Replies: 7 comments 1 reply
-
Hi @Rhan112, Thank you for submitting 😃 Could you tell us more about the “scan interference issue” and why disabling WAF and security checks is problematic? Kind regards,
-
Hi @mclausen, In the company I work for we run monthly scans against our websites (hosted through Umbraco). The tool we use to run the scans is called AppCheck. One of the results we see from the scan is "Scan interface - 403 Forbidden Issue". Thanks,
-
Alright, thank you for elaborating :). I might be a bit off here, but it sounds like "Scan interface - 403 Forbidden Issue" is very unique to AppCheck and that context. I am not familiar with AppCheck, and I am unsure how it works, so I am assuming that the service just pings the website regularly. Is this correct? As I recall, we are not actively blocking anything from Cloudflare directly unless Cloudflare believes it's a DDoS attack, so I am also curious about other request and response details that you can provide (URLs, headers, etc.) to help figure out the right solution.
-
My understanding is that we provide them with the domain names of our website and they scan it by crawling through the websites searching for vulnerabilities. The specific details of the error are "This scan has experienced interference Allowing-AppCheck-Access-to-Your-Network-or-Applications) from either a WAF or IDS system, and will have an impact on the quality of the results found"
-
Hi @Rhan112, I’ve got the full picture now. From your experience, the rule being disabled after 30 days is likely due to our limited capacity for custom WAF rules, which are also manually maintained. It appears that your rule was rolled back during a general deployment to Cloudflare. Currently, this isn’t a feature we officially support. However, I believe it’s a valid feature to consider for general availability. We’ll need to investigate our options internally before we can commit to this feature, and we’ll get back to you with an update. In the meantime, I will move this issue to discussions. Best regards,
-
Hi, it has been 3 months since I submitted this request. Has there been any update on this? Thanks,
-
Hi @Rhan112, We've been investigating enabling very general WAF rules on custom hostnames; however, for the first iteration we are unable to provide you with a detailed configuration story. Right now we're looking at allowing customers to enable / disable WAF for their specific hostname. We don't have any ETA to give at this point, but the implementation is in active development.
-
Issue description
Could you please make custom rules available, specifically the skip WAF features and security checks for requests with given Source IPs. This is needed to fix the scan interference issue.