Wirefilter

Wirefilter is a powerful expression language used in our Web Application Firewall (WAF) to define complex rules and conditions for request filtering. It provides a flexible and intuitive way to create security rules based on various request attributes.

Overview

Wirefilter is a domain-specific language designed for:

  • HTTP request filtering
  • IP-based rules
  • Header-based conditions
  • Path and query string matching
  • Geographic location filtering

Basic Syntax

Operators

  • Comparison: eq, ne, gt, lt, ge, le
  • Logical: and, or, not
  • String: contains, starts_with, ends_with
  • List: in, not in

Examples

# Simple comparison
rule: (ip.src.country eq "US")

# Logical combinations
rule: (http.request.method eq "POST" and ip.src.country eq "FR")

# String matching
rule: (http.request.uri.path contains "/admin")

# List operations
rule: (ip.src in cidr("192.168.0.0/24"))

Supported Functions

| Function | Description | Example |
|---|---|---|
| cidr() | Check if IP is in CIDR range | ip.src in cidr("192.168.0.0/24") |
| contains() | Check if string contains substring | http.request.uri.path contains "/admin" |
| starts_with() | Check if string starts with prefix | http.request.uri.path starts_with "/api" |
| ends_with() | Check if string ends with suffix | http.request.uri.path ends_with ".php" |

Limitations

While Wirefilter is powerful, there are some limitations to be aware of:

  1. Function Support
       • Not all Cloudflare Wirefilter functions are supported
       • Some advanced functions may be unavailable
       • Custom functions are not supported

  2. Field Differences
       • Our implementation supports a subset of fields
       • Some fields may have different names or behaviors
       • Please refer to our WAF Rules documentation for supported fields

  3. Performance Considerations
       • Complex rules may impact performance
       • Avoid overly complex logical combinations
       • Use specific conditions over broad matches

Best Practices

  1. Rule Organization
       • Keep rules simple and focused
       • Use meaningful names for rules
       • Document complex rule logic

  2. Performance
       • Use specific conditions when possible
       • Avoid unnecessary complex expressions
       • Test rules in staging before production

  3. Security
       • Start with logging before blocking
       • Use specific conditions over broad matches
       • Regularly review and update rules

Additional Resources

Example Use Cases

# Block specific user agents
rule: (http.request.headers["user-agent"] contains "bad-bot")

# Protect admin paths
rule: (http.request.uri.path contains "/admin" and ip.src.country ne "US")

# Block specific HTTP methods
rule: (http.request.method eq "PUT" or http.request.method eq "DELETE")

# Geographic restrictions
rule: (ip.src.country in ["RU", "CN", "IR"])
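
Added example (not this product's engine or code): a small offline evaluator for part of the syntax shown on this page (eq, ne, the string operators, in with cidr() or a list, and/or, parentheses), used to dry-run the "Protect admin paths" rule against constructed requests in the spirit of "start with logging before blocking" and "use specific conditions over broad matches". It assumes case-sensitive string matching and that `and` binds tighter than `or`; `evaluate`, `dry_run`, the sample requests and the `starts_with "/admin/"` variant are hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

TOKENS = re.compile(r'cidr\("[^"]*"\)|\[[^\]]*\]|"[^"]*"|[\w.]+|[()]')
OPS = {  # assumption: exact, case-sensitive string matching
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "starts_with": str.startswith, "ends_with": str.endswith,
}

def evaluate(rule, req):
    """Evaluate one expression against a flat dict of request fields."""
    toks = TOKENS.findall(rule)
    def chain(word, operand, combine):  # left-assoc: a <word> b <word> c
        val = operand()
        while toks[:1] == [word]:
            toks.pop(0)
            val = combine([operand(), val])
        return val
    def expr():  # assumption: "and" binds tighter than "or"
        return chain("or", lambda: chain("and", atom, all), any)
    def atom():
        tok = toks.pop(0)
        if tok == "(":
            val = expr()
            toks.pop(0)  # closing ")"
            return val
        op, arg = toks.pop(0), toks.pop(0)  # tok is the field name
        if arg.startswith("cidr("):
            return ip_address(req[tok]) in ip_network(arg[6:-2])
        if arg.startswith("["):
            return req[tok] in re.findall(r'"([^"]*)"', arg)
        return OPS[op](req[tok], arg.strip('"'))
    return expr()

def dry_run(rule, requests):
    """Log-only pass: paths the rule would have matched; nothing is blocked."""
    return [r["http.request.uri.path"] for r in requests if evaluate(rule, r)]

# Constructed sample traffic (not real logs): path, source IP, country.
FIELDS = ("http.request.uri.path", "ip.src", "ip.src.country")
REQUESTS = [dict(zip(FIELDS, row)) for row in [
    ("/admin/users", "203.0.113.7", "FR"),
    ("/blog/admin-tips", "198.51.100.4", "DE"),
    ("/admin/login", "192.168.0.15", "US"),
]]
# The page's rule, and a hypothetical narrower variant of it.
BROAD = '(http.request.uri.path contains "/admin" and ip.src.country ne "US")'
SPECIFIC = '(http.request.uri.path starts_with "/admin/" and ip.src.country ne "US")'
```

On this sample, `dry_run(BROAD, REQUESTS)` also reports `/blog/admin-tips`, a path that merely contains the substring, while `dry_run(SPECIFIC, REQUESTS)` reports only `/admin/users`.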