☁️ Cloudflare Web Application Firewall (WAF) Expressions

With these WAF expressions you can block most unnecessary requests before they reach your origin server, improving both its security and its performance.

[!IMPORTANT]
It is also recommended to disable the Bot Fight Mode function found in the Security tab. Its purpose is to detect and stop automated traffic from bots, but it often blocks safe and legitimate bots as well, which is not our intention.

[!WARNING]
These expressions should not be used if you are running WordPress or any similar content management system (CMS): Part 1 blocks paths such as wp-admin, wp-content and anything containing ".php", which would break the CMS. We will have a separate post for LetsEncrypt and CMS sites.
They are recommended for Node.js applications built on frameworks like Express.js.

[!TIP]
Check back here from time to time. These lists are updated frequently to stay effective against the latest threats.
What can this list block?

This list has been carefully crafted to improve the security of your origin server by blocking a wide range of pointless and potentially malicious requests. In summary, it can block:

- Sensitive files and directories: prevents access to critical files and directories such as `.git`, `.env` and `.htaccess`, which often contain sensitive information that should never be publicly accessible. It also blocks access to other commonly exposed configuration files and keys, such as SSH keys (`id_rsa`, `authorized_keys`) and similar items.
- Common attack vectors: blocks URLs containing patterns often used in attacks, helping to thwart attempts to exploit known application vulnerabilities.
- Backup files: blocks requests for backup files that could contain sensitive data, covering common backup file names and extensions.
- Outdated browsers: identifies and challenges outdated browser versions that are often used by bots for automated attacks or unnecessary crawling (Part 2 uses an Interactive Challenge rather than Block). Botnets used for DDoS attacks commonly present outdated user agents, so this part helps against them too.
- Unwanted bots: blocks various unwanted web crawlers and known malicious bots by matching specific user-agent strings, reducing bot traffic and the load on your server.
- Specific IP addresses and ASNs: blocks traffic from known malicious IP addresses and ASNs, including some addresses associated with botnets.

By using this collection you can significantly increase the security of your website and reduce the amount of unwanted traffic reaching your server.
What will this list never block?

- Known and safe search engine indexing bots such as Google, Bing, DuckDuckGo, Yandex, Yahoo! and others.
- Requests sent by Node.js applications using libraries like `node-fetch`, `axios`, `superagent`, `request` and similar.
- Requests sent by tools like `curl`, `wget`, `Postman`, `httpie`, `Insomnia` and similar.
- Legitimate traffic from commonly used APIs and services that are essential for the proper functioning of your application.
- Webhooks and callbacks from trusted third-party services, so integrations keep working.
- Requests for standard web files such as `robots.txt`, `ads.txt`, `sitemap.xml`, `humans.txt` and similar, which are needed for web indexing and advertising management.
How to use these expressions?

- Log in to your Cloudflare account.
- Select the domain where you want to add the expressions.
- Open the Security tab and choose WAF from the dropdown list.
- In the Custom rules tab, click the Create rule button.
- Copy the expressions for one part from the expressions.md file.
- Click Edit expression and paste the copied expressions.
- Select the Action given for that part (Block or Interactive Challenge) and click the Deploy button to save the rule.
- Repeat the same process for the remaining parts, one custom rule per part. Cloudflare limits the length of a single expression, so if a part is rejected as too long, split it into two rules with the same action.
- Done! The expressions are now active and will start blocking unwanted traffic to your origin server. Check that your website still functions correctly, and visit this repository periodically to use the latest lists.
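Clicking through the dashboard for every update gets tedious once the lists change often. The following script is an added example written for this page, not code from the repository: it does the same job through Cloudflare's Rulesets API, building one custom rule per part and mapping the page's action names to the API's `block` and `challenge` identifiers. The zone ID and an API token allowed to edit the zone's WAF are read from environment variables. `MAX_EXPRESSION_LEN` is an assumed limit to check against current Cloudflare documentation, and the texts in `PARTS` are short excerpts standing in for the full parts from expressions.md.

```python
import json
import os
import urllib.request

# The page's action names mapped to the Cloudflare API action identifiers.
ACTIONS = {"Block": "block", "Interactive Challenge": "challenge"}
# Assumed per-expression size limit; check Cloudflare's current documentation.
MAX_EXPRESSION_LEN = 4096


def build_rules(parts):
    """Turn [(description, page action, expression text), ...] into custom-rule objects.

    Raises ValueError on an unknown action or an over-long expression so that a
    half-valid ruleset never reaches the API.
    """
    rules = []
    for description, action, expression in parts:
        if action not in ACTIONS:
            raise ValueError(f"{description}: unknown action {action!r}")
        expression = expression.strip()
        if len(expression) > MAX_EXPRESSION_LEN:
            raise ValueError(f"{description}: expression is {len(expression)} characters")
        rules.append({"description": description, "action": ACTIONS[action],
                      "expression": expression, "enabled": True})
    return rules


def deploy(zone_id, token, rules):
    """Replace the zone's custom rules with `rules` via the entry point ruleset endpoint.

    PUT replaces the whole entry point ruleset, so pass every rule you want to keep,
    not just the new ones. Returns the decoded API response.
    """
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint")
    request = urllib.request.Request(
        url, method="PUT", data=json.dumps({"rules": rules}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(request) as response:
        return json.load(response)


# Constructed excerpts standing in for the full text of each part from expressions.md.
PARTS = [
    ("Part 1 - Block unnecessary requests", "Block",
     '(http.request.uri.path contains ".env") or\n(http.request.uri.path contains ".git")'),
    ("Part 2 - Deprecated browsers", "Interactive Challenge",
     '(lower(http.user_agent) contains "chrome/17") or\n(lower(http.user_agent) contains "symbianos")'),
]

if __name__ == "__main__":
    rules = build_rules(PARTS)
    print(json.dumps(rules, indent=2))
    if os.environ.get("CF_ZONE_ID") and os.environ.get("CF_API_TOKEN"):
        print(deploy(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], rules))
```

Because the entry point PUT replaces every custom rule in the zone, keep all four parts (and any rules of your own) in `PARTS`; running the script with only one part would delete the others.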
DDoS Mitigation (highly recommended)

It is also recommended to configure Cloudflare's DDoS protection: in the Security tab, navigate to DDoS and click the Deploy a DDoS override button.

Configuration
- Override name: DDoS L7 ruleset
- Ruleset action: Block
- Ruleset sensitivity: Default

Help
If you have any questions or need help with the expressions, feel free to drop in a comment.

» Last update: 05.10.2024 [DD.MM.YYYY]
Part 1 - Block unnecessary requests
Action: Block

[!NOTE]
`contains` is a plain substring match, so several of these clauses are wider than they look: ".git" also matches /.github/, "/config" matches /configuration, "/env" matches /environment and "/old" matches /older. As printed here, the clause `http.user_agent contains " "` matches every browser user agent, since all of them contain spaces; verify that literal against the expressions.md file before deploying it.
(http.request.uri contains "/wp") or
(http.request.uri.path contains ".aspx") or
(http.request.uri.path contains ".bashrc") or
(http.request.uri.path contains ".bash_history") or
(http.request.uri.path contains ".docker") or
(http.request.uri.path contains ".DS_Store") or
(http.request.uri.path contains ".env") or
(http.request.uri.path contains ".git") or
(http.request.uri.path contains ".htaccess") or
(http.request.uri.path contains ".htpasswd") or
(http.request.uri.path contains ".idea") or
(http.request.uri.path contains ".kube") or
(http.request.uri.path contains ".mysql_history") or
(http.request.uri.path contains ".npmrc") or
(http.request.uri.path contains ".php") or
(http.request.uri.path contains ".sql") or
(http.request.uri.path contains ".ssh") or
(http.request.uri.path contains ".vs") or
(http.request.uri.path contains ".vscode") or
(http.request.uri.path contains "//") or
(http.request.uri.path contains "/administrator") or
(http.request.uri.path contains "/backup") or
(http.request.uri.path contains "/bkp") or
(http.request.uri.path contains "/cms") or
(http.request.uri.path contains "/config") or
(http.request.uri.path contains "/env") or
(http.request.uri.path contains "/install") or
(http.request.uri.path contains "/license") or
(http.request.uri.path contains "/login.action") or
(http.request.uri.path contains "/old") or
(http.request.uri.path contains "/phpmyadmin") or
(http.request.uri.path contains "/readme") or
(http.request.uri.path contains "/sito") or
(http.request.uri.path contains "/temp") or
(http.request.uri.path contains "/tmp") or
(http.request.uri.path contains "/user.action") or
(http.request.uri.path contains "/webdav") or
(http.request.uri.path contains "/wp-json") or
(http.request.uri.path contains "/wp1") or
(http.request.uri.path contains "/wp2") or
(http.request.uri.path contains "/~adm") or
(http.request.uri.path contains "/~sysadm") or
(http.request.uri.path contains "/~webmaster") or
(http.request.uri.path contains "authorized_keys") or
(http.request.uri.path contains "backup.") or
(http.request.uri.path contains "db.sql") or
(http.request.uri.path contains "dump.") or
(http.request.uri.path contains "dump.sql") or
(http.request.uri.path contains "id_rsa") or
(http.request.uri.path contains "phpinfo") or
(http.request.uri.path contains "server.key") or
(http.request.uri.path contains "sftp") or
(http.request.uri.path contains "web.config") or
(http.request.uri.path contains "wordpress") or
(http.request.uri.path contains "wp-admin") or
(http.request.uri.path contains "wp-content") or
(http.request.uri.path contains "wp-includes") or
(http.request.uri.path contains "~ftp") or
(http.request.uri.path contains "~tmp") or
(http.request.uri.path eq "/.cache") or
(http.request.uri.path eq "/admin") or
(http.request.uri.path eq "/config.json") or
(http.request.uri.path eq "/dbadmin") or
(http.request.uri.path eq "/git") or
(http.request.uri.path eq "/ssh") or
(http.request.uri.path eq "/test") or
(http.request.uri.path eq "/web") or
(http.request.uri.path eq "/website") or
(http.request.uri.path eq "/www-sql") or
(http.user_agent contains " " and http.host contains "cdn." and not http.host eq "blocklist.sefinek.net") or
(http.user_agent contains " " and not (http.host contains "api." or http.host contains "cdn." or http.host eq "blocklist.sefinek.net")) or
(http.user_agent eq "" and http.host contains "cdn." and not http.host eq "blocklist.sefinek.net" and not http.request.uri.path contains "/resources") or
(http.user_agent eq "" and not (http.host contains "api." or http.host contains "cdn." or http.host eq "blocklist.sefinek.net")) or
(lower(http.user_agent) contains "apache-httpclient") or
(lower(http.user_agent) contains "embeddedbrowser" and not http.host contains "api.") or
(lower(http.user_agent) contains "ipconfig") or
(lower(http.user_agent) contains "knights%20of%20degen") or
(lower(http.user_agent) contains "wlwmanifest") or
(lower(http.user_agent) contains "wp_is_mobile")
Part 2 - Deprecated browsers
Action: Interactive Challenge

This part challenges rather than blocks because some legitimate clients and monitoring services present old browser strings. That is also why several clauses exclude hosts matching "api." (API clients cannot solve an interactive challenge) and named bots such as PetalBot and Google-Read-Aloud.
(http.user_agent contains "/114.0" and not http.host contains "api.") or
(http.user_agent contains "Android 7" and not http.host contains "api." and not http.user_agent contains "Google-Read-Aloud;" and not http.user_agent contains "(compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)") or
(http.user_agent contains "Chrome/74" and not http.user_agent contains "Better Uptime Bot" and not http.host contains "api.") or
(http.user_agent contains "Windows NT 5" and not http.user_agent contains "(via ggpht.com GoogleImageProxy)" and not http.host contains "api.") or
(lower(http.user_agent) contains "android 8" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/17") or
(lower(http.user_agent) contains "chrome/33") or
(lower(http.user_agent) contains "chrome/34") or
(lower(http.user_agent) contains "chrome/35") or
(lower(http.user_agent) contains "chrome/36") or
(lower(http.user_agent) contains "chrome/37") or
(lower(http.user_agent) contains "chrome/39") or
(lower(http.user_agent) contains "chrome/41") or
(lower(http.user_agent) contains "chrome/42") or
(lower(http.user_agent) contains "chrome/44") or
(lower(http.user_agent) contains "chrome/49") or
(lower(http.user_agent) contains "chrome/52") or
(lower(http.user_agent) contains "chrome/58") or
(lower(http.user_agent) contains "chrome/60") or
(lower(http.user_agent) contains "chrome/64") or
(lower(http.user_agent) contains "chrome/65") or
(lower(http.user_agent) contains "chrome/69") or
(lower(http.user_agent) contains "chrome/71") or
(lower(http.user_agent) contains "chrome/77") or
(lower(http.user_agent) contains "chrome/78") or
(lower(http.user_agent) contains "chrome/79") or
(lower(http.user_agent) contains "chrome/80") or
(lower(http.user_agent) contains "chrome/81") or
(lower(http.user_agent) contains "chrome/83" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/84") or
(lower(http.user_agent) contains "chrome/85") or
(lower(http.user_agent) contains "chrome/87" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/88") or
(lower(http.user_agent) contains "chrome/89" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/91" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/92" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/93") or
(lower(http.user_agent) contains "chrome/94" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/95" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/96" and not http.host contains "api.") or
(lower(http.user_agent) contains "chrome/98") or
(lower(http.user_agent) contains "crios/121") or
(lower(http.user_agent) contains "edg/101") or
(lower(http.user_agent) contains "edg/96") or
(lower(http.user_agent) contains "firefox/52") or
(lower(http.user_agent) contains "firefox/57") or
(lower(http.user_agent) contains "firefox/76") or
(lower(http.user_agent) contains "firefox/77") or
(lower(http.user_agent) contains "firefox/79") or
(lower(http.user_agent) contains "firefox/83") or
(lower(http.user_agent) contains "html5plus" and not http.host contains "api.") or
(lower(http.user_agent) contains "mac os x 10_15_6") or
(lower(http.user_agent) contains "mac os x 10_9_2") or
(lower(http.user_agent) contains "netfront") or
(lower(http.user_agent) contains "symbianos")
Part 3 - Block unnecessary bots
Action: Block

These are substring matches on the lower-cased user agent, so keep the tokens specific: a short one such as "buck" or "riddler" also matches any unrelated user agent that happens to contain those letters.
(lower(http.user_agent) contains "barkrowler") or
(lower(http.user_agent) contains "blexbot") or
(lower(http.user_agent) contains "bomborabot") or
(lower(http.user_agent) contains "buck") or
(lower(http.user_agent) contains "bvbot") or
(lower(http.user_agent) contains "bytespider") or
(lower(http.user_agent) contains "ccbot") or
(lower(http.user_agent) contains "censysinspect") or
(lower(http.user_agent) contains "checkhost") or
(lower(http.user_agent) contains "cincraw") or
(lower(http.user_agent) contains "claudebot") or
(lower(http.user_agent) contains "clickagy") or
(lower(http.user_agent) contains "cocolyzebot") or
(lower(http.user_agent) contains "criteobot") or
(lower(http.user_agent) contains "df bot 1.0") or
(lower(http.user_agent) contains "domainstatsbot") or
(lower(http.user_agent) contains "domcopbot") or
(lower(http.user_agent) contains "dotbot") or
(lower(http.user_agent) contains "gulperbot") or
(lower(http.user_agent) contains "httrack") or
(lower(http.user_agent) contains "internet-structure") or
(lower(http.user_agent) contains "ioncrawl") or
(lower(http.user_agent) contains "keys-so-bot") or
(lower(http.user_agent) contains "magpie-crawler") or
(lower(http.user_agent) contains "megaindex") or
(lower(http.user_agent) contains "mj12bot") or
(lower(http.user_agent) contains "nimbostratus") or
(lower(http.user_agent) contains "omgili") or
(lower(http.user_agent) contains "onalyticabot") or
(lower(http.user_agent) contains "panscient.com") or
(lower(http.user_agent) contains "proximic") or
(lower(http.user_agent) contains "riddler") or
(lower(http.user_agent) contains "rogerbot") or
(lower(http.user_agent) contains "sbl-bot") or
(lower(http.user_agent) contains "semantic-visions") or
(lower(http.user_agent) contains "semanticbot") or
(lower(http.user_agent) contains "serpstatbot") or
(lower(http.user_agent) contains "sqlmap") or
(lower(http.user_agent) contains "trendictionbot") or
(lower(http.user_agent) contains "ttd-content") or
(lower(http.user_agent) contains "voluumdsp") or
(lower(http.user_agent) contains "wc-test-dev-bot") or
(lower(http.user_agent) contains "webtechbot") or
(lower(http.user_agent) contains "whatcms") or
(lower(http.user_agent) contains "zgrab")
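The dashboard validates the syntax of an expression but does not simulate it against sample requests, so the only feedback on what Parts 1 to 3 really match normally comes from the Security Events log after deployment. The following added example (written for this page, not part of the repository) parses the subset of the rule language those three parts use, `and`/`or`/`not`, `eq`/`ne`/`contains` and `lower()`, and evaluates it offline against a dict of field values, so you can probe the substring behaviour (".git" also matching /.github/, `eq` not matching sub-paths) and the host exclusions before pasting anything into Cloudflare. `RULE` is a handful of clauses copied from Parts 1 and 3; `starts_with` from the Catch-Rules section and the `matches` operator are not implemented and raise an error.

```python
import re

# Tokens of the subset used on this page: parentheses, "strings", identifiers (fields and
# the keywords and/or/not/eq/ne/contains/lower) and bare literals such as ASNs and IPs.
_TOKEN = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|"(?P<str>[^"]*)"'
                    r'|(?P<ident>[A-Za-z_][\w.]*)|(?P<lit>[0-9][0-9a-fA-F:.]*))')
_OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "contains": lambda a, b: b in a}


def parse(text):
    """Parse a rule into a tuple tree. Precedence: or < and < not < (group | comparison)."""
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad token near {text[pos:pos + 20]!r}")
        toks.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    toks.append((None, None))                       # end-of-input sentinel
    i = 0

    def take(kind=None):
        nonlocal i
        tok = toks[i]
        if kind and tok[0] != kind:
            raise SyntaxError(f"expected {kind}, got {tok}")
        i += 1
        return tok

    def expr():
        return binary("or", lambda: binary("and", unary))

    def binary(keyword, operand):                   # left-associative "a or b or c"
        node = operand()
        while toks[i] == ("ident", keyword):
            take()
            node = (keyword, node, operand())
        return node

    def unary():                                    # not x | ( expr ) | value op value
        if toks[i] == ("ident", "not"):
            take()
            return ("not", unary())
        if toks[i][0] == "lp":
            take()
            node = expr()
            take("rp")
            return node
        left = value()
        return (take("ident")[1], left, value())

    def value():                                    # lower(x) | field | "string" | literal
        kind, val = take()
        if (kind, val) == ("ident", "lower"):
            take("lp")
            inner = value()
            take("rp")
            return ("lower", inner)
        if kind == "ident":
            return ("field", val)
        if kind in ("str", "lit"):                  # bare numbers (ASNs) compare as ints
            return ("const", int(val) if kind == "lit" and val.isdigit() else val)
        raise SyntaxError(f"unexpected token {kind} {val!r}")

    node = expr()
    if toks[i][0] is not None:
        raise SyntaxError(f"trailing tokens at {toks[i]}")
    return node


def evaluate(node, req):
    """Evaluate a tree against {field name: value}; leaves yield values, the rest booleans."""
    op = node[0]
    if op == "const":
        return node[1]
    if op == "field":
        return req.get(node[1], "")                 # an unset field behaves as an empty string
    if op == "lower":
        return evaluate(node[1], req).lower()
    if op == "or":
        return evaluate(node[1], req) or evaluate(node[2], req)
    if op == "and":
        return evaluate(node[1], req) and evaluate(node[2], req)
    if op == "not":
        return not evaluate(node[1], req)
    return _OPS[op](evaluate(node[1], req), evaluate(node[2], req))   # KeyError: unsupported op


# A few clauses copied from Part 1 and Part 3 of this page, to try sample requests against.
RULE = """
(http.request.uri.path contains ".env") or
(http.request.uri.path contains ".git") or
(http.request.uri.path eq "/admin") or
(http.user_agent eq "" and not (http.host contains "api." or http.host contains "cdn.")) or
(lower(http.user_agent) contains "sqlmap")
"""
```

A request is just a dict keyed by Cloudflare field names, for example `{"http.host": "example.com", "http.request.uri.path": "/.github/workflows/ci.yml", "http.user_agent": "Mozilla/5.0 ..."}`; `evaluate(parse(RULE), request)` returns True for it because ".git" is a substring of "/.github/", while the same browser requesting /admin/login returns False because `eq` is exact. Evaluating the clause `(http.user_agent contains " " and not (http.host contains "api." or http.host contains "cdn." or http.host eq "blocklist.sefinek.net"))` from Part 1 against an ordinary Chrome user agent on the bare domain also returns True, which is worth knowing before that clause goes live.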
Part 4 - Block bots, AS Num or IP
Action: Block

Blocking by ASN affects every customer of that network, not only the abusive host, and individual addresses are reassigned over time, so review this part against your own logs whenever you update it (see the "Last update" date above).
(ip.geoip.asnum eq 208323) or
(ip.geoip.asnum eq 210630) or
(ip.geoip.asnum eq 55960) or
(ip.geoip.asnum eq 60729) or
(ip.src eq 102.22.20.58) or
(ip.src eq 102.68.128.195) or
(ip.src eq 103.106.114.106) or
(ip.src eq 103.151.30.155) or
(ip.src eq 103.153.134.22) or
(ip.src eq 103.156.70.38) or
(ip.src eq 103.165.155.254) or
(ip.src eq 103.169.129.4) or
(ip.src eq 103.169.254.9) or
(ip.src eq 103.171.156.218) or
(ip.src eq 103.177.9.104) or
(ip.src eq 103.188.252.66) or
(ip.src eq 103.208.27.214) or
(ip.src eq 103.24.213.118) or
(ip.src eq 103.242.104.182) or
(ip.src eq 103.250.130.104) or
(ip.src eq 103.46.4.7) or
(ip.src eq 103.6.177.174) or
(ip.src eq 103.68.214.97) or
(ip.src eq 104.196.252.127) or
(ip.src eq 109.202.99.46) or
(ip.src eq 113.164.94.137) or
(ip.src eq 114.129.2.82) or
(ip.src eq 114.132.202.246) or
(ip.src eq 114.132.202.78) or
(ip.src eq 115.127.116.242) or
(ip.src eq 118.101.56.156) or
(ip.src eq 12.127.44.138) or
(ip.src eq 120.28.217.209) or
(ip.src eq 122.155.165.191) or
(ip.src eq 122.185.198.242) or
(ip.src eq 124.158.182.34) or
(ip.src eq 125.25.56.164) or
(ip.src eq 132.147.137.52) or
(ip.src eq 134.122.135.138) or
(ip.src eq 138.121.161.84) or
(ip.src eq 139.99.8.91) or
(ip.src eq 143.255.80.134) or
(ip.src eq 148.230.206.229) or
(ip.src eq 152.32.213.18) or
(ip.src eq 156.146.33.76) or
(ip.src eq 161.49.215.28) or
(ip.src eq 165.16.88.161) or
(ip.src eq 167.99.55.197) or
(ip.src eq 168.232.174.43) or
(ip.src eq 172.183.241.1) or
(ip.src eq 175.100.91.212) or
(ip.src eq 175.22.148.13) or
(ip.src eq 177.130.104.106) or
(ip.src eq 177.234.240.123) or
(ip.src eq 177.54.226.50) or
(ip.src eq 177.70.72.103) or
(ip.src eq 177.87.144.122) or
(ip.src eq 179.1.192.5) or
(ip.src eq 179.43.188.122) or
(ip.src eq 179.49.162.133) or
(ip.src eq 180.211.183.2) or
(ip.src eq 180.31.234.71) or
(ip.src eq 184.72.145.180) or
(ip.src eq 184.82.244.173) or
(ip.src eq 185.130.44.86) or
(ip.src eq 185.220.101.37) or
(ip.src eq 185.255.45.241) or
(ip.src eq 187.188.101.205) or
(ip.src eq 187.204.18.213) or
(ip.src eq 188.136.154.43) or
(ip.src eq 189.35.11.247) or
(ip.src eq 189.48.88.204) or
(ip.src eq 190.102.139.146) or
(ip.src eq 190.83.12.220) or
(ip.src eq 190.94.212.198) or
(ip.src eq 190.94.212.240) or
(ip.src eq 191.179.216.84) or
(ip.src eq 191.240.153.144) or
(ip.src eq 191.37.1.155) or
(ip.src eq 193.176.211.244) or
(ip.src eq 194.126.177.84) or
(ip.src eq 194.163.149.123) or
(ip.src eq 199.167.236.12) or
(ip.src eq 200.174.198.136) or
(ip.src eq 200.174.198.144) or
(ip.src eq 200.174.198.222) or
(ip.src eq 200.174.198.224) or
(ip.src eq 200.174.198.92) or
(ip.src eq 2001:bc8:182c:1005::1) or
(ip.src eq 201.131.239.233) or
(ip.src eq 201.77.128.158) or
(ip.src eq 201.77.96.149) or
(ip.src eq 202.47.181.150) or
(ip.src eq 202.47.88.2) or
(ip.src eq 202.62.84.210) or
(ip.src eq 205.185.125.235) or
(ip.src eq 209.209.28.22) or
(ip.src eq 212.174.79.169) or
(ip.src eq 213.232.87.230) or
(ip.src eq 213.232.87.232) or
(ip.src eq 213.232.87.234) or
(ip.src eq 216.87.69.230) or
(ip.src eq 216.9.224.141) or
(ip.src eq 217.182.194.108) or
(ip.src eq 24.172.34.114) or
(ip.src eq 2400:e920:0:8:250:56ff:fe94:474e) or
(ip.src eq 2a01:239:2d0:bc00::1) or
(ip.src eq 34.105.123.106) or
(ip.src eq 34.105.60.137) or
(ip.src eq 34.22.221.19) or
(ip.src eq 34.83.15.88) or
(ip.src eq 34.83.51.218) or
(ip.src eq 34.92.250.88) or
(ip.src eq 36.182.49.26) or
(ip.src eq 36.255.84.69) or
(ip.src eq 36.91.135.141) or
(ip.src eq 36.95.142.35) or
(ip.src eq 37.120.192.154) or
(ip.src eq 4.227.97.45) or
(ip.src eq 43.134.1.40) or
(ip.src eq 43.134.121.40) or
(ip.src eq 43.153.207.93) or
(ip.src eq 45.164.174.27) or
(ip.src eq 45.227.195.121) or
(ip.src eq 45.231.223.252) or
(ip.src eq 45.236.170.234) or
(ip.src eq 45.66.35.22) or
(ip.src eq 45.70.236.150) or
(ip.src eq 46.161.196.222) or
(ip.src eq 46.2.5.84) or
(ip.src eq 47.106.193.183) or
(ip.src eq 47.51.30.226) or
(ip.src eq 51.145.176.250) or
(ip.src eq 52.169.23.0) or
(ip.src eq 52.178.159.39) or
(ip.src eq 91.215.85.29) or
(ip.src eq 94.179.141.78)
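Part 4 is one `eq` clause per address, which is easy to paste but hard to maintain: every update means re-checking a hundred literals by eye, and a growing list eventually hits the per-expression length limit. The following script is an added example written for this page, not code from the repository. It extracts the ASNs and addresses from a Part 4 style text, validates each one with the standard library, drops duplicates, and rewrites them with Cloudflare's set syntax, `ip.src in {...}` and `ip.geoip.asnum in {...}`, splitting the address set across several expressions when it would exceed `max_len`. `PART4_EXCERPT` is a constructed excerpt of the list above with one entry deliberately duplicated, and the 4096-character default for `max_len` is an assumption to check against Cloudflare's current limits.

```python
import ipaddress
import re

# One "(field eq literal)" clause of the kind Part 4 is built from.
_ENTRY = re.compile(r"\(\s*(ip\.geoip\.asnum|ip\.src)\s+eq\s+([^\s)]+)\s*\)")


def extract(rule_text):
    """Pull the ASNs and IP addresses out of a Part 4 style rule.

    Every literal is validated (ValueError on a mistyped address or ASN), duplicates are
    dropped, and any clause that is not "(ip.geoip.asnum eq N)" or "(ip.src eq ADDR)" is
    rejected, so nothing unexpected is silently lost in the conversion.
    """
    leftovers = _ENTRY.sub("", rule_text).split()
    if any(token != "or" for token in leftovers):
        raise ValueError(f"unexpected clause(s): {' '.join(leftovers)!r}")
    asns, ips = set(), set()
    for field, literal in _ENTRY.findall(rule_text):
        if field == "ip.geoip.asnum":
            if not literal.isdigit() or not 0 < int(literal) < 2 ** 32:
                raise ValueError(f"bad ASN literal {literal!r}")
            asns.add(int(literal))
        else:
            ips.add(ipaddress.ip_address(literal))   # ValueError on a typo such as 300.1.1.1
    # IPv4 and IPv6 objects are not mutually comparable, so sort by (version, numeric value).
    return sorted(asns), sorted(ips, key=lambda a: (a.version, int(a)))


def _ip_clause(addrs):
    return "(ip.src in {%s})" % " ".join(addrs)


def render(asns, ips, max_len=4096):
    """Rewrite the entries with Cloudflare's set syntax, one clause per field.

    The IP set is split into several clauses so that none exceeds max_len characters
    (assumed per-expression limit; check Cloudflare's current documentation). Deploy each
    returned expression as its own Block rule, or join them with " or " if they fit in one.
    """
    exprs = []
    if asns:
        exprs.append("(ip.geoip.asnum in {%s})" % " ".join(map(str, asns)))
    batch = []
    for addr in map(str, ips):
        if batch and len(_ip_clause(batch + [addr])) > max_len:
            exprs.append(_ip_clause(batch))
            batch = []
        batch.append(addr)
    if batch:
        exprs.append(_ip_clause(batch))
    return exprs


def convert(rule_text, max_len=4096):
    """Full pipeline: validated, de-duplicated, set-syntax expressions for one Part 4 text."""
    return render(*extract(rule_text), max_len=max_len)


# Constructed excerpt of Part 4 (a few of its real entries, one deliberately duplicated).
PART4_EXCERPT = """
(ip.geoip.asnum eq 208323) or
(ip.geoip.asnum eq 210630) or
(ip.src eq 102.22.20.58) or
(ip.src eq 102.22.20.58) or
(ip.src eq 2001:bc8:182c:1005::1) or
(ip.src eq 185.220.101.37)
"""

if __name__ == "__main__":
    for expression in convert(PART4_EXCERPT):
        print(expression)
```

Set literals also accept CIDR ranges, and for a list that changes often the cleaner option is a Cloudflare IP list referenced from the rule as `ip.src in $blocklist`, which can be updated without editing the rule at all.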
The following substrings look like candidates for Part 2, but they occur in the user agents of legitimate crawlers and apps (examples below), so they are not used in the expressions above:

- `Android 6`: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
- `Chrome/116`: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36
- `Chrome/108`: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
- `Build/`: AdGuard/4.5.17 (Linux; U; Android 14; SO-52C Build/65.2.B.2.152)
Catch-Rules
(starts_with(http.request.uri, "/images/")) or (starts_with(http.request.uri, "/css/")) or (starts_with(http.request.uri, "/js/")) or (starts_with(http.request.uri, "/fonts/")) or (starts_with(http.request.uri, "/video/")) or (starts_with(http.request.uri, "/music/"))
Regex

The Part 3 names, together with a broader set of crawlers and HTTP client tools, can be turned into a single regular expression with grex:

grex "adbeat" "admantx" "ahrefs" "appinsights" "aspiegel" "awariobot" "awariosmartbot" "barkrowler" "blexbot" "bomborabot" "buck" "bvbot" "bytespider" "ccbot" "censysinspect" "checkhost" "cincraw" "claudebot" "clickagy" "cocolyzebot" "criteobot" "crawler" "curl" "df bot 1.0" "domainstatsbot" "domcopbot" "dotbot" "embed.ly" "facebookexternalhit" "friendlycrawler" "grapeshotcrawler" "gulperbot" "httrack" "ias_crawler" "internet-structure" "ioncrawl" "keys-so-bot" "linguee" "linkfluence" "magpie-crawler" "mediatoolkitbot" "megaindex" "mj12bot" "nimbostratus" "node" "omgili" "onalyticabot" "panscient.com" "petalbot" "postman" "proximic" "riddler" "rogerbot" "sbl-bot" "seekport" "semantic-visions" "semanticbot" "serpstatbot" "sogou" "sqlmap" "traackr" "trendictionbot" "ttd-content" "voluumdsp" "wc-test-dev-bot" "webtechbot" "wget" "whatcms" "zgrab"

Two things to note before using the result. This list is wider than Part 3: it also contains curl, wget, node, postman and petalbot, which the sections above promise never to block, so it is not meant to be deployed verbatim. And using a regex in a custom rule requires the `matches` operator, which is only available on Business and Enterprise plans; there the pattern is evaluated as RE2, where `\\-` means a literal backslash followed by a hyphen, so replace each `\\-` with `\-` first.

Resulting regex:
f(?:acebookexternalhit|riendlycrawler)|i(?:nternet\\-structure|oncrawl)|(?:semantic\\-vision|nimbostratu|whatcm)s|(?:grapeshot|magpie\\-|ias_)crawler|(?:(?:m(?:ediatoolkit|j12)|do(?:m(?:ainstats|cop)|t)|(?:awariosmar|serpsta)t|trendiction|onalytica|c(?:ocolyze|riteo|laude|c)|webtech|bombora|gulper|petal|roger|b(?:lex|v))bo|(?:wc\\-test\\-dev|sbl)\\-bo|c(?:ensysinspec|heckhos)|ttd\\-conten|(?:semantic|awario)bo|keys\\-so\\-bo|seekpor|adbea|wge)t|p(?:anscient\.com|roximic|ostman)|a(?:ppinsight|href)s|(?:lin(?:kfluenc|gue)|nod)e|df bot 1\.0|bytespider|(?:barkro|cra)wler|megaindex|voluumdsp|clickagy|embed\.ly|(?:aspiege|cur)l|cincraw|httrack|admantx|traackr|riddler|omgili|sqlmap|sogou|zgrab|buck