
Create allow rules

Based on your application’s traffic, you should create WAF custom rules that explicitly skip remaining custom rules (or other security features) for expected automated or likely automated traffic.

Cloudflare recommends being as specific as possible when analyzing traffic and creating rules, usually including a combination of user-agent values, IP addresses or ASNs, and JA3 fingerprints.

| Expression | Action |
| --- | --- |
| `(http.user_agent contains "App_Name 2.0") and (cf.bot_management.ja3_hash eq "df669e7ea913f1ac0c0cce9a201a2ec1") and (ip.src in $mobile_app_ips)` | Skip > All remaining custom rules |

If you only use a specific characteristic for your skip rules (such as the user-agent), it could be discovered by malicious bots and expose your application to automated abuse.
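
Before deploying a skip rule, it helps to replay exported traffic against it and see which requests a user-agent-only rule would exempt that the combined rule keeps under inspection. The following is an added example, not Cloudflare's code: the record field names, the sample requests, and the contents standing in for the `$mobile_app_ips` list are constructed assumptions.

```python
import ipaddress

# Values taken from the rule in the table above. The network below is a
# constructed stand-in for the $mobile_app_ips list (documentation range).
APP_UA = "App_Name 2.0"
APP_JA3 = "df669e7ea913f1ac0c0cce9a201a2ec1"
MOBILE_APP_IPS = [ipaddress.ip_network("203.0.113.0/24")]


def ua_only(req):
    """Weak skip rule: matches on the user-agent substring alone."""
    return APP_UA in req["user_agent"]


def combined(req):
    """Skip rule from the table: user-agent AND JA3 hash AND source IP list."""
    src = ipaddress.ip_address(req["src_ip"])
    return (ua_only(req)
            and req["ja3_hash"] == APP_JA3
            and any(src in net for net in MOBILE_APP_IPS))


def audit(requests):
    """Requests a UA-only rule would skip but the combined rule would not."""
    return [r for r in requests if ua_only(r) and not combined(r)]


# Constructed sample traffic (hypothetical field names, not real log data).
SAMPLE = [
    {"id": 1, "user_agent": "App_Name 2.0 (iOS)", "ja3_hash": APP_JA3,
     "src_ip": "203.0.113.10"},   # expected app traffic
    {"id": 2, "user_agent": "App_Name 2.0 (iOS)", "ja3_hash": "0" * 32,
     "src_ip": "203.0.113.11"},   # right UA and IP, different TLS fingerprint
    {"id": 3, "user_agent": "App_Name 2.0", "ja3_hash": APP_JA3,
     "src_ip": "198.51.100.7"},   # right UA and JA3, IP outside the list
    {"id": 4, "user_agent": "Mozilla/5.0", "ja3_hash": "1" * 32,
     "src_ip": "192.0.2.44"},     # unrelated browser traffic
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"request {r['id']}: skipped by UA-only rule, "
              "still inspected by the combined rule")
```

Requests 2 and 3 are the ones to review: either they are automated traffic copying the user-agent, or they are legitimate clients the allow rule does not yet cover.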