Merged
Expand Up @@ -181,7 +181,7 @@ If your logpush destination hostname is proxied through Cloudflare, and you have

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. Go to **Security** > **WAF** > **Custom rules**.
2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`).
3. Under **If incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input:
3. Under **When incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input:

| Field | Operator | Value |
| ---------------- | ---------- | --------------------------------------------------------------------- |
Expand Up @@ -99,7 +99,7 @@ Do the following:
2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
3. [Enable mTLS](/ssl/client-certificates/enable-mtls/) by adding the correct host.
4. In **SSL/TLS** > **Client Certificates**, select **Create mTLS Rule**.
5. Under **If incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content.
5. Under **When incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content.
6. Set the rule to *Block* any requests made to your admin panel if the client certificate is not verified.
7. Select **Deploy**. This creates a WAF custom rule that checks all requests to the admin section for a valid client certificate.
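Review bot: the typo on changed step 5 survives the rename: `enter a value for thr **URI Path** field` should read `for the **URI Path** field`. Since this line is already being touched, fix it here; the sentence would also read better split at the comma: `... to narrow the rule scope to the admin section. Otherwise, you will block your visitors from accessing the public content.`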

4 changes: 2 additions & 2 deletions src/content/docs/waf/custom-rules/create-dashboard.mdx
Expand Up @@ -26,7 +26,7 @@ import { Render, Tabs, TabItem, Steps, DashButton } from "~/components";

![Custom rule creation page in the Cloudflare dashboard](~/assets/images/waf/custom-rules/firewall-custom-rule-create.png)

5. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.

6. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting _Block_ tells Cloudflare to refuse requests that match the conditions you specified.

Expand All @@ -51,7 +51,7 @@ import { Render, Tabs, TabItem, Steps, DashButton } from "~/components";

![Custom rule creation page in the Cloudflare dashboard](~/assets/images/waf/custom-rules/firewall-custom-rule-create.png)

4. Under **If incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.
4. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property. For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value** using the operator selected in **Operator**.

5. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting _Block_ tells Cloudflare to refuse requests that match the conditions you specified.

8 changes: 4 additions & 4 deletions src/content/docs/waf/detections/firewall-for-ai.mdx
Expand Up @@ -88,7 +88,7 @@ Alternatively, create a custom rule like the one described in the next step usin

[Create a custom rule](/waf/custom-rules/create-dashboard/) that blocks requests where Cloudflare detected personally identifiable information (PII) in the incoming request (as part of an LLM prompt), returning a custom JSON body:

- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value |
| ---------------- | -------- | ----- |
Expand Down Expand Up @@ -155,7 +155,7 @@ When enabled, Firewall for AI populates the following fields:

The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an LLM prompt that tries to obtain PII of a specific [category](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/):

- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value |
| ------------------ | -------- | ------------- |
Expand All @@ -170,7 +170,7 @@ The following example [custom rule](/waf/custom-rules/create-dashboard/) will bl

The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an LLM prompt containing unsafe content of specific [categories](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/):

- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value |
| --------------------------- | -------- | -------------------------------- |
Expand All @@ -185,7 +185,7 @@ The following example [custom rule](/waf/custom-rules/create-dashboard/) will bl

The following example [custom rule](/waf/custom-rules/create-dashboard/) will block requests with an [injection score](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.injection_score/) below `20`. Using a low injection score value in the rule helps avoid false positives.

- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value |
| ------------------- | --------- | ----- |
4 changes: 2 additions & 2 deletions src/content/docs/waf/get-started.mdx
Expand Up @@ -96,7 +96,7 @@ If you are an Enterprise customer, do the following:
1. Reach out to your account team to get access to WAF attack score.

2. [Create a custom rule](/waf/custom-rules/create-dashboard/) using the <GlossaryTooltip term="attack score">Attack Score</GlossaryTooltip> field:
- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value |
| ---------------- | --------- | ----- |
Expand All @@ -118,7 +118,7 @@ Customers with access to [Bot Management](/bots/get-started/bot-management/) can

[Create a custom rule](/waf/custom-rules/create-dashboard/) using the <GlossaryTooltip term="bot score">Bot Score</GlossaryTooltip> and <GlossaryTooltip term="verified bot">Verified Bot</GlossaryTooltip> fields:

- **If incoming requests match**:
- **When incoming requests match**:

| Field | Operator | Value | Logic |
| ------------ | --------- | ----- | ----- |
4 changes: 2 additions & 2 deletions src/content/docs/waf/rate-limiting-rules/parameters.mdx
Expand Up @@ -13,7 +13,7 @@ For more information on the current rule configuration restrictions, refer to [C

## Parameter reference

### If incoming requests match
### When incoming requests match

- Data type: <Type text="String" />
- Field name in the API: `expression` (rule field)
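Review bot: renaming this `###` heading changes its generated anchor from `#if-incoming-requests-match` to `#when-incoming-requests-match`, so any inbound link that still uses the old fragment will no longer scroll to this section. The request-rate-workers page is updated later in this PR; please grep the rest of the repo for `#if-incoming-requests-match` and consider keeping the old id as an explicit anchor or redirect, since external links and bookmarks may still point at it.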
Expand Down Expand Up @@ -73,7 +73,7 @@ For important details about these characteristics, refer to [Notes about rate li

Only available in the Cloudflare dashboard when you enable **Use custom counting expression**.

Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **If incoming requests match**). This default is also applied when you set this field to an empty string (`""`).
Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **When incoming requests match**). This default is also applied when you set this field to an empty string (`""`).

The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response). When there are response fields in the counting expression, the counting will happen after the response is sent.

12 changes: 6 additions & 6 deletions src/content/docs/waf/rate-limiting-rules/request-rate.mdx
Expand Up @@ -42,7 +42,7 @@ Consider the following configuration for a rate limiting rule:

**_Rate limiting rule #1_**

**If incoming requests match**:<br/>
**When incoming requests match**:<br/>
`http.request.uri.path eq "/form" and any(http.request.headers["content-type"][*] eq "application/x-www-form-urlencoded")`

**Choose action**: _Block_
Expand All @@ -53,7 +53,7 @@ Consider the following configuration for a rate limiting rule:

**Period**: _10 seconds_

**With the same value of** (characteristics):
**With the same characteristics**:

- _Data center ID_ (included by default when creating the rule in the dashboard)
- _IP_
Expand Down Expand Up @@ -81,7 +81,7 @@ Consider the following configuration for a rate limiting rule. The rule counting

**_Rate limiting rule #2_**

**If incoming requests match**:<br/>
**When incoming requests match**:<br/>
`http.request.uri.path eq "/form"`

**Choose action**: _Block_
Expand All @@ -92,7 +92,7 @@ Consider the following configuration for a rate limiting rule. The rule counting

**Period**: _10 seconds_

**With the same value of** (characteristics):
**With the same characteristics**:

- _Data center ID_ (included by default when creating the rule in the dashboard)
- _IP_
Expand Down Expand Up @@ -145,10 +145,10 @@ Consider the following configuration for a rate limiting rule. When there is a r

**_Rate limiting rule #3_**

**If incoming requests match**:<br />
**When incoming requests match**:<br />
`(http.request.uri.path eq "/graphql")`

**With the same value of** (characteristics):
**With the same characteristics**:

- _Data center ID_ (included by default when creating the rule in the dashboard)
- _Header value of_ > `x-api-key`
Expand Up @@ -10,7 +10,7 @@ sidebar:

Cloudflare may count Workers subrequests on the same zone as separate requests, which will cause a rate limiting rule to trigger sooner than expected. This behavior happens when the rate limiting rule is configured with [**Also apply rate limiting to cached assets**](/waf/rate-limiting-rules/parameters/#also-apply-rate-limiting-to-cached-assets) set to false.

To prevent this behavior, you must exclude any Workers subrequests coming from the same zone from your rate limiting rule using the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field. For example, you could add the following sub-expression to your [rate limiting rule expression](/waf/rate-limiting-rules/parameters/#if-incoming-requests-match):
To prevent this behavior, you must exclude any Workers subrequests coming from the same zone from your rate limiting rule using the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field. For example, you could add the following sub-expression to your [rate limiting rule expression](/waf/rate-limiting-rules/parameters/#when-incoming-requests-match):

```txt
and (cf.worker.upstream_zone == "" or cf.worker.upstream_zone != "<YOUR_ZONE>")