
Firewall Rules language

The Cloudflare Firewall Rules language is a flexible and intuitive specification for building Firewall Rules expressions. Based on the widely known Wireshark display filters, the Firewall Rules language allows you to precisely target HTTP requests with a syntax and semantics familiar to security engineers.

When evaluating a firewall rule, Cloudflare compares values associated with an HTTP request to those defined in the firewall rule's expression. If the expression evaluates true, Cloudflare triggers the action for that rule.

The Firewall Rules language supports two kinds of expression—simple and compound.

Simple expressions

Simple expressions compare a value from an HTTP request to a value defined in the expression. For example, this simple expression matches Microsoft Exchange Autodiscover requests:

http.request.uri.path matches "/autodiscover\.(xml|src)$"

Simple expressions have the syntax

<field> <comparison-operator> <value>

where

Compound expressions

Compound expressions use logical operators, such as and, to combine two or more expressions into a single expression.

For example, this expression uses the and operator to target requests to www.example.com that are not on ports 80 or 443:

http.host eq "www.example.com" and not cf.edge.server_port in {80 443}

Compound expressions have the following general syntax:

<expression> <logical-operator> <expression>

Compound expressions allow you to generate sophisticated, highly targeted firewall rules.
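To show how simple and compound expressions evaluate against a request, the following added example (not Cloudflare's code or engine) models a small subset of the grammar in Python and runs this page's two expressions against constructed requests. It assumes the precedence not > and > or, uses Python's re module in place of Cloudflare's regex engine, and writes the host field as http.host with a quoted value; tokenize, evaluate and the sample data are hypothetical names.

```python
import re

# Simplified model of the grammar described above; not Cloudflare's engine.
TOKEN = re.compile(r'"(?P<str>(?:[^"\\]|\\.)*)"|\{(?P<set>[^}]*)\}|(?P<word>[^\s{}"]+)')
COMPARE = {"eq": lambda a, v: a == v,
           "in": lambda a, v: a in v,
           "matches": lambda a, v: re.search(v, a) is not None}  # unanchored search

def tokenize(expr):
    atom = lambda t: int(t) if t.isdigit() else t
    toks = []
    for m in TOKEN.finditer(expr):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "set":
            text = {atom(t) for t in text.split()}
        toks.append((kind, atom(text) if kind == "word" else text))
    return toks

def evaluate(expr, request):
    toks, pos = tokenize(expr), 0
    def accept(word):  # consume a bare keyword if it is the next token
        nonlocal pos
        if pos < len(toks) and toks[pos] == ("word", word):
            pos += 1
            return True
        return False
    def simple():  # <field> <comparison-operator> <value>
        nonlocal pos
        (_, field), (_, op), (_, value) = toks[pos:pos + 3]
        pos += 3
        return COMPARE[op](request[field], value)
    def negation():  # "not" binds tighter than "and"
        return not negation() if accept("not") else simple()
    def conjunction():  # "and" binds tighter than "or"
        result = negation()
        while accept("and"):
            result = negation() and result  # parse the right side before combining
        return result
    result = conjunction()
    while accept("or"):
        result = conjunction() or result
    return result

# Constructed sample data: the page's two expressions and two made-up requests.
AUTODISCOVER = r'http.request.uri.path matches "/autodiscover\.(xml|src)$"'
ODD_PORT = 'http.host eq "www.example.com" and not cf.edge.server_port in {80 443}'
REQ_443 = {"http.host": "www.example.com", "http.request.uri.path": "/autodiscover/autodiscover.xml", "cf.edge.server_port": 443}
REQ_8443 = {"http.host": "www.example.com", "http.request.uri.path": "/login", "cf.edge.server_port": 8443}
```

The trailing $ in the Autodiscover pattern is what stops a path such as /autodiscover.xml.bak from matching, because matches searches anywhere in the field unless the pattern anchors itself.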

Grouping symbols and functions

The Firewall Rules language includes support for grouping symbols and functions. Each of these expands the power and flexibility of the language: