Cloudflare Integration

Updates (July 2025 to September 2025)
  • July 2025 — Cloudflare has deprecated its Firewall Rules and Filters APIs. As a result, Traceable has updated the Cloudflare integration to accommodate the new ruleset-based configuration. For more information, see Add New Cloudflare Integration.

Cloudflare WAF (Web Application Firewall) helps protect your applications and APIs from cybersecurity threats. Traceable integrates with Cloudflare’s WAF to block IP addresses and threat actors. As part of the integration, Traceable identifies the IP address that has violated a rule, such as rate limiting. Upon identification, Traceable sends these IP addresses to Cloudflare’s WAF, where you can view and edit them.

The following is a high-level diagram of Traceable’s integration with Cloudflare:

Traceable Cloudflare Integration Diagram



Integration Overview

This section provides high-level information on integrating Cloudflare WAF with your environment and managing threats.

  1. Installation — Traceable provides you with the option to choose between agent-based or agentless deployment. To integrate Cloudflare WAF in your Traceable account, you must deploy an agent. For more information, see Installation.

  2. Integration Setup — After deploying the agent, you can retrieve the credentials and configure the Cloudflare integration. To do so, you must complete the following steps:

    1. Prerequisites — Log in to your Cloudflare account and fetch the required credentials for configuring the integration. For more information, see Before you Begin.

    2. Fetch the Ruleset ID — Create a new ruleset for your Cloudflare account and use its ID for configuring the integration. For more information, see Fetch the Ruleset ID.

    3. Add the Cloudflare Integration — Once you have the credentials from the above steps, you can navigate to the Traceable platform and configure the integration. For more information, see Add a New Cloudflare Integration.

  3. Threat Management — After setting up the integration, you can set up rules to allow, block, or monitor IP addresses according to your requirements. Traceable supports the following rules for the Cloudflare integration:

    1. Malicious Source Rules — You can set up Malicious Source rules to block unwanted IPs based on IP ranges. For more information, see Custom Policy.

    2. Threat Actors’ Status Change — On the Threat Actors page, Traceable displays the IP addresses that pose a threat, where you can change the status of an actor to deny or suspend it. For more information, see Threat Actors.

    3. Custom Signature Rules — You can set up Custom Signature rules to block incoming requests from a specific URL by matching the corresponding endpoints. For more information, see Custom Policy.

      Note

      Cloudflare only supports Custom Signature rules based on headers or parameters, where the corresponding keys are matched using the equals (=) operator.


Before you begin

Make a note of the following before you proceed with the integration:

  • Make sure you have the Authorization Email Address associated with your Cloudflare account.

  • Make sure you have the Domain name, for example, dc-traceable.com, from your Cloudflare account. This Domain name is used as the Zone while configuring the integration in the Traceable platform.

  • Make sure you have the Zone ID associated with the above Domain from your Cloudflare account. For more information, see Copy your Zone ID.

  • Make sure you have the API token associated with your Cloudflare account, along with the permissions specified below. For more information, see Create API token.

    Note

    If you wish to use an existing token, make sure you add the below permissions to the token.

    | Permission Category | Attribute | Access Type |
    |---|---|---|
    | Account | Account WAF | Edit |
    | Account | Account Rulesets | Edit |
    | Account | Rule Policies | Edit |
    | Account | Account Filter Lists | Edit |
    | Zone | Zone WAF | Edit |
    | Zone | Firewall Services | Edit |

    The above permissions allow Traceable to communicate the IP addresses to Cloudflare and add or modify them in the future.


Setting up the Integration

To set up the Cloudflare integration in Traceable, complete the following steps:

  1. Fetch the Ruleset ID

  2. Add New Cloudflare Integration

Step 1 — Fetch the Ruleset ID

A ruleset in Cloudflare defines how and what traffic is to be allowed or filtered. Each ruleset is assigned a unique identifier known as the Ruleset ID. To integrate Cloudflare with your Traceable account, you must create a ruleset and fetch its ID. This ID is required while configuring the integration in the Traceable platform.

To create a ruleset, use the below API:

# Replace the <zoneId> placeholder with the value you retrieved from your Cloudflare account.
# Replace the <Bearer Token> placeholder with the value from the Authorization tab of your API tool.
curl --location 'https://api.cloudflare.com/client/v4/zones/<zoneId>/rulesets' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Bearer Token>' \
--data '{
      "kind": "zone",
      "name": "Traceable Ruleset",
      "phase": "http_request_firewall_custom",
      "description": "My ruleset to execute managed rulesets"
}'

The above API request returns the following response:

{
    "result": [
        {
            "description": "My ruleset to execute managed rulesets",
            "id": "10ff1234e82a4a0e91234fc9875e1b13",
            "kind": "zone",
            "last_updated": "2025-06-20T12:54:00.558586Z",
            "name": "Traceable Ruleset",
            "phase": "http_request_firewall_custom",
            "source": "firewall_custom",
            "version": "5"
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

From the above response, copy the value corresponding to the id field. This is required while configuring the Cloudflare integration in Traceable.
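Before copying the ID, it helps to confirm that the call succeeded and that the ID belongs to the zone-level ruleset in the custom firewall phase. The following is an added example, not Traceable's or Cloudflare's code: extract_ruleset_id is a hypothetical helper, the sample body is constructed from the response above, and the 32-character hexadecimal ID format and the code/message error fields are assumptions about Cloudflare's response envelope.

```python
import json
import re

# Constructed sample: the response shown above, reduced to the fields checked here.
SAMPLE_RESPONSE = """{
  "result": [
    {"id": "10ff1234e82a4a0e91234fc9875e1b13", "kind": "zone",
     "name": "Traceable Ruleset", "phase": "http_request_firewall_custom"}
  ],
  "success": true, "errors": [], "messages": []
}"""

EXPECTED_PHASE = "http_request_firewall_custom"
RULESET_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumption: IDs are 32 lowercase hex chars


def extract_ruleset_id(body: str, name: str = "Traceable Ruleset") -> str:
    """Return the id of the zone ruleset called `name`, or raise ValueError."""
    doc = json.loads(body)
    if not doc.get("success"):
        # Assumption: failures arrive as a list of {"code": ..., "message": ...} objects.
        details = "; ".join(
            f'{e.get("code")}: {e.get("message")}' for e in doc.get("errors", []))
        raise ValueError(f"Cloudflare API call failed: {details or 'no error details'}")
    result = doc.get("result")
    # The response above wraps the ruleset in a list; accept a single object as well.
    rulesets = result if isinstance(result, list) else [result]
    matches = [r for r in rulesets
               if isinstance(r, dict) and r.get("name") == name
               and r.get("kind") == "zone" and r.get("phase") == EXPECTED_PHASE]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one matching ruleset, found {len(matches)}")
    ruleset_id = matches[0].get("id", "")
    if not RULESET_ID_RE.fullmatch(ruleset_id):
        raise ValueError(f"unexpected ruleset id format: {ruleset_id!r}")
    return ruleset_id


if __name__ == "__main__":
    print(extract_ruleset_id(SAMPLE_RESPONSE))
```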


Step 2 — Add New Cloudflare Integration

To configure a new Cloudflare integration, navigate to the Integrations page from the bottom left corner of your Traceable account, and do one of the following:

  • Search for Cloudflare in the search bar.

  • Navigate to WAF → Cloudflare.

Cloudflare Integration Widget


In the Cloudflare widget, click Configure, and in the Add New Cloudflare Integration window, complete the following steps:

Add New Cloudflare Integration


  1. Specify the Integration Name, for example, TraceableCloudflareIntegration.

  2. (Optional) Specify a Description for the integration.

  3. Select the Environment for which you wish to configure the integration, for example, fintech-app.

  4. Select the Target(s). Based on your selection, you can create the corresponding rules in Protection.

  5. Specify the Zone (Domain name) that you fetched from your Cloudflare account. For more information, see Before you begin.

  6. Specify the Authorization Email where the above Zone is available. For more information, see Before you begin.

  7. Specify the Ruleset ID you fetched in Step 1 above.

  8. Specify the API Token associated with the above Cloudflare account. For more information, see Before you begin.

  9. Click Test Connection. Upon validation, Traceable allows you to Save the integration.


Custom Signature Rules Support Matrix

Cloudflare supports the creation of custom signature rules based on various request attributes. You can use logical operators like AND and OR to combine multiple conditions and build advanced rule logic.

Note

Cloudflare supports all Traceable operations, including regular expression matching using the http.request.attribute matches regex_operation. However, regex-based matching is available only on Cloudflare Business and Enterprise plans.

The following are supported rule attributes and operators:

| Attribute | Supported Operations | Description | Supported/Not Supported |
|---|---|---|---|
| Request URL | [not] http.request.full_uri eq / contains / matches | Matches the full request URL string. | Fully supported |
| Header Name | [not] any(http.request.headers.names[*] eq / contains / matches) | Matches the names of headers in the HTTP request. | Fully supported |
| Header Value | [not] any(http.request.headers.values[*] eq / contains / matches); any(...[*][*]) for arrays | Matches the values of headers in the HTTP request. | Supports nested arrays; may be too granular for initial use. |
| HTTP Method | [not] http.request.method eq / contains / matches | Matches the HTTP method used in the request, such as GET or POST. | Fully supported |
| HTTP User-Agent | [not] http.user_agent eq / contains / matches | Matches the user-agent string in the request header. | Fully supported |
| HTTP Host | [not] http.host eq / contains / matches | Matches the host portion of the request URL. | Fully supported |
| HTTP Body | [not] http.request.body.raw eq / contains / matches | Matches the raw body content of the HTTP request. | Available only with WAF Advanced or Enterprise Application Security Core plans. |
| Specific Header Match | any(http.request.headers["header-name"][*] == "value") | Matches a specific header name with its value. | No support for dynamic name–value pair comparison. |
| Parameter Name + Value | any(http.request.uri.args["param"][*] == "value"); any(http.request.body.form["param"][*] == "value") | Matches a specific parameter and its corresponding value in the URI or request body. | Fully supported |
| Parameter Name | any(http.request.uri.args.names[*] == "param"); any(http.request.body.form.names == "param") | Matches parameter names in query strings or form data. | Fully supported |
| Parameter Value | any(http.request.uri.args.values[*] == "value"); any(http.request.body.form.values == "value") | Matches parameter values in query strings or form data. | Fully supported |
| Regex Matching | http.request.<attribute>.matches("regex") | Matches the specified attribute using a regular expression. | Supported only in Business and Enterprise plans. Applies to most string-based attributes. |
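To show how the name and value rows of the matrix combine with AND and OR, and why a match value has to be escaped before it is placed inside a quoted literal, here is an added example that is not Traceable's code. The helpers quote, condition and combine and the sample values are hypothetical; the escaping of backslash and double quote and the lowercasing of header names follow Cloudflare's documented rules-language behaviour.

```python
# Field names copied from the support matrix; the key is a header or parameter name.
FIELDS = {
    "header": "http.request.headers",
    "query_param": "http.request.uri.args",
    "form_param": "http.request.body.form",
}


def quote(value: str) -> str:
    """Return value as a quoted string literal with backslash and double quote escaped."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control characters are not allowed in a rule literal")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def condition(kind: str, key: str, value: str, negate: bool = False) -> str:
    """Render one name + value match, e.g. any(http.request.uri.args["k"][*] == "v")."""
    if kind not in FIELDS:
        raise ValueError(f"unsupported attribute kind: {kind!r}")
    if kind == "header":
        key = key.lower()  # header names are exposed in lowercase in this field
    expr = f"any({FIELDS[kind]}[{quote(key)}][*] == {quote(value)})"
    return f"not {expr}" if negate else expr


def combine(operator: str, *expressions: str) -> str:
    """Join rendered expressions with and/or, parenthesised so nesting stays unambiguous."""
    if operator not in ("and", "or"):
        raise ValueError(f"unsupported logical operator: {operator!r}")
    if not expressions:
        raise ValueError("at least one expression is required")
    if len(expressions) == 1:
        return expressions[0]
    return "(" + f" {operator} ".join(expressions) + ")"


if __name__ == "__main__":
    # Constructed sample values; the last one contains quotes that must stay inside the literal.
    rule = combine(
        "and",
        condition("header", "X-Client-Id", "legacy-sdk"),
        combine("or",
                condition("query_param", "debug", "1"),
                condition("form_param", "note", 'say "hi"')),
    )
    print(rule)
```

Without the escaping in quote, a value containing a double quote would end the literal early and change the logic of the rule that reaches the WAF.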