Cloudflare OWASP Core Ruleset blocking legit requests

I was prompted to migrate to the managed WAF rulesets by the Security Center showing a "critical" issue for not using them. Doing so immediately blocked legitimate requests to my site; almost all requests (even without any query parameters) were being flagged by the same six rules. I turned the core ruleset off and requests started working again. What would cause simple GET requests from a legit browser to trigger these?
1 Reply
minimalo 7mo ago
@R1CH I can't speak to your question, but I've seen POST requests get blocked by OWASP rules and there was no time to investigate the WHY because it was a production app and people could not work. Have you tried adjusting the Paranoia and Anomaly Levels to see if that helps?