:::
### Add validation by uploading a schema
@@ -48,7 +48,7 @@ To view the contents in your learned schema, refer to [Export a schema](/api-shi
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
+ 2. Go to **Security** > **Web assets** > **Schema validation**.
3. Select **Add validation**.
4. Upload a schema file.
5. Select **Add schema and endpoints**.
@@ -57,7 +57,7 @@ To view the contents in your learned schema, refer to [Export a schema](/api-shi
:::note
-Changes may take a few minutes to process depending on the number of added endpoints.
+Changes may take a few minutes to process depending on the number of added endpoints.
:::
### Add validation by applying a learned schema to a single endpoint
@@ -113,12 +113,12 @@ At this time, learned schemas will not overwrite customer-uploaded schemas. If a
:::note
-If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field.
+If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field.
:::
### Add validation by adding a fallthrough rule
-A fallthrough rule acts as a catch-all for requests that do not match endpoints in [Endpoint Management](/api-shield/management-and-monitoring/).
+A fallthrough rule acts as a catch-all for requests that do not match endpoints in [Endpoint Management](/api-shield/management-and-monitoring/).
By ensuring that all your endpoints in a schema are added to Endpoint Management, the fallthrough action can protect you against legacy or zombie endpoints that your team may be unaware of.
@@ -136,22 +136,25 @@ To set up a fallthrough action:
7. Name your rule and select your action.
8. Select **Save as draft** to deploy later, or **Deploy** to deploy now.
+
+ Your current fallthrough rules can be viewed in the custom rules list.
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Settings**.
- 3. Filter by **API abuse**.
- 4. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template.
+ 2. Go to **Security** > **Security rules**.
+ 3. Select **Templates**.
+ 4. Search for the template named `Mitigate API requests to unidentified endpoints` and select **Preview template**.
5. Give your rule a descriptive name.
6. Choose one or more hostnames from the dropdown menu and select your action.
7. Select **Save as draft** to deploy later, or **Deploy** to deploy now.
+
+ Your current fallthrough rules can be viewed in the security rules list.
-Your current fallthrough rules can be viewed in the custom rules list.
-
:::note
You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom rule for a more customized logic check. This detection will evaluate as `true` when a request does not match an endpoint in Endpoint Management, so it is important to check against your API's hostname or root path to ensure that you are not blocking any non-API traffic on your zone.
:::
@@ -208,13 +211,11 @@ To change the default action:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
- 3. Select **Schema Validation**.
- 4. Under the default `Log` action, select **Change**.
- 5. Choose a new action from the dropdown menu.
- 6. Observe the current action and accept the change by selecting **Change default action** in the popup window.
+ 2. Go to **Security** > **Settings** and filter by **API abuse**.
+ 3. Under **Schema validation** > **Configurations**, select the edit icon next to **Default action**.
+ 4. Choose a new action from the dropdown menu.
+ 5. Select **Save**.
- Alternatively, you can modify the global action via **Security** > **Settings** > **Schema Validation**.
@@ -241,11 +242,10 @@ To change the action on an individual endpoint:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
- 3. Select **Schema Validation** and filter the selected endpoint.
- 4. Select the ellipses on the endpoint's row.
- 5. Select **Change action**.
- 6. Choose a new action from the dropdown menu and select **Set action**.
+ 2. Go to **Security** > **Web assets** > **Schema validation** tab.
+ 3. Search for the endpoint to change.
+ 4. Select the three dots on the endpoint's row > **Change action**.
+ 5. Choose a new action from the dropdown menu and select **Set action**.
@@ -268,10 +268,10 @@ To disable Schema Validation without changing actions:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
+ 2. Go to **Security** > **Web assets** > **Schema validation**.
3. Select **Schema settings**.
4. Filter by **API abuse**.
- 5. Turn **Schema Validation** off.
+ 5. Turn **Schema validation** off.
@@ -293,10 +293,10 @@ Your per-endpoint configurations will be saved when modifying the setting, so th
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
+ 2. Go to **Security** > **Web assets** > **Schema validation** tab.
3. Select **Schema settings**.
4. Filter by **API abuse**.
- 5. View your schemas on **Schema Validation** > **Active schemas**.
+ 5. View your schemas on **Schema validation** > **Active schemas**.
@@ -320,10 +320,10 @@ To delete currently uploaded or learned schemas:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
- 2. Go to **Security** > **Web assets** > **Schema Validation**.
+ 2. Go to **Security** > **Web assets** > **Schema validation** tab.
3. Select **Schema settings**.
4. Filter by **API abuse**.
- 5. View your schemas on **Schema Validation** > **Active schemas**.
+ 5. View your schemas on **Schema validation** > **Active schemas**.
6. Select the ellipses to access the menu and download or delete the listed schema.
@@ -337,11 +337,11 @@ OpenAPI schemas generated by different tooling may not be specific enough to imp
## Limitations
-Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0.
+Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0.
Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items.
-There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team.
+There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team.
For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Shield, refer to [Plans](/api-shield/plans/).
@@ -456,4 +456,4 @@ Media-ranges can also be configured to enforce a `charset` parameter. For this,
## Availability
-Schema Validation is available for all customers. Refer to [Plans](/api-shield/plans/) for more information based on your plan type.
\ No newline at end of file
+Schema Validation is available for all customers. Refer to [Plans](/api-shield/plans/) for more information based on your plan type.
\ No newline at end of file
diff --git a/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx b/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx
index db29491947444e..3cf702d879ea47 100644
--- a/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx
+++ b/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx
@@ -47,7 +47,7 @@ If your website does not have a `robots.txt` file, Cloudflare creates a new file
To implement a `robots.txt` file on your domain:
-
+
-
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Filter by **Bot traffic**.
- 4. Go to **Managed robots.txt**.
- 5. Turn **Managed robots.txt** on.
+ 4. Go to **Manage AI bot traffic with robots.txt**.
+ 5. Turn **Manage AI bot traffic with robots.txt** on.
-
+
## Availability
diff --git a/src/content/docs/bots/get-started/bot-management.mdx b/src/content/docs/bots/get-started/bot-management.mdx
index 90a44f32724ade..96ad45ea4ac8d8 100644
--- a/src/content/docs/bots/get-started/bot-management.mdx
+++ b/src/content/docs/bots/get-started/bot-management.mdx
@@ -23,7 +23,7 @@ This Enterprise product provides the most flexibility to customers by:
Bot Management is automatically enabled for Enterprise zones entitled with the add-on.
-
+
To enable a [Bot Management](https://dash.cloudflare.com/?to=/:account/:zone/security/bots) trial on Enterprise zones without the Bot Management add-on entitled:
@@ -37,9 +37,9 @@ Bot Management is automatically enabled for Enterprise zones entitled with the a
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** > **Settings**.
3. Filter by **Bot traffic**.
-4. Go to **Bot Management**.
-5. Turn **Bot Management** on.
-6. Choose how your domain should respond to various types of traffic by selecting the associated edit icon.
+4. Go to **Bot management**.
+5. Turn **Bot management** on.
+6. Choose how your domain should respond to various types of traffic by selecting the associated edit icon.
- For more details on verified bots, refer to [Verified Bots](/bots/concepts/bot/#verified-bots).
- For more details on supported file types, refer to [Static resource protection](/bots/additional-configurations/static-resources/).
- For more details on invisible code injection, refer to [JavaScript detections](/bots/additional-configurations/javascript-detections/).
diff --git a/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx
index bf9c39ab4d2404..01b18f3d9610d0 100644
--- a/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx
+++ b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx
@@ -24,7 +24,7 @@ To update the Challenge Passage (and the value of the `cf_clearance` cookie):
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
2. Select your account and domain.
3. Go to **Security** > **Settings**.
-4. For **Challenge Passage**, set a duration.
+4. For **Challenge passage**, set a timeout duration.
### Limitations
diff --git a/src/content/docs/page-shield/get-started.mdx b/src/content/docs/page-shield/get-started.mdx
index 2e852df626ebc3..0bdb960dacb510 100644
--- a/src/content/docs/page-shield/get-started.mdx
+++ b/src/content/docs/page-shield/get-started.mdx
@@ -27,7 +27,7 @@ If you do not have access to Page Shield in the Cloudflare dashboard, check if y
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Client side abuse**.
-3. Next to **Continuous script monitoring**, set the toggle to **On**.
+3. Turn on **Continuous script monitoring**.
If you do not have access to resource monitoring in the Cloudflare dashboard, check if your user has one of the [necessary roles](/page-shield/reference/roles-and-permissions/).
diff --git a/src/content/docs/security-center/infrastructure/security-file.mdx b/src/content/docs/security-center/infrastructure/security-file.mdx
index 820c01cb6cbf75..a9bb7444ee988a 100644
--- a/src/content/docs/security-center/infrastructure/security-file.mdx
+++ b/src/content/docs/security-center/infrastructure/security-file.mdx
@@ -12,13 +12,14 @@ To manage your [security.txt](https://en.wikipedia.org/wiki/Security.txt) file v
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain.
-2. Go to **Security** > **Settings** > **Enable Security.txt**.
+2. Go to **Security** > **Settings**.
+3. Next to **Enable Security.txt**, select **Edit Security.txt**.
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain.
-2. Go to **Security** > **Settings** > **All settings** tab.
-3. Next to **Enable Security.txt**, select **Edit**.
+2. Go to **Security** > **Settings** and filter by **Web application exploits**.
+3. Under **Security.txt** > **Configurations**, select the edit icon.
@@ -27,7 +28,6 @@ From here, you can create and manage your `security.txt` file to provide the sec
Fill in the following information:
- **(Required) Contact**: You can enter one of the following to contact you about security issues:
-
- An email address: The email address must start with `mailto:` (for example, `mailto:help@example.com`).
- A phone number: The phone number must start with `tel:` (for example, `tel:+1 1234567890`).
- A URL link: The URL link must start with `https://` (for example, `https://example.com`).
@@ -47,15 +47,22 @@ Once you have entered the necessary information, select **Save**.
To edit your security.txt file:
- Old dashboard: Select **Security** > **Settings** > **Edit Security.txt**.
-- New security dashboard: In the **All settings** tab, select **Edit** next to **Enable Security.txt**.
+- New security dashboard:
+ 1. Go to **Security** > **Settings** and filter by **Web application exploits**.
+ 2. Under **Security.txt** > **Configurations**, select the edit icon.
-To download your security.txt file, select **Security** > **Settings** > **Download Security.txt**.
+To download your security.txt file:
+
+- Old dashboard: Select **Security** > **Settings** > **Download Security.txt**.
+- New security dashboard:
+ 1. Go to **Security** > **Settings** and filter by **Web application exploits**.
+ 2. Under **Security.txt** > **Configurations**, select the download icon.
To delete your security.txt file:
- Old dashboard:
- Select **Security** > **Settings** > **Delete Security.txt**.
- New security dashboard:
- 1. Select **Security** > **Settings** > **All settings** tab.
- 2. Next to **Enable Security.txt**, select **Edit**.
+ 1. Select **Security** > **Settings** and filter by **Web application exploits**.
+ 2. Under **Security.txt** > **Configurations**, select the edit icon.
3. Select **Delete**.
diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx
index 9b938f09a7101c..62d7d970feaaa6 100644
--- a/src/content/docs/security/settings.mdx
+++ b/src/content/docs/security/settings.mdx
@@ -13,14 +13,17 @@ This page describes the settings available in **Security** > **Settings** for a
### Web application exploits module
-In the **Web application exploits** security module you can enable and configure the following managed rulesets and detections:
-
-- [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)
-- [Cloudflare OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/)
-- [Leaked credentials detection](/waf/detections/leaked-credentials/)
-- [Malicious upload detection](/waf/detections/malicious-uploads/)
-- [Sensitive data detection ruleset](/waf/managed-rules/reference/sensitive-data-detection/)
-- [Firewall for AI](/waf/detections/firewall-for-ai/)
+In the **Web application exploits** security module you can manage the following settings:
+
+- Detections:
+ - [Leaked credentials detection](/waf/detections/leaked-credentials/)
+ - [Malicious uploads detection](/waf/detections/malicious-uploads/)
+ - [Sensitive data detection](/waf/managed-rules/reference/sensitive-data-detection/)
+ - [Cloudflare managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)
+ - [OWASP Core](/waf/managed-rules/reference/owasp-core-ruleset/) ruleset
+ - [Firewall for AI](/waf/detections/firewall-for-ai/)
+- [Under Attack mode](/fundamentals/reference/under-attack-mode/) in Security Level
+- Managed [security.txt](/security-center/infrastructure/security-file/)
Refer to each linked page for details.
@@ -30,7 +33,9 @@ The web application exploits module includes features and settings from the [Clo
### DDoS attacks module
-The **DDoS protection** security module shows the multiple DDoS mitigation services provided by Cloudflare. You can create rules to override these mitigation tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.
+The **DDoS protection** security module shows the multiple mitigation services against DDoS attacks provided by Cloudflare.
+
+You can create rules to override DDoS attack protection tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.
To learn more about DDoS protection overrides, refer to the following resources:
@@ -41,15 +46,30 @@ To learn more about DDoS protection overrides, refer to the following resources:
You define overrides for the Network-layer DDoS attack protection managed ruleset at the account level in Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection**.
:::
+Additionally, you can manage the following settings:
+
+- [Block AI Bots](/bots/concepts/bot/#ai-bots)
+- [Bot Management](/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
+- [Browser Integrity Check](/waf/tools/browser-integrity-check/)
+- [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage)
+- [Cloudflare managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)
+- [Firewall for AI](/waf/detections/firewall-for-ai/)
+- [Schema learning](/api-shield/management-and-monitoring/endpoint-management/schema-learning/)
+- [Schema validation](/api-shield/security/schema-validation/) (requires you to upload a schema or apply a learned schema)
+- [Under Attack mode](/fundamentals/reference/under-attack-mode/) (under Security Level)
+- SSL/TLS DDoS attack protection
+
### Bot traffic module
-In the **Bot traffic** security module you can perform the following tasks:
+In the **Bot traffic** security module you can manage the following settings:
-- Enable [Bot fight mode](/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan).
-- Enable [Super Bot fight mode](/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan).
-- Review information about [Bot Management](/bots/get-started/bot-management/) (always enabled if included in your Enterprise subscriptions).
-- Turn on [Block AI Bots](/bots/concepts/bot/#ai-bots).
-- Turn on [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/).
+- [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/)
+- [Block AI Bots](/bots/concepts/bot/#ai-bots)
+- [Bot fight mode](/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan)
+- [Super Bot fight mode](/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan)
+- [Bot Management](/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
+- AI bot traffic management with [robots.txt](/bots/additional-configurations/managed-robots-txt/)
+- API [sequence detection](/api-shield/security/sequence-analytics/) (requires you to configure a session identifier)
:::note
The bot traffic module includes features and settings from [Bots](/bots/) in the previous dashboard navigation structure.
@@ -57,12 +77,12 @@ The bot traffic module includes features and settings from [Bots](/bots/) in the
### API abuse module
-In the **API abuse** security module you can perform the following tasks:
+In the **API abuse** security module you can manage the following settings:
-- Review information about [Endpoint Discovery](/api-shield/security/api-discovery/) (always enabled if included in your Enterprise subscriptions).
-- Enable [Sequence Discovery](/api-shield/security/sequence-analytics/) (requires that you configure a session identifier).
-- Enable [Schema Validation](/api-shield/security/schema-validation/) (requires that you upload a schema or apply a learned schema).
-- Enable [JWT Validation](/api-shield/security/jwt-validation/) (requires that you add a [JWT configuration](/api-shield/security/jwt-validation/api/#token-configurations)).
+- [Developer portal](/api-shield/management-and-monitoring/developer-portal/) creation
+- [Endpoint discovery](/api-shield/security/api-discovery/) (always enabled if included in your Enterprise subscriptions; requires you to configure a [session identifier](/api-shield/management-and-monitoring/session-identifiers/))
+- [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/)
+- [JWT validation](/api-shield/security/jwt-validation/) (requires you to add a [JWT configuration](/api-shield/security/jwt-validation/api/#token-configurations))
:::note
The API abuse module includes features and settings from [API Shield](/api-shield/) in the previous dashboard navigation structure.
@@ -70,12 +90,11 @@ The API abuse module includes features and settings from [API Shield](/api-shiel
### Client-side abuse module
-In the **Client-side abuse** security module you can perform the following tasks:
+In the **Client-side abuse** security module you can manage the following settings:
-- Turn [continuous script monitoring](/page-shield/how-it-works/) on or off (previously you turned [Page Shield](/page-shield/) on or off).
-- Create a [client-side resource alert](/page-shield/alerts/) (also known as a Page Shield alert).
-- Set the [reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on).
-- Adjust the [data logged in client-side abuse reports](/page-shield/reference/settings/#connection-target-details) (only the hostname or the full URI).
+- [Continuous script monitoring](/page-shield/how-it-works/) (previously [Page Shield](/page-shield/)):
+ - [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on)
+ - [Data logged in client-side abuse reports](/page-shield/reference/settings/#connection-target-details) (only the hostname or the full URI)
:::note
The client-side abuse module includes features and settings from [Page Shield](/page-shield/) in the previous dashboard navigation structure.
@@ -83,33 +102,60 @@ The client-side abuse module includes features and settings from [Page Shield](/
## All settings
-This section allows you to configure multiple security-related settings. The following table links to additional information about each setting:
-
-| Setting | Location in previous dashboard navigation |
-| ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/) | **Security** > **Settings** > **Labels** |
-| [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/#rule-form) | **Security** > **API Shield** > **Settings** |
-| [Schemas default action](/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation) | **Security** > **API Shield** > **Schema Validation** |
-| [Uploaded schemas](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** |
-| [Learned schemas](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** |
-| [Token configuration](/api-shield/security/jwt-validation/#add-a-token-validation-configuration) | **Security** > **API Shield** > **Settings** |
-| [Client-side resource alerts](/page-shield/alerts/configure/) | **Security** > **Page Shield** > **Settings**
Account Home > **Notifications** |
-| [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) | **Security** > **Page Shield** > **Settings** |
-| [Data processing](/page-shield/reference/settings/#connection-target-details) | **Security** > **Page Shield** > **Settings** |
-| [IP lists](/waf/tools/lists/custom-lists/#ip-lists) | Account Home > **Manage Account** > **Configurations** |
-| [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** |
-| [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** |
-| [Custom sensitive data deployment](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) | **Security** > **Sensitive Data** |
-| [Block definitely automated traffic](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Block likely bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Managed `robots.txt`](/bots/additional-configurations/managed-robots-txt/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Allow verified bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Static resource protection](/bots/additional-configurations/static-resources/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Optimize for WordPress](/bots/troubleshooting/wordpress-loopback-issue/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [JavaScript detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
-| [Auto-update machine learning model](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** |
-| [Enable Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** |
-| [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/) | **Security** > **Settings** |
-| [Browser Integrity Check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** |
-| [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** |
-| [Security Level](/waf/tools/security-level/) | **Security** > **Settings** |
+The following table links to additional information about each available setting:
+
+| Setting | Location in previous dashboard navigation |
+| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
+| [Block AI Bots](/bots/concepts/bot/#ai-bots) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
+| [Bot Management](/bots/get-started/bot-management/): | **Security** > **Bots** |
+| — [JS detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
+| — [Auto-update machine learning](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** |
+| [Browser integrity check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** |
+| Challenge Passage: [Timeout](/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/) | **Security** > **Settings** |
+| [Client certificates](/ssl/client-certificates/) | **SSL** > **Client Certificates** |
+| [Cloudflare managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | **Security** > **WAF** > **Managed rules** tab |
+| [Continuous script monitoring](/page-shield/how-it-works/): | **Security** > **Page Shield** |
+| — [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) | **Security** > **Page Shield** > **Settings** |
+| — [Data processing](/page-shield/reference/settings/#connection-target-details) | **Security** > **Page Shield** > **Settings** |
+| — [Alerts](/page-shield/alerts/configure/) | **Security** > **Page Shield** > **Settings**
Account Home > **Notifications** |
+| [Create a developer portal](/api-shield/management-and-monitoring/developer-portal/) | **Security** > **API Shield** > **Settings** |
+| [Custom fallthrough rules](/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule) | **Security** > **API Shield** > **Settings** |
+| [Endpoint discovery](/api-shield/security/api-discovery/): | **API Shield** > **Discovery** |
+| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** |
+| [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/) | **Security** > **Settings** > **Labels** |
+| [Firewall for AI](/waf/detections/firewall-for-ai/) | _N/A_ |
+| [HTTP DDoS attack protection](/ddos-protection/managed-rulesets/http/): | **Security** > **DDoS** |
+| — [Configure overrides](/ddos-protection/managed-rulesets/http/http-overrides/configure-dashboard/) | **Security** > **DDoS** |
+| [IP access rules](/waf/tools/ip-access-rules/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab |
+| [IP lists](/waf/tools/lists/custom-lists/#ip-lists) | Account Home > **Manage Account** > **Configurations** |
+| [JWT validation](/api-shield/security/jwt-validation/): | **Security** > **API Shield** > **Settings** |
+| — [JWT validation rules](/api-shield/security/jwt-validation/#add-a-jwt-validation-rule) | **Security** > **API Shield** > **API Rules** |
+| — [Token configurations](/api-shield/security/jwt-validation/#add-a-token-validation-configuration) | **Security** > **API Shield** > **Settings** |
+| [Leaked credentials detection](/waf/detections/leaked-credentials/): | **Security** > **Settings** |
+| — [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** |
+| [Malicious uploads detection](/waf/detections/malicious-uploads/): | **Security** > **Settings** |
+| — [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** |
+| [Manage AI bot traffic with robots.txt](/bots/additional-configurations/managed-robots-txt/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** |
+| [mTLS rules](/api-shield/security/mtls/configure/) | **SSL/TLS** > **Client Certificates** |
+| [Network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/) | Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection** |
+| [OWASP Core](/waf/managed-rules/reference/owasp-core-ruleset/) ruleset | **Security** > **WAF** > **Managed rules** tab |
+| Rate limit authentication requests | **Security** > **WAF** > **Rate limiting rules** tab |
+| [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** |
+| [Schema learning](/api-shield/security/schema-validation/): | **Security** > **API Shield** > **Schema Validation** |
+| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** |
+| [Schema validation](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** |
+| — [Endpoints](/api-shield/management-and-monitoring/endpoint-management/) | **Security** > **API Shield** |
+| — [Active schemas](/api-shield/security/schema-validation/#view-active-schemas) | **Security** > **API Shield** > **Schema Validation** |
+| — [Default action](/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation) | **Security** > **API Shield** > **Schema Validation** |
+| [Security Level: Under Attack mode](/fundamentals/reference/under-attack-mode/) | **Security** > **Settings** |
+| [Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** |
+| [Sensitive data detection](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) ruleset | **Security** > **Sensitive Data** |
+| [Sequence detection](/api-shield/security/sequence-analytics/): | **Security** > **API Shield** > **API Rules** |
+| — [Endpoints](/api-shield/management-and-monitoring/endpoint-management/) | **Security** > **API Shield** |
+| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** |
+| [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** |
+| [SSL/TLS DDoS attack protection](/ddos-protection/managed-rulesets/) | **Security** > **DDoS** |
+| [Token configurations](/api-shield/security/jwt-validation/) | **Security** > **API Shield** > **Settings** |
+| [User agent blocking](/waf/tools/user-agent-blocking/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab |
+| [Zone lockdown](/waf/tools/zone-lockdown/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab |
diff --git a/src/content/docs/security/web-assets.mdx b/src/content/docs/security/web-assets.mdx
index 6af76ea8e2a5ce..de809fe4d9ca21 100644
--- a/src/content/docs/security/web-assets.mdx
+++ b/src/content/docs/security/web-assets.mdx
@@ -43,7 +43,7 @@ Use **Sequences** to discover how users interact with your API, by tracking the
Once you configure [session identifiers](/api-shield/management-and-monitoring/session-identifiers/), the **Sequences** tab will start grouping and highlighting important user journeys (sequences) across your API.
-To configure session identifiers, go to **Security** > **Settings** > **All settings** tab and select **Edit** next to **Session identifiers**.
+To configure session identifiers, go to **Security** > **Settings** and select **Configure session identifiers** next to **Session identifiers**.
For more information on how Cloudflare identifies API sequences and how you can configure API sequence rules, refer to the following resources:
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
index 8deeb82fb25001..c8e08f56636bf9 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
@@ -10,4 +10,5 @@ This example custom rule blocks requests based on country code using the [`ip.sr
## Other resources
+- [Use case: Block traffic by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/)
- [Use case: Block traffic from specific countries](/waf/custom-rules/use-cases/block-traffic-from-specific-countries/)
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx b/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx
new file mode 100644
index 00000000000000..e1212a4e387d53
--- /dev/null
+++ b/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx
@@ -0,0 +1,14 @@
+---
+pcx_content_type: configuration
+title: Block traffic by geographical location
+---
+
+This example custom rule blocks requests by autonomous system number (ASN), continent, or country of origin.
+
+- **Expression**: `(ip.src.asnum eq 131279) or (ip.src.continent eq "AS") or (ip.src.country eq "KP")`
+- **Action**: _Block_
+
+## Other resources
+
+- [Use case: Block traffic from specific countries](/waf/custom-rules/use-cases/block-traffic-from-specific-countries/)
+- [Use case: Allow traffic from specific countries only](/waf/custom-rules/use-cases/allow-traffic-from-specific-countries/)
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
index cf10fde23e9125..a87da4d2ea36b9 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
@@ -5,9 +5,10 @@ title: Block traffic from specific countries
This example custom rule blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field.
-- **Expression**: `(ip.src.country in {"KN" "SY"})`
+- **Expression**: `(ip.src.country in {"KP" "SY"})`
- **Action**: _Block_
## Other resources
+- [Use case: Block traffic by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/)
- [Use case: Allow traffic from specific countries only](/waf/custom-rules/use-cases/allow-traffic-from-specific-countries/)
diff --git a/src/content/docs/waf/detections/firewall-for-ai.mdx b/src/content/docs/waf/detections/firewall-for-ai.mdx
index 67a8e49d7268b7..52e950ea47cffe 100644
--- a/src/content/docs/waf/detections/firewall-for-ai.mdx
+++ b/src/content/docs/waf/detections/firewall-for-ai.mdx
@@ -32,7 +32,7 @@ Firewall for AI is only available in the new [application security dashboard](/s
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Next to **Firewall for AI**, set the toggle to **On**.
+3. Turn on **Firewall for AI**.
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
index 24378dcf6f4c1d..b04d5a579a89be 100644
--- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -117,7 +117,7 @@ To check for leaked credentials in a way that is not covered by the default conf
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Under **Leaked Credential Detection** > **Configurations**, select the edit icon.
+3. Under **Leaked credential detection** > **Configurations**, select the edit icon.
4. Select **Add custom username and password location**.
5. In **Username location** and **Password location** (optional), enter expressions for obtaining the username and the password from the HTTP request. For example, you could use the following expressions:
diff --git a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
index 3a29accd0d000c..628613e39b2ea1 100644
--- a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx
@@ -26,7 +26,7 @@ WAF content scanning is available to customers on an Enterprise plan with a paid
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Next to **Malicious uploads detection**, set the toggle to **On**.
+3. Turn on **Malicious uploads detection**.
diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx
index a64979f443cf94..385f2a3311e944 100644
--- a/src/content/docs/waf/get-started.mdx
+++ b/src/content/docs/waf/get-started.mdx
@@ -37,7 +37,7 @@ The [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Web application exploits**.
-3. Next to **Cloudflare managed ruleset**, set the toggle to **On**.
+3. Turn on **Cloudflare managed ruleset**.
@@ -122,7 +122,7 @@ The Cloudflare OWASP Core Ruleset is prone to false positives and offers only ma
1. Go to your domain > **Security** > **Settings** and filter by **Web application exploits**.
-2. Next to **OWASP Core**, set the toggle to **On**.
+2. Turn on **OWASP Core**.
This will deploy the Cloudflare OWASP Core Ruleset with the default configuration: paranoia level = _PL1_ and score threshold = _Medium - 40 and higher_.
diff --git a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
index 70b2d0eca58f14..2471f45c6da593 100644
--- a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
+++ b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx
@@ -35,7 +35,7 @@ This operation deploys the managed ruleset for the current zone, creating a new
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Next to the managed ruleset you want to deploy, set the toggle to **On**.
+3. Turn on the managed ruleset you want to deploy.
diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
index 06d0fe24e86cc3..b0b1127204effc 100644
--- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
+++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx
@@ -48,7 +48,7 @@ To enable Cloudflare Sensitive Data Detection:
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Next to **Sensitive data detection**, set the toggle to **On**.
+3. Turn on **Sensitive data detection**.
To adjust the scope of the managed ruleset or turn off specific rules:
diff --git a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx
index ade2f71246cca0..049e865719d43d 100644
--- a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx
@@ -14,7 +14,7 @@ The examples below include sample rate limiting rule configurations.
## Example 1
-The following rule performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address.
+The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address.
@@ -30,7 +30,7 @@ Rule characteristics:
## Example 2
-The following rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.
+The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.
@@ -47,7 +47,7 @@ Rule characteristics:
## Example 3
-The following rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and `User-Agent` values.
+The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and `User-Agent` values.
diff --git a/src/content/docs/waf/tools/browser-integrity-check.mdx b/src/content/docs/waf/tools/browser-integrity-check.mdx
index fe0774d7aa71b4..4a96a4f9daea6e 100644
--- a/src/content/docs/waf/tools/browser-integrity-check.mdx
+++ b/src/content/docs/waf/tools/browser-integrity-check.mdx
@@ -21,14 +21,14 @@ To disable BIC globally for your zone:
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
2. Select your account and zone.
3. Go to **Security** > **Settings**.
-4. For **Browser Integrity Check**, switch the toggle to **Off**.
+4. Turn off **Browser Integrity Check**.
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
2. Select your account and zone.
-3. Go to **Security** > **Settings**.
-4. Next to **Browser integrity check**, switch the toggle to **Off**.
+3. Go to **Security** > **Settings** and filter by **DDoS attacks**.
+4. Turn off **Browser integrity check**.
diff --git a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
index b6945849b33bd0..9b92f8cb3ed992 100644
--- a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
+++ b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx
@@ -40,7 +40,7 @@ The feature is available in all Cloudflare plans, and is turned on by default on
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone.
2. Go to **Security** > **Settings**.
-3. For **Replace insecure JavaScript libraries**, set the toggle to **On** or **Off**.
+3. Turn **Replace insecure JavaScript libraries** on or off.
diff --git a/src/content/partials/waf/leaked-credentials-detection-enable.mdx b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
index 9c8e7ac04ea73c..39113d332cb19f 100644
--- a/src/content/partials/waf/leaked-credentials-detection-enable.mdx
+++ b/src/content/partials/waf/leaked-credentials-detection-enable.mdx
@@ -16,7 +16,7 @@ On Free plans, the leaked credentials detection is enabled by default, and no ac
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** > **Settings** and filter by **Detections**.
-3. Next to **Leaked Credential Detection**, set the toggle to **On**.
+3. Turn on **Leaked credential detection**.