Cloudflare WAF blocks malicious URL, response has no X-Frame-Options
We use Cloudflare WAF in front of a SaaS application, and a third-party DAST tool to scan for vulnerabilities. The DAST tool requested a URL with malicious characters in the path, and Cloudflare WAF correctly blocked the URL.
The Cloudflare response was an HTTP 500 with a body saying:
The request was rejected because the URL contained a potentially malicious String "%0a"
However, the response omitted an X-Frame-Options header, which our DAST tool flagged as a potentially exploitable embedding vulnerability.
I see ways to set custom headers for Cloudflare Pages, but not for Cloudflare WAF responses. Is there a way to add X-Frame-Options: DENY to this (and other) Cloudflare WAF error pages?