From 7ec06ad905fd3b5b95e9ae0920fb67432c64439c Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 6 Jun 2025 15:17:05 +0100 Subject: [PATCH 01/11] Add new custom rules use case (block by geo info) --- .../allow-traffic-from-specific-countries.mdx | 1 + .../use-cases/block-by-geographical-location.mdx | 14 ++++++++++++++ .../block-traffic-from-specific-countries.mdx | 3 ++- 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx index 3a712a5b7e9186e..062781ae65ea003 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx @@ -10,4 +10,5 @@ This example blocks requests based on country code using the [`ip.src.country`]( ## Other resources +- [Use case: Block traffic by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/) - [Use case: Block traffic from specific countries](/waf/custom-rules/use-cases/block-traffic-from-specific-countries/) diff --git a/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx b/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx new file mode 100644 index 000000000000000..e1212a4e387d538 --- /dev/null +++ b/src/content/docs/waf/custom-rules/use-cases/block-by-geographical-location.mdx 
@@ -0,0 +1,14 @@ +--- +pcx_content_type: configuration +title: Block traffic by geographical location +--- + +This example custom rule blocks requests by autonomous system number (ASN), continent, or country of origin. + +- **Expression**: `(ip.src.asnum eq 131279) or (ip.src.continent eq "AS") or (ip.src.country eq "KP")` +- **Action**: _Block_ + +## Other resources + +- [Use case: Block traffic from specific countries](/waf/custom-rules/use-cases/block-traffic-from-specific-countries/) +- [Use case: Allow traffic from specific countries only](/waf/custom-rules/use-cases/allow-traffic-from-specific-countries/) diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx index f0c7fa25d16450a..f205a15b8a8c5e3 100644 --- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx @@ -5,9 +5,10 @@ title: Block traffic from specific countries This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field. -- **Expression**: `(ip.src.country in {"KN" "SY"})` +- **Expression**: `(ip.src.country in {"KP" "SY"})` - **Action**: _Block_ ## Other resources +- [Use case: Block traffic by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/) - [Use case: Allow traffic from specific countries only](/waf/custom-rules/use-cases/allow-traffic-from-specific-countries/) From 43aec0a20f401d89c0d0343631835a808cf83076 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 6 Jun 2025 15:17:27 +0100 Subject: [PATCH 02/11] Update Security settings --- src/content/docs/security/settings.mdx | 148 ++++++++++++++++--------- 1 file changed, 97 insertions(+), 51 deletions(-) 
diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 5184f825f29b742..7517c2974d66ecd 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx 
@@ -13,14 +13,22 @@ This page describes the settings available in **Security** > **Settings** for a ### Web application exploits module -In the **Web application exploits** security module you can enable and configure the following managed rulesets and detections: - -- [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) -- [Cloudflare OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/) -- [Leaked credentials detection](/waf/detections/leaked-credentials/) -- [Malicious upload detection](/waf/detections/malicious-uploads/) -- [Sensitive data detection ruleset](/waf/managed-rules/reference/sensitive-data-detection/) -- [Firewall for AI](/waf/detections/firewall-for-ai/) +In the **Web application exploits** security module you can perform the following actions: + +- Create custom rules that [block requests by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/) +- Manage [Browser Integrity Check](/waf/tools/browser-integrity-check/) (BIC) +- Configure [challenge passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage) +- Turn on the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) +- Turn on [Firewall for AI](/waf/detections/firewall-for-ai/) +- Create [IP access rules](/waf/tools/ip-access-rules/) (or custom rules performing the same task) +- Turn on and configure [leaked credentials detection](/waf/detections/leaked-credentials/) +- Turn on and configure [malicious uploads detection](/waf/detections/malicious-uploads/) +- Turn on the [OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/) +- Create rules that [rate limit authentication requests](/waf/rate-limiting-rules/use-cases/#example-1) +- Turn on [Under Attack mode](/fundamentals/reference/under-attack-mode/) in Security Level +- Turn on the [Sensitive Data Detection ruleset](/waf/managed-rules/reference/sensitive-data-detection/) +- Create [user 
agent blocking rules](/waf/tools/user-agent-blocking/) (or custom rules performing the same task) +- Create [zone lockdown rules](/waf/tools/zone-lockdown/) (or custom rules performing the same task) Refer to each linked page for details. @@ -34,8 +42,8 @@ The **DDoS protection** security module shows the multiple DDoS mitigation servi To learn more about DDoS protection overrides, refer to the following resources: -- [HTTP DDoS attack protection overrides](/ddos-protection/managed-rulesets/http/override-expressions/) -- [Network-layer DDoS attack protection overrides](/ddos-protection/managed-rulesets/network/override-expressions/) +- Configure [HTTP DDoS attack protection](/ddos-protection/managed-rulesets/http/) overrides +- Enable [Under Attack mode](/fundamentals/reference/under-attack-mode/) in Security Level :::note You define overrides for the Network-layer DDoS attack protection managed ruleset at the account level in Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection**. 
@@ -45,11 +53,12 @@ You define overrides for the Network-layer DDoS attack protection managed rulese In the **Bot traffic** security module you can perform the following tasks: -- Enable [Bot fight mode](/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan). -- Enable [Super Bot fight mode](/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan). -- Review information about [Bot Management](/bots/get-started/bot-management/) (always enabled if included in your Enterprise subscriptions). -- Turn on [Block AI Bots](/bots/concepts/bot/#ai-bots). -- Turn on [AI Labyrinth](/bots/get-started/bot-fight-mode/#enable-ai-labyrinth). +- Turn on [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/) +- Turn on [Block AI Bots](/bots/concepts/bot/#ai-bots) +- Turn on [Bot fight mode](/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan) +- Turn on [Super Bot fight mode](/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan) +- Configure [Bot Management](/bots/get-started/bot-management/) (depending on your Enterprise subscriptions) +- Turn on managed [robots.txt](/bots/additional-configurations/managed-robots-txt/) :::note The bot traffic module includes features and settings from [Bots](/bots/) in the previous dashboard navigation structure. 
@@ -59,10 +68,18 @@ The bot traffic module includes features and settings from [Bots](/bots/) in the In the **API abuse** security module you can perform the following tasks: -- Review information about [Endpoint Discovery](/api-shield/security/api-discovery/) (always enabled if included in your Enterprise subscriptions). -- Enable [Sequence Discovery](/api-shield/security/sequence-analytics/) (requires that you configure a session identifier). -- Enable [Schema Validation](/api-shield/security/schema-validation/) (requires that you upload a schema or apply a learned schema). -- Enable [JWT Validation](/api-shield/security/jwt-validation/) (requires that you add a [JWT configuration](/api-shield/security/jwt-validation/configure/#token-configurations)). +- Review information and stats about [API Sequence detection](/api-shield/security/sequence-analytics/) (requires that you configure a session identifier) +- Manage client certificates for [mTLS authentication](/api-shield/security/mtls/configure/) +- Create a [developer portal](/api-shield/management-and-monitoring/developer-portal/) +- Create [custom fallthrough rules](/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule) for endpoints outside your Endpoint Management list +- Turn on and configure [endpoint discovery](/api-shield/security/api-discovery/) (depending on your Enterprise subscriptions) +- Turn on and configure [JWT validation](/api-shield/security/jwt-validation/) (requires that you add a [JWT configuration](/api-shield/security/jwt-validation/configure/#token-configurations)) +- Manage endpoint [labels](/api-shield/management-and-monitoring/endpoint-labels/) +- Turn on and configure [schema discovery](/api-shield/management-and-monitoring/endpoint-management/schema-learning/) +- Turn on and configure [schema validation](/api-shield/security/schema-validation/) (requires that you upload a schema or apply a learned schema) +- Configure [session 
identifiers](/api-shield/management-and-monitoring/session-identifiers/) +- Define [token configurations](/api-shield/security/jwt-validation/configure/) for JWT validation rules +- Review information and stats about [volumetric abuse detection](/api-shield/security/volumetric-abuse-detection/) (requires that you configure a session identifier) :::note The API abuse module includes features and settings from [API Shield](/api-shield/) in the previous dashboard navigation structure. @@ -72,10 +89,10 @@ The API abuse module includes features and settings from [API Shield](/api-shiel In the **Client-side abuse** security module you can perform the following tasks: -- Turn [continuous script monitoring](/page-shield/how-it-works/) on or off (previously you turned [Page Shield](/page-shield/) on or off). -- Create a [client-side resource alert](/page-shield/alerts/) (also known as a Page Shield alert). -- Set the [reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on). -- Adjust the [data logged in client-side abuse reports](/page-shield/reference/settings/#connection-target-details) (only the hostname or the full URI). +- Turn on and configure [continuous script monitoring](/page-shield/how-it-works/) (previously you turned on [Page Shield](/page-shield/)) +- Set the [reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on) +- Adjust the [data logged in client-side abuse reports](/page-shield/reference/settings/#connection-target-details) (only the hostname or the full URI) +- Create [client-side resource alerts](/page-shield/alerts/) (also known as a Page Shield alerts) :::note The client-side abuse module includes features and settings from [Page Shield](/page-shield/) in the previous dashboard navigation structure. 
@@ -85,31 +102,60 @@ The client-side abuse module includes features and settings from [Page Shield](/ This section allows you to configure multiple security-related settings. The following table links to additional information about each setting: -| Setting | Location in previous dashboard navigation | -| ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/) | **Security** > **Settings** > **Labels** | -| [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/#rule-form) | **Security** > **API Shield** > **Settings** | -| [Schemas default action](/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation) | **Security** > **API Shield** > **Schema Validation** | -| [Uploaded schemas](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** | -| [Learned schemas](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** | -| [Token configuration](/api-shield/security/jwt-validation/#add-a-token-validation-configuration) | **Security** > **API Shield** > **Settings** | -| [Client-side resource alerts](/page-shield/alerts/configure/) | **Security** > **Page Shield** > **Settings**
Account Home > **Notifications** | -| [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) | **Security** > **Page Shield** > **Settings** | -| [Data processing](/page-shield/reference/settings/#connection-target-details) | **Security** > **Page Shield** > **Settings** | -| [IP lists](/waf/tools/lists/custom-lists/#ip-lists) | Account Home > **Manage Account** > **Configurations** | -| [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** | -| [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** | -| [Custom sensitive data deployment](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) | **Security** > **Sensitive Data** | -| [Block definitely automated traffic](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Block likely bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Managed `robots.txt`](/bots/additional-configurations/managed-robots-txt/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Allow verified bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Static resource protection](/bots/additional-configurations/static-resources/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Optimize for WordPress](/bots/troubleshooting/wordpress-loopback-issue/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [JavaScript detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Auto-update machine learning model](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** | -| [Enable Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** | -| [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage) | **Security** > **Settings** | -| [Browser Integrity Check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** | -| [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** | -| [Security Level](/waf/tools/security-level/) | **Security** > **Settings** | +| Setting | Location in previous dashboard navigation | +| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [API Sequence detection](/api-shield/security/sequence-analytics/) | **Security** > **API Shield** > **API Rules** | +| [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| [Block AI Bots](/bots/concepts/bot/#ai-bots) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| Block requests by geographical location | **Security** > **WAF** > **Custom rules** tab | +| [Bot Management](/bots/get-started/bot-management/): | | +| — Bot traffic custom rules | **Security** > **WAF** > **Custom rules** tab | +| — [JS detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| — [Auto-update machine learning](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** | +| [Browser integrity check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** | +| Challenge Passage: [Timeout](/cloudflare-challenges/challenge-types/challenge-pages/#customize-the-challenge-passage) | **Security** > **Settings** | +| [Client certificates](/ssl/client-certificates/) | **SSL** > **Client Certificates** | +| [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | **Security** > **WAF** > **Managed rules** tab | +| [Continuous script monitoring](/page-shield/how-it-works/): | **Security** > **Page Shield** | +| — [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) | **Security** > **Page Shield** > **Settings** | +| — [Data processing](/page-shield/reference/settings/#connection-target-details) | **Security** > **Page Shield** > **Settings** | +| — [Alerts](/page-shield/alerts/configure/) | **Security** > **Page Shield** > **Settings**
Account Home > **Notifications** | +| [Create a developer portal](/api-shield/management-and-monitoring/developer-portal/) | **Security** > **API Shield** > **Settings** | +| [Custom fallthrough rules](/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule) | **Security** > **API Shield** > **Settings** | +| [Endpoint discovery](/api-shield/security/api-discovery/): | **API Shield** > **Discovery** | +| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | +| [Firewall for AI](/waf/detections/firewall-for-ai/) | N/A | +| [HTTP DDoS attack protection](/ddos-protection/managed-rulesets/http/): | **Security** > **DDoS** | +| — [Configure overrides](/ddos-protection/managed-rulesets/http/configure-dashboard/) | **Security** > **DDoS** | +| [IP access rules](/waf/tools/ip-access-rules/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | +| [IP lists](/waf/tools/lists/custom-lists/#ip-lists) | Account Home > **Manage Account** > **Configurations** | +| [JWT validation](/api-shield/security/jwt-validation/): | **Security** > **API Shield** > **Settings** | +| — [JWT validation rules](/api-shield/security/jwt-validation/#add-a-jwt-validation-rule) | **Security** > **API Shield** > **API Rules** | +| — [Token configurations](/api-shield/security/jwt-validation/#add-a-token-validation-configuration) | **Security** > **API Shield** > **Settings** | +| [Labels](/api-shield/management-and-monitoring/endpoint-labels/) | **Security** > **Settings** > **Labels** | +| [Leaked credentials detection](/waf/detections/leaked-credentials/): | **Security** > **Settings** | +| — [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** | +| [Malicious upload detection](/waf/detections/malicious-uploads/): | **Security** > **Settings** | +| — [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** | +| [mTLS rules](/api-shield/security/mtls/configure/) | **SSL/TLS** > **Client Certificates** | +| [Network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/) | Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection** | +| [OWASP Core Ruleset](/waf/managed-rules/reference/owasp-core-ruleset/) | **Security** > **WAF** > **Managed rules** tab | +| Rate limit authentication requests | **Security** > **WAF** > **Rate limiting rules** tab | +| [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** | +| [Robots.txt](/bots/additional-configurations/managed-robots-txt/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| [Schema learning](/api-shield/security/schema-validation/): | **Security** > **API Shield** > **Schema Validation** | +| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | +| [Schema validation](/api-shield/security/schema-validation/) | **Security** > **API Shield** > **Schema Validation** | +| — [Active schemas](/api-shield/security/schema-validation/#view-active-schemas) | **Security** > **API Shield** > **Schema Validation** | +| — [Default action](/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation) | **Security** > **API Shield** > **Schema Validation** | +| [Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** | +| [Security Level](/waf/tools/security-level/): | **Security** > **Settings** | +| [— Under Attack mode](/fundamentals/reference/under-attack-mode/) | **Security** > **Settings** | +| [Sensitive data detection ruleset](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) | **Security** > **Sensitive Data** | +| [SSL/TLS DDoS attack protection](/ddos-protection/managed-rulesets/) | **Security** > **DDoS** | +| [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | +| [Token configurations](/api-shield/security/jwt-validation/configure/) | **Security** > **API Shield** > **Settings** | +| [User agent blocking](/waf/tools/user-agent-blocking/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | +| [Volumetric abuse detection for endpoints](/api-shield/security/volumetric-abuse-detection/): | **Security** > **API Shield** > **Endpoint Management** | +| — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | +| [Zone lockdown](/waf/tools/zone-lockdown/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | From 32b578059cdb314e29b183e2587ea5eb904f5719 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 6 Jun 2025 16:43:11 +0100 Subject: [PATCH 03/11] Rate limiting rules: Add links --- src/content/docs/waf/rate-limiting-rules/use-cases.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx index ade2f71246cca01..049e865719d43df 100644 --- a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx +++ b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx @@ -14,7 +14,7 @@ The examples below include sample rate limiting rule configurations. ## Example 1 -The following rule performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address. +The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address. @@ -30,7 +30,7 @@ Rule characteristics: ## Example 2 -The following rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key. +The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key. 
@@ -47,7 +47,7 @@ Rule characteristics: ## Example 3 -The following rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and `User-Agent` values. +The following [rate limiting rule](/waf/rate-limiting-rules/create-zone-dashboard/) performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and `User-Agent` values. From a4a8c5ac2b7bac8613206b0224972eac25f156c6 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 6 Jun 2025 17:34:04 +0100 Subject: [PATCH 04/11] Add location in old dash --- src/content/docs/security/settings.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 7517c2974d66ecd..4888c2db4f385a1 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -108,7 +108,7 @@ This section allows you to configure multiple security-related settings. The fol | [AI Labyrinth](/bots/additional-configurations/ai-labyrinth/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Block AI Bots](/bots/concepts/bot/#ai-bots) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | Block requests by geographical location | **Security** > **WAF** > **Custom rules** tab | -| [Bot Management](/bots/get-started/bot-management/): | | +| [Bot Management](/bots/get-started/bot-management/): | **Security** > **Bots** | | — Bot traffic custom rules | **Security** > **WAF** > **Custom rules** tab | | — [JS detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | — [Auto-update machine learning](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** | @@ -124,7 +124,7 @@ This section allows you to configure multiple security-related settings. The fol | [Custom fallthrough rules](/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule) | **Security** > **API Shield** > **Settings** | | [Endpoint discovery](/api-shield/security/api-discovery/): | **API Shield** > **Discovery** | | — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | -| [Firewall for AI](/waf/detections/firewall-for-ai/) | N/A | +| [Firewall for AI](/waf/detections/firewall-for-ai/) | _N/A_ | | [HTTP DDoS attack protection](/ddos-protection/managed-rulesets/http/): | **Security** > **DDoS** | | — [Configure overrides](/ddos-protection/managed-rulesets/http/configure-dashboard/) | **Security** > **DDoS** | | [IP access rules](/waf/tools/ip-access-rules/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | From b3f6e7a9191db5ec3cc48c823b520839778c0495 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 11 Jul 2025 14:54:34 +0100 Subject: [PATCH 05/11] Update security.txt instructions --- .../infrastructure/security-file.mdx | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/src/content/docs/security-center/infrastructure/security-file.mdx b/src/content/docs/security-center/infrastructure/security-file.mdx index 820c01cb6cbf75a..a9bb7444ee988ac 100644 --- a/src/content/docs/security-center/infrastructure/security-file.mdx +++ b/src/content/docs/security-center/infrastructure/security-file.mdx @@ -12,13 +12,14 @@ To manage your [security.txt](https://en.wikipedia.org/wiki/Security.txt) file v 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain. -2. Go to **Security** > **Settings** > **Enable Security.txt**. +2. Go to **Security** > **Settings**. +3. Next to **Enable Security.txt**, select **Edit Security.txt**. 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), select your account and domain. -2. Go to **Security** > **Settings** > **All settings** tab. -3. Next to **Enable Security.txt**, select **Edit**. +2. Go to **Security** > **Settings** and filter by **Web application exploits**. +3. Under **Security.txt** > **Configurations**, select the edit icon. 
@@ -27,7 +28,6 @@ From here, you can create and manage your `security.txt` file to provide the sec Fill in the following information: - **(Required) Contact**: You can enter one of the following to contact you about security issues: - - An email address: The email address must start with `mailto:` (for example, `mailto:help@example.com`). - A phone number: The phone number must start with `tel:` (for example, `tel:+1 1234567890`). - A URL link: The URL link must start with `https://` (for example, `https://example.com`). @@ -47,15 +47,22 @@ Once you have entered the necessary information, select **Save**. To edit your security.txt file: - Old dashboard: Select **Security** > **Settings** > **Edit Security.txt**. -- New security dashboard: In the **All settings** tab, select **Edit** next to **Enable Security.txt**. +- New security dashboard: + 1. Go to **Security** > **Settings** and filter by **Web application exploits**. + 2. Under **Security.txt** > **Configurations**, select the edit icon. -To download your security.txt file, select **Security** > **Settings** > **Download Security.txt**. +To download your security.txt file: + +- Old dashboard: Select **Security** > **Settings** > **Download Security.txt**. +- New security dashboard: + 1. Go to **Security** > **Settings** and filter by **Web application exploits**. + 2. Under **Security.txt** > **Configurations**, select the download icon. To delete your security.txt file: - Old dashboard: - Select **Security** > **Settings** > **Delete Security.txt**. - New security dashboard: - 1. Select **Security** > **Settings** > **All settings** tab. - 2. Next to **Enable Security.txt**, select **Edit**. + 1. Select **Security** > **Settings** and filter by **Web application exploits**. + 2. Under **Security.txt** > **Configurations**, select the edit icon. 3. Select **Delete**. From 418ba5f2c0e92b59e5d846eb1c78c9892e141b67 Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 11 Jul 2025 14:55:05 +0100 Subject: [PATCH 06/11] Update Web application exploits module --- src/content/docs/security/settings.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 925e6731d200abc..9bb8644e6b2d3e5 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -13,17 +13,17 @@ This page describes the settings available in **Security** > **Settings** for a ### Web application exploits module -In the **Web application exploits** security module you can perform the following actions: +In the **Web application exploits** security module you can manage the following settings: -- Manage detections: +- Detections: - [Leaked credentials detection](/waf/detections/leaked-credentials/) - [Malicious uploads detection](/waf/detections/malicious-uploads/) - [Sensitive data detection](/waf/managed-rules/reference/sensitive-data-detection/) - [Cloudflare managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) - [OWASP Core](/waf/managed-rules/reference/owasp-core-ruleset/) ruleset - [Firewall for AI](/waf/detections/firewall-for-ai/) -- Turn on [Under Attack mode](/fundamentals/reference/under-attack-mode/) in Security Level -- Create and manage your [security.txt](/security-center/infrastructure/security-file/) file +- [Under Attack mode](/fundamentals/reference/under-attack-mode/) in Security Level +- Managed [security.txt](/security-center/infrastructure/security-file/) Refer to each linked page for details. From 7771411d5ca52a99aa981f930999f61bdf8c232f Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 11 Jul 2025 14:58:25 +0100 Subject: [PATCH 07/11] Fix broken link --- src/content/docs/security/settings.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 9bb8644e6b2d3e5..dff0e15ffadea1d 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -156,6 +156,6 @@ The following table links to additional information about each available setting | — [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | | [Session identifiers](/api-shield/management-and-monitoring/session-identifiers/) | **Security** > **API Shield** > **Settings** | | [SSL/TLS DDoS attack protection](/ddos-protection/managed-rulesets/) | **Security** > **DDoS** | -| [Token configurations](/api-shield/security/jwt-validation/configure/) | **Security** > **API Shield** > **Settings** | +| [Token configurations](/api-shield/security/jwt-validation/) | **Security** > **API Shield** > **Settings** | | [User agent blocking](/waf/tools/user-agent-blocking/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | | [Zone lockdown](/waf/tools/zone-lockdown/) | **Security** > **WAF** > **Tools** tab
**Security** > **WAF** > **Custom rules** tab | From d17ac10843db8c7fed604a16e5dd8064b5b771c2 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 11 Jul 2025 17:02:28 +0100 Subject: [PATCH 08/11] Update settings in other tiles --- .../developer-portal.mdx | 15 +++++---- .../endpoint-labels.mdx | 2 +- .../security/jwt-validation/index.mdx | 4 +-- .../security/schema-validation/index.mdx | 33 +++++++++---------- .../managed-robots-txt.mdx | 10 +++--- .../docs/bots/get-started/bot-management.mdx | 8 ++--- .../challenge-pages/challenge-passage.mdx | 2 +- src/content/docs/page-shield/get-started.mdx | 2 +- src/content/docs/security/web-assets.mdx | 2 +- .../docs/waf/detections/firewall-for-ai.mdx | 2 +- .../leaked-credentials/get-started.mdx | 2 +- .../malicious-uploads/get-started.mdx | 2 +- src/content/docs/waf/get-started.mdx | 4 +-- .../managed-rules/deploy-zone-dashboard.mdx | 2 +- .../reference/sensitive-data-detection.mdx | 2 +- .../waf/tools/browser-integrity-check.mdx | 6 ++-- .../tools/replace-insecure-js-libraries.mdx | 2 +- .../leaked-credentials-detection-enable.mdx | 2 +- 18 files changed, 50 insertions(+), 52 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx index a89c72497b64489..3f63d53d7873822 100644 --- a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx 
@@ -4,10 +4,9 @@ type: overview title: Build developer portals sidebar: order: 5 - --- -import { GlossaryTooltip, Tabs, TabItem, Steps } from "~/components" +import { GlossaryTooltip, Tabs, TabItem, Steps } from "~/components"; Once your endpoints are saved, API Shield doubles as an API catalog. API Shield can build an interactive documentation portal with the knowledge it has of your APIs, or you can upload a new OpenAPI schema file to build a documentation portal ad-hoc. 
@@ -29,23 +28,25 @@ To create a developer portal: 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. 7. Select **Deploy site**. + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Settings** + 2. Go to **Security** > **Settings**. 3. Filter by **API abuse**. 4. On **Create a developer portal**, select **Create site**. - 4. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield. + 5. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield. :::note If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas. ::: - 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. - 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. - 7. Select **Deploy site**. + 6. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. + 7. Select **Create pages project** to begin project creation. 
A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. + 8. Select **Deploy site**. + diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index cd77b3450c2a345..7fdf94732f1e7a8 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -109,7 +109,7 @@ Cloudflare will only add authentication labels to endpoints with successful resp 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. 3. Filter by **API abuse**. - 4. Under **Endpoint labels**, select **Manage label**. + 4. Under **Endpoint labels**, select **Manage labels**. 5. Name the label and add an optional label description. 6. Apply the label to your selected endpoints. 7. Select **Create label**. diff --git a/src/content/docs/api-shield/security/jwt-validation/index.mdx b/src/content/docs/api-shield/security/jwt-validation/index.mdx index 7c92dda2e7fa3d7..b0b395a7e5676a2 100644 --- a/src/content/docs/api-shield/security/jwt-validation/index.mdx +++ b/src/content/docs/api-shield/security/jwt-validation/index.mdx 
@@ -36,7 +36,7 @@ A JWT validation configuration consists of creating a token validation configura 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. 3. Filter by **API abuse**. - 4. On **Token configurations**, select **Configure tokens**. + 4. On **Token configurations**, select **Configure tokens**. If you already have one or more tokens, select **<N> out of <M> configurations used** instead. 5. Add a name for your configuration. 6. Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name. 7. Copy and paste your JWT issuer's public key(s) (JWKS). @@ -87,7 +87,7 @@ To automatically keep your JWKS up to date when your identity provider refreshes :::note -Token configuration rules will automatically apply to new endpoints added to Endpoint Management if those endpoints also match the rule. +Token configuration rules will automatically apply to new endpoints added to Endpoint Management if those endpoints also match the rule. ::: ## Special cases diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index de211b1fe3d0b06..effdeb75efb03d7 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx 
@@ -142,7 +142,7 @@ To set up a fallthrough action: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. 3. Filter by **API abuse**. - 4. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. + 4. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. If you have already created fallthrough rules, select **<N> fallthrough rules** instead. 5. Give your rule a descriptive name. 6. Choose one or more hostnames from the dropdown menu and select your action. 7. Select **Save as draft** to deploy later, or **Deploy** to deploy now. @@ -208,13 +208,11 @@ To change the default action: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. - 3. Select **Schema Validation**. - 4. Under the default `Log` action, select **Change**. - 5. Choose a new action from the dropdown menu. - 6. Observe the current action and accept the change by selecting **Change default action** in the popup window. + 2. Go to **Security** > **Settings** and filter by **API abuse**. + 3. Under **Schema validation** > **Configurations**, select the edit icon next to **Default action**. + 4. Choose a new action from the dropdown menu. + 5. Select **Save**. - Alternatively, you can modify the global action via **Security** > **Settings** > **Schema Validation**. 
@@ -241,11 +239,10 @@ To change the action on an individual endpoint: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. - 3. Select **Schema Validation** and filter the selected endpoint. - 4. Select the ellipses on the endpoint's row. - 5. Select **Change action**. - 6. Choose a new action from the dropdown menu and select **Set action**. + 2. Go to **Security** > **Web assets** > **Schema validation** tab. + 3. Search for the endpoint to change. + 4. Select the three dots on the endpoint's row > **Change action**. + 5. Choose a new action from the drop-down menu and select **Set action**. @@ -268,10 +265,10 @@ To disable Schema Validation without changing actions: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. + 2. Go to **Security** > **Web assets** > **Schema validation**. 3. Select **Schema settings**. 4. Filter by **API abuse**. - 5. Turn **Schema Validation** off. + 5. Turn **Schema validation** off. @@ -293,10 +290,10 @@ Your per-endpoint configurations will be saved when modifying the setting, so th 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. + 2. Go to **Security** > **Web assets** > **Schema validation** tab. 3. Select **Schema settings**. 4. Filter by **API abuse**. - 5. View your schemas on **Schema Validation** > **Active schemas**. + 5. View your schemas on **Schema validation** > **Active schemas**. 
@@ -320,10 +317,10 @@ To delete currently uploaded or learned schemas: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. + 2. Go to **Security** > **Web assets** > **Schema validation** tab. 3. Select **Schema settings**. 4. Filter by **API abuse**. - 5. View your schemas on **Schema Validation** > **Active schemas**. + 5. View your schemas on **Schema validation** > **Active schemas**. 6. Select the ellipses to access the menu and download or delete the listed schema. diff --git a/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx b/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx index db29491947444e3..3cf702d879ea473 100644 --- a/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx +++ b/src/content/docs/bots/additional-configurations/managed-robots-txt.mdx @@ -47,7 +47,7 @@ If your website does not have a `robots.txt` file, Cloudflare creates a new file To implement a `robots.txt` file on your domain: - + - + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. 3. Filter by **Bot traffic**. - 4. Go to **Managed robots.txt**. - 5. Turn **Managed robots.txt** on. + 4. Go to **Manage AI bot traffic with robots.txt**. + 5. Turn **Manage AI bot traffic with robots.txt** on. - + ## Availability diff --git a/src/content/docs/bots/get-started/bot-management.mdx b/src/content/docs/bots/get-started/bot-management.mdx index 90a44f32724ade9..96ad45ea4ac8d84 100644 --- a/src/content/docs/bots/get-started/bot-management.mdx +++ b/src/content/docs/bots/get-started/bot-management.mdx 
@@ -23,7 +23,7 @@ This Enterprise product provides the most flexibility to customers by: Bot Management is automatically enabled for Enterprise zones entitled with the add-on. - + To enable a [Bot Management](https://dash.cloudflare.com/?to=/:account/:zone/security/bots) trial on Enterprise zones without the Bot Management add-on entitled: @@ -37,9 +37,9 @@ Bot Management is automatically enabled for Enterprise zones entitled with the a 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. 3. Filter by **Bot traffic**. -4. Go to **Bot Management**. -5. Turn **Bot Management** on. -6. Choose how your domain should respond to various types of traffic by selecting the associated edit icon. +4. Go to **Bot management**. +5. Turn **Bot management** on. +6. Choose how your domain should respond to various types of traffic by selecting the associated edit icon. - For more details on verified bots, refer to [Verified Bots](/bots/concepts/bot/#verified-bots). - For more details on supported file types, refer to [Static resource protection](/bots/additional-configurations/static-resources/). - For more details on invisible code injection, refer to [JavaScript detections](/bots/additional-configurations/javascript-detections/). diff --git a/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx index bf9c39ab4d24040..01b18f3d9610d0e 100644 --- a/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx +++ b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx 
@@ -24,7 +24,7 @@ To update the Challenge Passage (and the value of the `cf_clearance` cookie): 1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Select your account and domain. 3. Go to **Security** > **Settings**. -4. For **Challenge Passage**, set a duration. +4. For **Challenge passage**, set a timeout duration. ### Limitations diff --git a/src/content/docs/page-shield/get-started.mdx b/src/content/docs/page-shield/get-started.mdx index 2e852df626ebc33..0bdb960dacb5109 100644 --- a/src/content/docs/page-shield/get-started.mdx +++ b/src/content/docs/page-shield/get-started.mdx @@ -27,7 +27,7 @@ If you do not have access to Page Shield in the Cloudflare dashboard, check if y 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Client side abuse**. -3. Next to **Continuous script monitoring**, set the toggle to **On**. +3. Turn on **Continuous script monitoring**. If you do not have access to resource monitoring in the Cloudflare dashboard, check if your user has one of the [necessary roles](/page-shield/reference/roles-and-permissions/). diff --git a/src/content/docs/security/web-assets.mdx b/src/content/docs/security/web-assets.mdx index 6af76ea8e2a5ce6..de809fe4d9ca219 100644 --- a/src/content/docs/security/web-assets.mdx +++ b/src/content/docs/security/web-assets.mdx 
@@ -43,7 +43,7 @@ Use **Sequences** to discover how users interact with your API, by tracking the Once you configure [session identifiers](/api-shield/management-and-monitoring/session-identifiers/), the **Sequences** tab will start grouping and highlighting important user journeys (sequences) across your API. -To configure session identifiers, go to **Security** > **Settings** > **All settings** tab and select **Edit** next to **Session identifiers**. +To configure session identifiers, go to **Security** > **Settings** and select **Configure session identifiers** next to **Session identifiers**. For more information on how Cloudflare identifies API sequences and how you can configure API sequence rules, refer to the following resources: diff --git a/src/content/docs/waf/detections/firewall-for-ai.mdx b/src/content/docs/waf/detections/firewall-for-ai.mdx index 67a8e49d7268b7d..52e950ea47cffe4 100644 --- a/src/content/docs/waf/detections/firewall-for-ai.mdx +++ b/src/content/docs/waf/detections/firewall-for-ai.mdx @@ -32,7 +32,7 @@ Firewall for AI is only available in the new [application security dashboard](/s 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Next to **Firewall for AI**, set the toggle to **On**. +3. Turn on **Firewall for AI**. diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx index 24378dcf6f4c1da..b04d5a579a89bef 100644 --- a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx +++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx 
@@ -117,7 +117,7 @@ To check for leaked credentials in a way that is not covered by the default conf 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Under **Leaked Credential Detection** > **Configurations**, select the edit icon. +3. Under **Leaked credential detection** > **Configurations**, select the edit icon. 4. Select **Add custom username and password location**. 5. In **Username location** and **Password location** (optional), enter expressions for obtaining the username and the password from the HTTP request. For example, you could use the following expressions: diff --git a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx index 3a29accd0d000c9..628613e39b2ea18 100644 --- a/src/content/docs/waf/detections/malicious-uploads/get-started.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx @@ -26,7 +26,7 @@ WAF content scanning is available to customers on an Enterprise plan with a paid 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Next to **Malicious uploads detection**, set the toggle to **On**. +3. Turn on **Malicious uploads detection**. diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx index a64979f443cf94a..385f2a3311e9440 100644 --- a/src/content/docs/waf/get-started.mdx +++ b/src/content/docs/waf/get-started.mdx 
@@ -37,7 +37,7 @@ The [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Web application exploits**. -3. Next to **Cloudflare managed ruleset**, set the toggle to **On**. +3. Turn on **Cloudflare managed ruleset**. @@ -122,7 +122,7 @@ The Cloudflare OWASP Core Ruleset is prone to false positives and offers only ma 1. Go to your domain > **Security** > **Settings** and filter by **Web application exploits**. -2. Next to **OWASP Core**, set the toggle to **On**.
+2. Turn on **OWASP Core**.
This will deploy the Cloudflare OWASP Core Ruleset with the default configuration: paranoia level = _PL1_ and score threshold = _Medium - 40 and higher_.
diff --git a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx index 70b2d0eca58f14d..2471f45c6da5931 100644 --- a/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx +++ b/src/content/docs/waf/managed-rules/deploy-zone-dashboard.mdx @@ -35,7 +35,7 @@ This operation deploys the managed ruleset for the current zone, creating a new 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Next to the managed ruleset you want to deploy, set the toggle to **On**. +3. Turn on the managed ruleset you want to deploy.
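Review bot: Step 2 in this hunk of `deploy-zone-dashboard.mdx` still says to filter by **Detections**, while the `waf/get-started.mdx` hunks in this same patch send the reader to **Web application exploits** before turning on **Cloudflare managed ruleset** and **OWASP Core**. Since step 3 is being reworded anyway, please confirm which filter actually surfaces the managed rulesets in the new dashboard and use the same one in both pages.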
diff --git a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx index 06d0fe24e86cc3a..b0b1127204effc6 100644 --- a/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx +++ b/src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx @@ -48,7 +48,7 @@ To enable Cloudflare Sensitive Data Detection: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Next to **Sensitive data detection**, set the toggle to **On**. +3. Turn on **Sensitive data detection**. To adjust the scope of the managed ruleset or turn off specific rules: diff --git a/src/content/docs/waf/tools/browser-integrity-check.mdx b/src/content/docs/waf/tools/browser-integrity-check.mdx index fe0774d7aa71b46..4a96a4f9daea6e8 100644 --- a/src/content/docs/waf/tools/browser-integrity-check.mdx +++ b/src/content/docs/waf/tools/browser-integrity-check.mdx @@ -21,14 +21,14 @@ To disable BIC globally for your zone: 1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Select your account and zone. 3. Go to **Security** > **Settings**. -4. For **Browser Integrity Check**, switch the toggle to **Off**. +4. Turn off **Browser Integrity Check**. 1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Select your account and zone. -3. Go to **Security** > **Settings**. -4. Next to **Browser integrity check**, switch the toggle to **Off**. +3. Go to **Security** > **Settings** and filter by **DDoS attacks**. +4. Turn off **Browser integrity check**. diff --git a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx index b6945849b33bd07..9b92f8cb3ed9925 100644 --- a/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx 
+++ b/src/content/docs/waf/tools/replace-insecure-js-libraries.mdx @@ -40,7 +40,7 @@ The feature is available in all Cloudflare plans, and is turned on by default on 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. 2. Go to **Security** > **Settings**. -3. For **Replace insecure JavaScript libraries**, set the toggle to **On** or **Off**. +3. Turn **Replace insecure JavaScript libraries** on or off. diff --git a/src/content/partials/waf/leaked-credentials-detection-enable.mdx b/src/content/partials/waf/leaked-credentials-detection-enable.mdx index 9c8e7ac04ea73cd..39113d332cb19fd 100644 --- a/src/content/partials/waf/leaked-credentials-detection-enable.mdx +++ b/src/content/partials/waf/leaked-credentials-detection-enable.mdx @@ -16,7 +16,7 @@ On Free plans, the leaked credentials detection is enabled by default, and no ac 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain. 2. Go to **Security** > **Settings** and filter by **Detections**. -3. Next to **Leaked Credential Detection**, set the toggle to **On**. +3. Turn on **Leaked credential detection**. From ab2928b62fb49ab8a32ccdf98a1218b7476c5a21 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Mon, 14 Jul 2025 10:06:36 +0100 Subject: [PATCH 09/11] Update fallthrough rules instructions (new nav) --- .../security/schema-validation/index.mdx | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index effdeb75efb03d7..409b7c302f32bcf 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx 
@@ -28,7 +28,7 @@ If you are uploading a schema via the API or Terraform, you must parse the schem :::note -To view the contents in your learned schema, refer to [Export a schema](/api-shield/management-and-monitoring/#export-a-schema) in Endpoint Management. +To view the contents in your learned schema, refer to [Export a schema](/api-shield/management-and-monitoring/#export-a-schema) in Endpoint Management. ::: ### Add validation by uploading a schema @@ -48,7 +48,7 @@ To view the contents in your learned schema, refer to [Export a schema](/api-shi 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Web assets** > **Schema Validation**. + 2. Go to **Security** > **Web assets** > **Schema validation**. 3. Select **Add validation**. 4. Upload a schema file. 5. Select **Add schema and endpoints**. @@ -57,7 +57,7 @@ To view the contents in your learned schema, refer to [Export a schema](/api-shi :::note -Changes may take a few minutes to process depending on the number of added endpoints. +Changes may take a few minutes to process depending on the number of added endpoints. ::: ### Add validation by applying a learned schema to a single endpoint 
@@ -113,12 +113,12 @@ At this time, learned schemas will not overwrite customer-uploaded schemas. If a :::note -If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field. +If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field. ::: ### Add validation by adding a fallthrough rule -A fallthrough rule acts as a catch-all for requests that do not match endpoints in [Endpoint Management](/api-shield/management-and-monitoring/). +A fallthrough rule acts as a catch-all for requests that do not match endpoints in [Endpoint Management](/api-shield/management-and-monitoring/). By ensuring that all your endpoints in a schema are added to Endpoint Management, the fallthrough action can protect you against legacy or zombie endpoints that your team may be unaware of. 
@@ -136,22 +136,25 @@ To set up a fallthrough action: 7. Name your rule and select your action. 8. Select **Save as draft** to deploy later, or **Deploy** to deploy now. + + Your current fallthrough rules can be viewed in the custom rules list. + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. - 2. Go to **Security** > **Settings**. - 3. Filter by **API abuse**. - 4. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. If you have already created fallthrough rules, select **<N> fallthrough rules** instead. + 2. Go to **Security** > **Security rules**. + 3. Select **Templates**. + 4. Search for the template named `Mitigate API requests to unidentified endpoints` and select **Preview template**. 5. Give your rule a descriptive name. 6. Choose one or more hostnames from the dropdown menu and select your action. 7. Select **Save as draft** to deploy later, or **Deploy** to deploy now. + + Your current fallthrough rules can be viewed in the security rules list. -Your current fallthrough rules can be viewed in the custom rules list. - :::note You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom rule for a more customized logic check. This detection will evaluate as `true` when a request does not match an endpoint in Endpoint Management, so it is important to check against your API's hostname or root path to ensure that you are not blocking any non-API traffic on your zone. ::: 
@@ -334,11 +337,11 @@ OpenAPI schemas generated by different tooling may not be specific enough to imp ## Limitations -Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0. +Schema Validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis.org/oas/v3.0.3). OpenAPI 3.1 is not supported yet, and we do not plan to expand support for OpenAPI 2.0. Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items. -There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team. +There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team. For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Shield, refer to [Plans](/api-shield/plans/). @@ -453,4 +456,4 @@ Media-ranges can also be configured to enforce a `charset` parameter. For this, ## Availability -Schema Validation is available for all customers. Refer to [Plans](/api-shield/plans/) for more information based on your plan type. \ No newline at end of file +Schema Validation is available for all customers. Refer to [Plans](/api-shield/plans/) for more information based on your plan type. \ No newline at end of file From 8c27fa16a87d8f1b942ffede9f742fc60ddb6bcf Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Mon, 14 Jul 2025 10:07:30 +0100 Subject: [PATCH 10/11] Keep word consistent --- .../docs/api-shield/security/schema-validation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index 409b7c302f32bcf..de7da08702b5660 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx @@ -245,7 +245,7 @@ To change the action on an individual endpoint: 2. Go to **Security** > **Web assets** > **Schema validation** tab. 3. Search for the endpoint to change. 4. Select the three dots on the endpoint's row > **Change action**. - 5. Choose a new action from the drop-down menu and select **Set action**. + 5. Choose a new action from the dropdown menu and select **Set action**. From f58634466f92f11c907fdd5778ec8866f0a5dc4b Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Mon, 14 Jul 2025 12:19:51 +0100 Subject: [PATCH 11/11] Apply suggestions from PCX review Co-authored-by: Jun Lee --- src/content/docs/security/settings.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 3274fe6e325deec..62d7d970feaaa61 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -55,7 +55,7 @@ Additionally, you can manage the following settings: - [Cloudflare managed ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) - [Firewall for AI](/waf/detections/firewall-for-ai/) - [Schema learning](/api-shield/management-and-monitoring/endpoint-management/schema-learning/) -- [Schema validation](/api-shield/security/schema-validation/) (requires that you upload a schema or apply a learned schema) +- [Schema validation](/api-shield/security/schema-validation/) (requires you to upload a schema or apply a learned schema) - [Under Attack mode](/fundamentals/reference/under-attack-mode/) (under Security Level) - SSL/TLS DDoS attack protection 
@@ -69,7 +69,7 @@ In the **Bot traffic** security module you can manage the following settings: - [Super Bot fight mode](/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan) - [Bot Management](/bots/get-started/bot-management/) (depending on your Enterprise subscriptions) - AI bot traffic management with [robots.txt](/bots/additional-configurations/managed-robots-txt/) -- API [sequence detection](/api-shield/security/sequence-analytics/) (requires that you configure a session identifier) +- API [sequence detection](/api-shield/security/sequence-analytics/) (requires you to configure a session identifier) :::note The bot traffic module includes features and settings from [Bots](/bots/) in the previous dashboard navigation structure. 
@@ -80,9 +80,9 @@ The bot traffic module includes features and settings from [Bots](/bots/) in the In the **API abuse** security module you can manage the following settings: - [Developer portal](/api-shield/management-and-monitoring/developer-portal/) creation -- [Endpoint discovery](/api-shield/security/api-discovery/) (always enabled if included in your Enterprise subscriptions; requires that you configure a [session identifier](/api-shield/management-and-monitoring/session-identifiers/)) +- [Endpoint discovery](/api-shield/security/api-discovery/) (always enabled if included in your Enterprise subscriptions; requires you to configure a [session identifier](/api-shield/management-and-monitoring/session-identifiers/)) - [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/) -- [JWT validation](/api-shield/security/jwt-validation/) (requires that you add a [JWT configuration](/api-shield/security/jwt-validation/api/#token-configurations)) +- [JWT validation](/api-shield/security/jwt-validation/) (requires you to add a [JWT configuration](/api-shield/security/jwt-validation/api/#token-configurations)) :::note The API abuse module includes features and settings from [API Shield](/api-shield/) in the previous dashboard navigation structure.
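Review bot: In the `@@ -136,22 +136,25 @@` hunk (fallthrough action steps), the rewritten step 4 drops the old "If you have already created fallthrough rules" branch, and the added sentence `Your current fallthrough rules can be viewed in the security rules list.` does not say where that list is. Suggest naming the path from step 2 (**Security** > **Security rules**) in that sentence and using the active voice ("You can view your current fallthrough rules in ..."). Step 4 also ends on **Preview template** while step 5 goes straight to naming the rule; a short clause saying what the preview opens would connect the two steps.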
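Review bot: In the `@@ -453,4 +456,4 @@` hunk, the final line of the file is rewritten but `\ No newline at end of file` still appears on both the removed and the added side, so the file still ends without a trailing newline. Since this line is being touched anyway, add the newline in the same change.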
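Review bot: In the `@@ -245,7 +245,7 @@` hunk of `src/content/docs/api-shield/security/schema-validation/index.mdx`, step 5 now uses `dropdown menu`, which matches the wording in the fallthrough steps earlier in this series, but the commit changes only this one occurrence. A search for `drop-down` across the files touched by this series before merging would confirm that "Keep word consistent" holds for all of them.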
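Review bot: In the `@@ -80,9 +80,9 @@` hunk of `src/content/docs/security/settings.mdx`, the Endpoint discovery item still pairs `always enabled if included in your Enterprise subscriptions` with `requires you to configure a [session identifier]` in one parenthetical, which reads as "always on" and "needs setup" at the same time. The rewording from "requires that you" keeps that ambiguity; suggest stating what the session identifier is required for, or splitting the parenthetical into two sentences.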