This test sends a crafted query string to simulate an XSS attack: the Referer header comes from a malicious domain and the query carries a script payload, so the expected result is an HTTP 403 (blocked) response. By default, with the Cloudflare Managed Ruleset or the OWASP Core Ruleset enabled, Cloudflare's rules engine will block such attacks. In this case I also have a custom rule that inspects the URI Query String field with the 'contains' operator and a value resembling script content. Additionally, this example shows an embedded preview of Cloudflare's custom block page.
This test sends repeated requests to this page to trigger an HTTP 429 (rate limited) response code, which validates the Cloudflare Rate Limiting control. On the Cloudflare Dashboard, I have a Security Rule with the Field set to URI Path, the Operator set to Equals and the Value set to this page's path, /cf-app-security-test. I'm using IP as the counting characteristic, but other characteristics can be used. When the rate exceeds 5 requests in a period of 10 seconds, the WAF blocks the source. You will see status 200 (success) for the first 5 requests and status 429 (rate limited) for every subsequent request. Once the rate is exceeded, the WAF keeps blocking that source for 60 seconds; other mitigation timeouts can be configured.
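To make the expected behaviour of the two rules above concrete, here is an added Python model of how the WAF decides on each request. It is an illustrative simulation written for this page, not Cloudflare's own engine or rule syntax: the custom rule is modelled as a case-insensitive check of the query string against a constructed list of script-like markers (returning 403), and the rate limit as a per-IP sliding window of 5 requests per 10 seconds on /cf-app-security-test with a 60-second mitigation timeout (returning 429). The clock is passed in explicitly so the sample traffic, which is constructed, runs deterministically offline.

```python
from collections import deque

# Values taken from the rules described on this page
RATE_LIMIT_PATH = "/cf-app-security-test"
RATE_LIMIT_REQUESTS = 5       # requests allowed per period
RATE_LIMIT_PERIOD = 10.0      # seconds in the counting window
MITIGATION_TIMEOUT = 60.0     # seconds the source stays blocked

# Assumed script-like markers for the "URI Query String contains ..." rule;
# the page only says "a value resembling script content"
XSS_MARKERS = ("<script", "javascript:", "onerror=")


class WafSimulator:
    """Minimal model of custom-rule matching followed by per-IP rate limiting."""

    def __init__(self):
        self.history = {}        # ip -> deque of request timestamps in the window
        self.blocked_until = {}  # ip -> time at which the mitigation expires

    def handle(self, ip, path, query, now):
        # Rule 1: custom rule on the query string -> 403, evaluated first
        if any(marker in query.lower() for marker in XSS_MARKERS):
            return 403

        # Rule 2: rate limit on the test path, counted per client IP
        if path == RATE_LIMIT_PATH:
            until = self.blocked_until.get(ip)
            if until is not None:
                if now < until:
                    return 429           # still inside the 60 s mitigation
                del self.blocked_until[ip]   # mitigation expired: start fresh
                self.history[ip].clear()

            window = self.history.setdefault(ip, deque())
            window.append(now)
            # drop timestamps that have fallen out of the 10 s window
            while window and now - window[0] >= RATE_LIMIT_PERIOD:
                window.popleft()
            if len(window) > RATE_LIMIT_REQUESTS:
                self.blocked_until[ip] = now + MITIGATION_TIMEOUT
                return 429

        return 200


def run_scenario():
    """Replay constructed traffic and return the status code for each request."""
    waf = WafSimulator()
    statuses = []
    client, other = "203.0.113.7", "198.51.100.9"   # constructed documentation IPs

    # A script-looking query is blocked by the custom rule regardless of rate
    statuses.append(waf.handle(client, RATE_LIMIT_PATH, "q=<script>alert(1)</script>", 0.0))

    # Seven requests one second apart: the first five pass, the rest are rate limited
    for i in range(7):
        statuses.append(waf.handle(client, RATE_LIMIT_PATH, "q=hello", 1.0 + i))

    # A different IP is counted separately and is not affected
    statuses.append(waf.handle(other, RATE_LIMIT_PATH, "", 5.0))

    # 40 s in, the first client is still inside its 60 s mitigation window
    statuses.append(waf.handle(client, RATE_LIMIT_PATH, "", 40.0))

    # Once the mitigation has expired, counting starts again and the request passes
    statuses.append(waf.handle(client, RATE_LIMIT_PATH, "", 70.0))
    return statuses


if __name__ == "__main__":
    print(run_scenario())   # [403, 200, 200, 200, 200, 200, 429, 429, 200, 429, 200]
```

The order of evaluation matters: the 403 from the custom rule is returned before the request is counted, so a blocked payload does not consume rate-limit budget, while a client pacing requests more than 10 seconds apart never trips the limit at all.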
Coming soon: Test bot detection using fake user agents, automation headers, or rapid-fire scripts.
Coming soon: Observe how requests from flagged IPs or proxies are treated. Useful for testing threat intelligence integrations.