#Is /cdn-cgi/ the only path Cloudflare creates? I wanna block all probing paths with dot "."


long forum
#

Hi there, I'm kind of on the fence about whether it is a good idea to block all bots probing "." paths. Below is my WAF rule. I think I've thought of every case, but I've decided to double-check and ask whether Cloudflare creates any other endpoints, or whether WAF rules do not evaluate against Cloudflare's endpoints at all?

The rule allows /cdn-cgi/, Astro files (JS/CSS/images), images in the public folder and some static files like robots.txt. My website is static: it has no forms, CMS, DB or interactive elements.

(http.request.uri.path contains "."

    and http.request.uri.path ne "/robots.txt"
    and http.request.uri.path ne "/ads.txt"
    and http.request.uri.path ne "/rss.xml"
    and http.request.uri.path ne "/sitemap.xml"
    and http.request.uri.path ne "/favicon.ico"
  
    and not http.request.uri.path contains "/_astro/"
    and not http.request.uri.path contains "/cdn-cgi/"
  
    and not http.request.uri.path contains ".png"
    and not http.request.uri.path contains ".jpg"
    and not http.request.uri.path contains ".jpeg"
    and not http.request.uri.path contains ".webp"
    and not http.request.uri.path contains ".avif"
    and not http.request.uri.path contains ".svg"
    and not http.request.uri.path contains ".gif"
)

or (http.request.uri.path contains "api/")
or (http.request.uri.path contains "wp-")

verbal tartan
#

Uhhh, why not check if it contains /. instead?

#

Since that’ll only match actual dot files

#

And you’ll need to only whitelist /.well-known/ then

long forum
verbal tartan
#

I mean, at that point why not have a full whitelist instead?
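
As an added example (not code from the thread and not Cloudflare's own), the following Python emulates the three strategies discussed: the original poster's "." rule, the `/.` variant from the replies with /.well-known/ exempted, and a full whitelist. Cloudflare's `contains` is a substring test and `ne` an exact comparison, and the emulation compares raw path strings without any URL normalisation. The sample paths, the `/about/` and `/images/` routes in the allowlist, and the `starts_with(...)` expression in the docstring are assumptions for illustration.

```python
"""Emulate the three Cloudflare WAF filtering strategies discussed in the thread.

Added example: not the thread's rule as deployed and not Cloudflare code.
Cloudflare's `contains` is a substring test and `ne` is an exact comparison;
this emulation compares raw path strings and does no URL normalisation.
"""

# Exact paths and extensions copied from the original poster's rule.
STATIC_EXACT = frozenset({"/robots.txt", "/ads.txt", "/rss.xml", "/sitemap.xml", "/favicon.ico"})
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".webp", ".avif", ".svg", ".gif")


def op_rule_blocks(path: str) -> bool:
    """Transcription of the original poster's expression. True means the request is blocked."""
    dot_branch = (
        "." in path
        and path not in STATIC_EXACT
        and "/_astro/" not in path
        and "/cdn-cgi/" not in path
        # `contains ".png"` is a substring test, so ".png" anywhere in the path exempts it
        and not any(ext in path for ext in IMAGE_EXTS)
    )
    return dot_branch or "api/" in path or "wp-" in path


def dotfile_rule_blocks(path: str) -> bool:
    """The `/.` variant suggested in the replies, with /.well-known/ whitelisted.

    Assumed Cloudflare equivalent (not from the thread):
        http.request.uri.path contains "/."
        and not starts_with(http.request.uri.path, "/.well-known/")
    Note that the prefix exemption also admits paths like "/.well-known/.hidden".
    """
    return "/." in path and not path.startswith("/.well-known/")


# Hypothetical allowlist for a small static Astro site; the page routes are assumed.
ALLOWED_EXACT = frozenset({"/", "/about/", *STATIC_EXACT})
ALLOWED_PREFIXES = ("/_astro/", "/cdn-cgi/", "/images/", "/.well-known/")


def allowlist_blocks(path: str, allowed_exact=ALLOWED_EXACT, allowed_prefixes=ALLOWED_PREFIXES) -> bool:
    """Full whitelist: anything not explicitly known is blocked."""
    return not (path in allowed_exact or path.startswith(allowed_prefixes))


# Constructed sample paths: legitimate traffic for the site plus typical probes.
SAMPLE_PATHS = [
    "/",
    "/about/",
    "/robots.txt",
    "/_astro/index.abc123.css",
    "/images/logo.png",
    "/.well-known/security.txt",
    "/.env",
    "/.git/config",
    "/wp-login.php",
    "/backup.zip",
    "/uploads/shell.png.php",
]


def evaluate(paths=SAMPLE_PATHS):
    """Return {path: (op_rule, slash_dot_rule, allowlist)} where True means blocked."""
    return {p: (op_rule_blocks(p), dotfile_rule_blocks(p), allowlist_blocks(p)) for p in paths}


if __name__ == "__main__":
    print(f"{'path':32} {'op_rule':>8} {'slash_dot':>10} {'allowlist':>10}")
    for path, (a, b, c) in evaluate().items():
        print(f"{path:32} {str(a):>8} {str(b):>10} {str(c):>10}")
```

Running it shows where the three approaches disagree: the original rule blocks `/.well-known/security.txt` (which is why the `/.` variant needs that one exemption), the `/.` variant lets non-dotfile probes such as `/backup.zip` and `/wp-login.php` through unless separate clauses cover them, and the substring image exemption in the original rule passes `/uploads/shell.png.php`. Only the allowlist blocks everything it was not told about, at the cost of having to enumerate every route.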