diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx index 5c765f0f7cdbf18..9734d2e9b33c2b0 100644 --- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx +++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx @@ -181,7 +181,7 @@ If your logpush destination hostname is proxied through Cloudflare, and you have 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. Go to **Security** > **WAF** > **Custom rules**. 2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`). -3. Under **If incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input: +3. Under **When incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input: | Field | Operator | Value | | ---------------- | ---------- | --------------------------------------------------------------------- | diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx index 62ab3b818217ac4..0b11dc73de28a05 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx 
+++ b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx @@ -99,7 +99,7 @@ Do the following: 2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser). 3. [Enable mTLS](/ssl/client-certificates/enable-mtls/) by adding the correct host. 4. In **SSL/TLS** > **Client Certificates**, select **Create mTLS Rule**. -5. Under **If incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content. +5. Under **When incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content. 6. Set the rule to *Block* any requests made to your admin panel if the client certificate is not verified. 7. Select **Deploy**. This creates a WAF custom rule that checks all requests to the admin section for a valid client certificate. diff --git a/src/content/docs/waf/custom-rules/create-dashboard.mdx b/src/content/docs/waf/custom-rules/create-dashboard.mdx index 2fc2ec8be0b0764..26f14e6af3abca5 100644 --- a/src/content/docs/waf/custom-rules/create-dashboard.mdx +++ b/src/content/docs/waf/custom-rules/create-dashboard.mdx 
@@ -26,7 +26,7 @@ import { Render, Tabs, TabItem, Steps, DashButton } from "~/components"; ![Custom rule creation page in the Cloudflare dashboard](~/assets/images/waf/custom-rules/firewall-custom-rule-create.png) -5. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**. +5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**. 6. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting _Block_ tells Cloudflare to refuse requests that match the conditions you specified. @@ -51,7 +51,7 @@ import { Render, Tabs, TabItem, Steps, DashButton } from "~/components"; ![Custom rule creation page in the Cloudflare dashboard](~/assets/images/waf/custom-rules/firewall-custom-rule-create.png) -4. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**. +4. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**. 5. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting _Block_ tells Cloudflare to refuse requests that match the conditions you specified. 
diff --git a/src/content/docs/waf/detections/firewall-for-ai.mdx b/src/content/docs/waf/detections/firewall-for-ai.mdx index ece956cdc624333..871d8bf7180c37f 100644 --- a/src/content/docs/waf/detections/firewall-for-ai.mdx +++ b/src/content/docs/waf/detections/firewall-for-ai.mdx @@ -88,7 +88,7 @@ Alternatively, create a custom rule like the one described in the next step usin [Create a custom rule](/waf/custom-rules/create-dashboard/) that blocks requests where Cloudflare detected personally identifiable information (PII) in the incoming request (as part of an LLM prompt), returning a custom JSON body: -- **If incoming requests match**: +- **When incoming requests match**: | Field | Operator | Value | | ---------------- | -------- | ----- | @@ -155,7 +155,7 @@ When enabled, Firewall for AI populates the following fields: The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an LLM prompt that tries to obtain PII of a specific [category](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/): -- **If incoming requests match**: +- **When incoming requests match**: | Field | Operator | Value | | ------------------ | -------- | ------------- | @@ -170,7 +170,7 @@ The following example [custom rule](/waf/custom-rules/create-dashboard/) will bl The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an LLM prompt containing unsafe content of specific [categories](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/): -- **If incoming requests match**: +- **When incoming requests match**: | Field | Operator | Value | | --------------------------- | -------- | -------------------------------- | 
@@ -185,7 +185,7 @@ The following example [custom rule](/waf/custom-rules/create-dashboard/) will bl The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an [injection score](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.injection_score/) below `20`. Using a low injection score value in the rule helps avoid false positives. -- **If incoming requests match**: +- **When incoming requests match**: | Field | Operator | Value | | ------------------- | --------- | ----- | diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx index 3e45441013ffffc..5e688023330af1e 100644 --- a/src/content/docs/waf/get-started.mdx +++ b/src/content/docs/waf/get-started.mdx @@ -96,7 +96,7 @@ If you are an Enterprise customer, do the following: 1. Reach out to your account team to get access to WAF attack score. 2. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the Attack Score field: - - **If incoming requests match**: + - **When incoming requests match**: | Field | Operator | Value | | ---------------- | --------- | ----- | @@ -118,7 +118,7 @@ Customers with access to [Bot Management](/bots/get-started/bot-management/) can [Create a custom rule](/waf/custom-rules/create-dashboard/) using the Bot Score and Verified Bot fields: -- **If incoming requests match**: +- **When incoming requests match**: | Field | Operator | Value | Logic | | ------------ | --------- | ----- | ----- | diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index 1f0ce38e449407a..f510eb40f367f70 100644 --- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx 
@@ -13,7 +13,7 @@ For more information on the current rule configuration restrictions, refer to [C ## Parameter reference -### If incoming requests match +### When incoming requests match - Data type: - Field name in the API: `expression` (rule field) @@ -73,7 +73,7 @@ For important details about these characteristics, refer to [Notes about rate li Only available in the Cloudflare dashboard when you enable **Use custom counting expression**. -Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **If incoming requests match**). This default is also applied when you set this field to an empty string (`""`). +Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **When incoming requests match**). This default is also applied when you set this field to an empty string (`""`). The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response). When there are response fields in the counting expression, the counting will happen after the response is sent. diff --git a/src/content/docs/waf/rate-limiting-rules/request-rate.mdx b/src/content/docs/waf/rate-limiting-rules/request-rate.mdx index 7ad34e369ddeeae..81df6ff9dc52eb6 100644 --- a/src/content/docs/waf/rate-limiting-rules/request-rate.mdx +++ b/src/content/docs/waf/rate-limiting-rules/request-rate.mdx @@ -42,7 +42,7 @@ Consider the following configuration for a rate limiting rule: **_Rate limiting rule #1_** -**If incoming requests match**:
+**When incoming requests match**:
`http.request.uri.path eq "/form" and any(http.request.headers["content-type"][*] eq "application/x-www-form-urlencoded")` **Choose action**: _Block_ @@ -53,7 +53,7 @@ Consider the following configuration for a rate limiting rule: **Period**: _10 seconds_ -**With the same value of** (characteristics): +**With the same characteristics**: - _Data center ID_ (included by default when creating the rule in the dashboard) - _IP_ @@ -81,7 +81,7 @@ Consider the following configuration for a rate limiting rule. The rule counting **_Rate limiting rule #2_** -**If incoming requests match**:
+**When incoming requests match**:
`http.request.uri.path eq "/form"` **Choose action**: _Block_ @@ -92,7 +92,7 @@ Consider the following configuration for a rate limiting rule. The rule counting **Period**: _10 seconds_ -**With the same value of** (characteristics): +**With the same characteristics**: - _Data center ID_ (included by default when creating the rule in the dashboard) - _IP_ @@ -145,10 +145,10 @@ Consider the following configuration for a rate limiting rule. When there is a r **_Rate limiting rule #3_** -**If incoming requests match**:
+**When incoming requests match**:
`(http.request.uri.path eq "/graphql")` -**With the same value of** (characteristics): +**With the same characteristics**: - _Data center ID_ (included by default when creating the rule in the dashboard) - _Header value of_ > `x-api-key` diff --git a/src/content/docs/waf/rate-limiting-rules/troubleshooting.mdx b/src/content/docs/waf/rate-limiting-rules/troubleshooting.mdx index f4ef631731816b8..cf3706a914a8d68 100644 --- a/src/content/docs/waf/rate-limiting-rules/troubleshooting.mdx +++ b/src/content/docs/waf/rate-limiting-rules/troubleshooting.mdx @@ -10,7 +10,7 @@ sidebar: Cloudflare may count Workers subrequests on the same zone as separate requests, which will cause a rate limiting rule to trigger sooner than expected. This behavior happens when the rate limiting rule is configured with [**Also apply rate limiting to cached assets**](/waf/rate-limiting-rules/parameters/#also-apply-rate-limiting-to-cached-assets) set to false. -To prevent this behavior, you must exclude any Workers subrequests coming from the same zone from your rate limiting rule using the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field. For example, you could add the following sub-expression to your [rate limiting rule expression](/waf/rate-limiting-rules/parameters/#if-incoming-requests-match): +To prevent this behavior, you must exclude any Workers subrequests coming from the same zone from your rate limiting rule using the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field. For example, you could add the following sub-expression to your [rate limiting rule expression](/waf/rate-limiting-rules/parameters/#when-incoming-requests-match): ```txt and (cf.worker.upstream_zone == "" or cf.worker.upstream_zone != "")
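Review bot: the rewritten step 5 in improving-web-security-for-content-management-systems-like-wordpress.mdx still reads `thr **URI Path** field`; change `thr` to `the` while this line is being touched. The clause after the comma, `otherwise you will block your visitors from accessing the public content`, states the consequence of leaving the mTLS rule unscoped and would read more clearly as its own sentence.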
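Review bot: in create-dashboard.mdx, both changed steps say `**Field** drop-down list` while the step that follows each of them says `**Choose action** dropdown`, and the splunk.mdx step in this same patch uses `dropdowns`. Since these lines are already being edited, settle on one spelling so the procedure reads consistently.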
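Review bot: links to `/waf/rate-limiting-rules/parameters/#if-incoming-requests-match` stop resolving once the heading in parameters.mdx becomes `### When incoming requests match`, and the only inbound link updated in the visible hunks is the one in troubleshooting.mdx. Search the rest of the docs for the old fragment before merging and update any remaining references to `#when-incoming-requests-match`.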
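Review bot: the `**With the same characteristics**:` label introduced in the three request-rate.mdx hunks has no counterpart in the parameters.mdx hunks shown here, which only rename the `If incoming requests match` heading and its mention in the counting expression paragraph. If the parameter reference still documents this setting under the `With the same value of` wording, update that heading and any anchors pointing to it in the same change so the worked examples and the reference use the same label.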