Introduction

Cloudflare's Web Application Firewall (WAF) inspects incoming HTTP requests for common attack patterns including SQL injection, XSS, and command injection; the SQL injection signatures live in the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset. While effective at blocking real attacks, these rules can generate false positives when legitimate requests contain patterns that resemble SQL injection: API endpoints whose request bodies carry SQL-like keywords, blog posts or documentation discussing database queries, or free-text form fields containing quotes, comment markers, and other special characters.

Symptoms

  • Cloudflare returns 403 Forbidden with its Access denied page instead of the origin's response
  • The error page shows a Ray ID and states that the request was blocked by security rules
  • The blocked request body or query string contains SQL keywords such as SELECT, UNION, or DROP in legitimate content
  • Specific form submissions or API endpoints fail every time while the rest of the site works
  • curl -X POST with certain data returns 403 through Cloudflare, but the same data succeeds when sent directly to the origin

Common Causes

  • Managed WAF SQL injection rule matching legitimate content (blog posts, documentation, comments)
  • API endpoints that accept SQL-like text in the request body (query builders, search DSLs, admin tools)
  • Form fields accepting free text in which users type quotes, semicolons, or SQL-like phrases
  • OWASP Core Ruleset tuned too aggressively (low anomaly score threshold or high paranoia level); note that the Security Level setting is separate and only governs IP-reputation challenges, not SQL injection rules
  • Custom WAF rules written too broadly, matching legitimate request patterns

Step-by-Step Fix

  1. Identify which WAF rule is blocking the request:
     - In the Cloudflare dashboard: Security > Events
     - Find the blocked request by Ray ID (printed on the block page and returned in the cf-ray response header), client IP, or URL
     - Note the service that blocked it (Managed rules vs. Custom rules), the ruleset, the rule ID, and the rule description (e.g., SQLi - Likely). Managed rule IDs are opaque identifiers; copy them from the event rather than guessing them.
  2. Confirm it really is a false positive before exempting anything:
     - Open the event details and check the matched part of the request (body, query string, or header) against what your application legitimately sends
     - Recurring hits on one real endpoint from your own clients look like a false positive; scattered hits on paths you do not serve are usually scanners and should stay blocked
     - If the endpoint executes user-supplied SQL (as the test request in step 6 suggests), fix the application first; a WAF exemption does not make that safe
  3. Create a custom rule that skips the specific managed rule for the specific endpoint:
     - Go to Security > WAF > Custom rules
     - Create a new rule:
     ```
     Field: URI Path
     Operator: equals
     Value: /api/submit-query
     Action: Skip
     Skip: selected rules in the Cloudflare Managed Ruleset, choosing the rule ID noted in step 1
     ```
     - Keep the scope as narrow as possible. Skipping all managed rules for the path also disables the XSS, RCE, and other protections on that endpoint, and skipping the rule zone-wide removes the protection everywhere.
  4. Alternatively, if the hits come from the OWASP Core Ruleset, tune its sensitivity instead of skipping it:
     - Go to Security > WAF > Managed rules and open the Cloudflare OWASP Core Ruleset configuration
     - Raise the OWASP anomaly score threshold or lower the paranoia level; this reduces how aggressively the SQL injection rules fire across the whole zone, so prefer the targeted skip in step 3 when only one endpoint is affected
     - Changing Security > Settings > Security Level from High to Medium will not help: that setting controls IP-reputation challenges, not the managed SQL injection rules
  5. Via the API, the same skip is a rule in the http_request_firewall_custom phase of the Rulesets API (the older /firewall/rules endpoint and its "allow" action only affect other firewall rules and do not bypass managed rules):
     ```bash
     # Skip one managed rule for one endpoint. MANAGED_RULESET_ID and RULE_ID
     # are the ruleset and rule identifiers copied from Security > Events.
     curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint/rules" \
       -H "Authorization: Bearer API_TOKEN" \
       -H "Content-Type: application/json" \
       --data '{
         "action": "skip",
         "action_parameters": { "rules": { "MANAGED_RULESET_ID": ["RULE_ID"] } },
         "expression": "(http.request.uri.path eq \"/api/data\" and http.request.method eq \"POST\")",
         "description": "Skip SQLi rule RULE_ID on POST /api/data (reviewed false positive)"
       }'
     ```
  6. Test the fix:
     ```bash
     # Print only the status line and the Ray ID; the body is discarded.
     curl -sv -o /dev/null -X POST https://example.com/api/submit-query \
       -H "Content-Type: application/json" \
       -d '{"query": "SELECT * FROM users WHERE id = 1"}' 2>&1 | grep -iE '^< (HTTP|cf-ray)'
     # Expect the origin's status (e.g. 200) instead of 403. If it is still 403,
     # search Security > Events for the cf-ray value shown to see which rule fired.
     ```
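The triage in steps 1, 2, and 5 can be scripted against an export of Security Events: group managed-WAF blocks by endpoint and rule, keep only the recurring ones, and generate the narrowest skip rule for each. The following is an added example, not Cloudflare's code and not part of the original page. It assumes event field names modelled on the Security Events export (firewallEventsAdaptive); the sample events, IP addresses, and the RULESET_ID/RULE_ID values are constructed placeholders, not real Cloudflare identifiers.

```python
"""Triage Cloudflare WAF false positives from exported Security Events and build
the narrowest possible skip rule body for the Rulesets API.

Added example; not Cloudflare's code. Field names follow the Security Events
export (assumption); all events and IDs below are constructed placeholders.
"""
import json
from collections import Counter

# Constructed sample export (not real traffic). Ruleset and rule IDs are
# placeholders; in practice copy them from Security > Events.
SAMPLE_EVENTS = [
    # Three hits from the app's own clients on one endpoint and one rule:
    # the shape of a false positive.
    {"action": "block", "source": "firewallManaged", "rulesetId": "RULESET_ID",
     "ruleId": "SQLI_RULE_ID", "description": "SQLi - Likely",
     "clientRequestHTTPMethodName": "POST", "clientRequestPath": "/api/submit-query",
     "clientIP": "198.51.100.10"},
    {"action": "block", "source": "firewallManaged", "rulesetId": "RULESET_ID",
     "ruleId": "SQLI_RULE_ID", "description": "SQLi - Likely",
     "clientRequestHTTPMethodName": "POST", "clientRequestPath": "/api/submit-query",
     "clientIP": "198.51.100.11"},
    {"action": "block", "source": "firewallManaged", "rulesetId": "RULESET_ID",
     "ruleId": "SQLI_RULE_ID", "description": "SQLi - Likely",
     "clientRequestHTTPMethodName": "POST", "clientRequestPath": "/api/submit-query",
     "clientIP": "198.51.100.10"},
    # One hit on a path the app does not serve: a scanner, keep blocking it.
    {"action": "block", "source": "firewallManaged", "rulesetId": "RULESET_ID",
     "ruleId": "SQLI_RULE_ID", "description": "SQLi - Likely",
     "clientRequestHTTPMethodName": "GET", "clientRequestPath": "/wp-login.php",
     "clientIP": "203.0.113.5"},
    # A block from a custom rule; a managed-rule skip would not change this.
    {"action": "block", "source": "firewallCustom", "rulesetId": "CUSTOM_RULESET_ID",
     "ruleId": "CUSTOM_RULE_ID", "description": "Block bad UA",
     "clientRequestHTTPMethodName": "POST", "clientRequestPath": "/api/submit-query",
     "clientIP": "198.51.100.12"},
]


def managed_waf_blocks(events):
    """Keep only requests blocked by a managed ruleset. Blocks from custom
    rules, rate limiting, or bot management need a different fix."""
    return [e for e in events
            if e["action"] == "block" and e["source"] == "firewallManaged"]


def false_positive_candidates(events, min_hits=2):
    """Group managed-WAF blocks by (method, path, ruleset, rule, description)
    and return the groups seen at least min_hits times, most frequent first.
    Repeated hits on one real endpoint are what a false positive looks like;
    single hits on unknown paths are usually scanners."""
    counts = Counter(
        (e["clientRequestHTTPMethodName"], e["clientRequestPath"],
         e["rulesetId"], e["ruleId"], e["description"])
        for e in managed_waf_blocks(events)
    )
    return sorted(((key, n) for key, n in counts.items() if n >= min_hits),
                  key=lambda kn: -kn[1])


def _quote(value):
    """Escape a string for a double-quoted Rules language literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def skip_rule_payload(method, path, ruleset_id, rule_id, description):
    """Body for POST .../rulesets/phases/http_request_firewall_custom/entrypoint/rules.
    The skip is scoped to one method, one path, and one managed rule, so every
    other managed rule still runs on this endpoint and this rule still runs
    everywhere else."""
    expression = (f"(http.request.uri.path eq {_quote(path)} and "
                  f"http.request.method eq {_quote(method)})")
    return {
        "action": "skip",
        "action_parameters": {"rules": {ruleset_id: [rule_id]}},
        "expression": expression,
        "description": f"Skip '{description}' on {method} {path} (reviewed false positive)",
        "enabled": True,
    }


def triage(events, min_hits=2):
    """One skip-rule body per recurring (endpoint, rule) candidate."""
    return [skip_rule_payload(m, p, rs, r, d)
            for (m, p, rs, r, d), _ in false_positive_candidates(events, min_hits)]


if __name__ == "__main__":
    for payload in triage(SAMPLE_EVENTS):
        print(json.dumps(payload, indent=2))
```

Review each generated body against the matched request in the event details before posting it; the script only narrows the scope, it cannot tell a legitimate query builder from an attacker who has found the same endpoint.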

Prevention

  • Deploy new managed rulesets and custom rules with the Log action first, review Security > Events against your application's normal traffic, and only then switch them to Block
  • Create skip rules for API endpoints that accept free-form input, scoped to the endpoint and to the specific managed rule that fires
  • Prefer rule targeting by URI path and method over zone-wide changes such as disabling a rule or lowering the OWASP sensitivity
  • Monitor Cloudflare Security Events regularly to identify false positive patterns before users report them, and re-check existing skip rules when you change the endpoint they cover
  • For APIs, add Cloudflare API Shield schema validation so requests that do not match the declared shape are rejected early; it complements the managed rules rather than replacing them