Cloudflare Integration

Updates (July 2025 to September 2025)

July 2025 — Cloudflare has deprecated its Firewall Rules and Filters APIs. As a result, Traceable has updated the Cloudflare integration to accommodate the new ruleset-based configuration. For more information, see Add New Cloudflare Integration.

Cloudflare WAF (Web Application Firewall) helps protect your applications and APIs from cybersecurity threats. Traceable integrates with Cloudflare’s WAF to block IP addresses and threat actors. As part of the integration, Traceable identifies the IP address that has violated a rule, such as rate limiting. Upon identification, Traceable sends these IP addresses to Cloudflare’s WAF, where you can view and edit them.

The following is a high-level diagram of Traceable’s integration with Cloudflare:

Traceable Cloudflare Integration Diagram

Integration Overview

This section provides high-level information on integrating Cloudflare WAF with your environment and managing threats.

Installation — Traceable provides you with the option to choose between agent-based or agentless deployment. To integrate Cloudflare WAF in your Traceable account, you must deploy an agent. For more information, see Installation.
Integration Setup — After deploying the agent, you can retrieve the credentials and configure the Cloudflare integration. To do so, you must complete the following steps:
1. Prerequisites — Log in to your Cloudflare account and fetch the required credentials for configuring the integration. For more information, see Before you Begin.
2. Fetch the Ruleset ID — Create a new ruleset for your Cloudflare account and use its ID for configuring the integration. For more information, see Fetch the Ruleset ID.
3. Add the Cloudflare Integration — Once you have the credentials from the above steps, you can navigate to the Traceable platform and configure the integration. For more information, see Add a New Cloudflare Integration.
Threat Management — After setting up the integration, you can set up rules to allow, block, or monitor IP addresses according to your requirements. Traceable supports the following rules for the Cloudflare integration:
1. Malicious Source Rules — You can set up Malicious Source rules to block unwanted IPs based on IP ranges. For more information, see Custom Policy.
2. Threat Actors’ Status Change — On the Threat Actors page, Traceable displays the IP addresses that pose a threat, where you can change the status of an actor to deny or suspend it. For more information, see Threat Actors.
3. Custom Signature Rules — You can set up Custom Signature rules to block incoming requests from a specific URL by matching the corresponding endpoints. For more information, see Custom Policy.
  Note
  Cloudflare only supports Custom Signature rules based on headers or parameters, where the corresponding keys are matched using the equals (=) operator.

Before you begin

Make a note of the following before you proceed with the integration:

Make sure you have the Authorization Email Address associated with your Cloudflare account.
Make sure you have the Domain name, for example, dc-traceable.com, from your Cloudflare account. This Domain name is used as the Zone while configuring the integration in the Traceable platform.
Make sure you have the Zone ID associated with the above Domain from your Cloudflare account. For more information, see Copy your Zone ID.
Make sure you have the API token associated with your Cloudflare account, along with the permissions specified below. For more information, see Create API token.

Note
If you wish to use an existing token, make sure you add the below permissions to the token.
Permission Category
Attribute
Access Type
Account
Account WAF
Edit
Account
Account Rulesets
Edit
Account
Rule Policies
Edit
Account
Account Filter Lists
Edit
Zone
Zone WAF
Edit
Zone
Firewall Services
Edit
The above permissions allow Traceable to communicate the IP addresses to Cloudflare and add or modify them in the future.

Permission Category	Attribute	Access Type
Account	Account WAF	Edit
Account	Account Rulesets	Edit
Account	Rule Policies	Edit
Account	Account Filter Lists	Edit
Zone	Zone WAF	Edit
Zone	Firewall Services	Edit

Setting up the Integration

To set up the Cloudflare integration in Traceable, complete the following steps:

Step 1 — Fetch the Ruleset ID

A ruleset in Cloudflare defines how and what traffic is to be allowed or filtered. Each ruleset is assigned a unique identifier known as the Ruleset ID. To integrate Cloudflare with your Traceable account, you must create a ruleset and fetch its ID. This ID is required while configuring the integration in the Traceable platform.

To create a ruleset, use the below API:

curl --location 'https://api.cloudflare.com/client/v4/zones/{zoneId}/rulesets' //Replace the <zoneId> placeholder with the value you retrieved from your Cloudflare account.
--header 'Content-Type: application/json' 
--header 'Authorization: Bearer <Bearer Token>' //Replace the <Bearer Token> placeholder with the value from the Authorization tab of your API tool
--data '{
      "kind": "zone",
      "name": "Traceable Ruleset",
      "phase": "http_request_firewall_custom",
      "description": "My ruleset to execute managed rulesets"
}'

The above API request returns the following response:

{
    "result": [
        
        {
            "description": "My ruleset to execute managed rulesets",
            "id": "10ff1234e82a4a0e91234fc9875e1b13",
            "kind": "zone",
            "last_updated": "2025-06-20T12:54:00.558586Z",
            "name": "Traceable Ruleset",
            "phase": "http_request_firewall_custom",
            "source": "firewall_custom",
            "version": "5"
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

From the above response, copy the value corresponding to the id field. This is required while configuring the Cloudflare integration in Traceable.

Step 2 — Add New Cloudflare Integration

To configure a new Cloudflare integration, navigate to the Integrations page from the bottom left corner of your Traceable account, and do one of the following:

Search for Cloudflare in the search bar.
Navigate to WAF → Cloudflare.

In the Cloudflare widget, click Configure, and in the Add New Cloudflare Integration window, complete the following steps:

Specify the Integration Name, for example, TraceableCloudflareIntegration.
(Optional) Specify a Description for the integration.
Select the Environment for which you wish to configure the integration, for example, fintech-app.
Select the Target(s). Based on your selection, you can create the corresponding rules in Protection.
Specify the Zone (Domain name) that you fetched from your Cloudflare account. For more information, see Before you begin.
Specify the Authorization Email where the above Zone is available. For more information, see Before you begin.
Specify the Ruleset ID you fetched in Step 1 above.
Specify the API Token associated with the above Cloudflare account. For more information, see Before you begin.
Click Test Connection. Upon validation, Traceable allows you to Save the integration.

Custom Signature Rules Support Matrix

Cloudflare supports the creation of custom signature rules based on various request attributes. You can use logical operators like AND and OR to combine multiple conditions and build advanced rule logic.

Note
Cloudflare supports all Traceable operations, including regular expression matching using the http.request.attribute matches regex_operation. However, regex-based matching is available only on Cloudflare Business and Enterprise plans.

The following are supported rule attributes and operators:

Attribute	Supported Operations	Description	Supported/Not Supported
Request URL	`[not] http.request.full_uri eq / contains / matches`	Matches the full request URL string.	Fully supported
Header Name	`[not] any(http.request.headers.names[*] eq / contains / matches)`	Matches the names of headers in the HTTP request.	Fully supported
Header Value	`[not] any(http.request.headers.values[] eq / contains / matches)any(...[][*])` for arrays	Matches the values of headers in the HTTP request.	Supports nested arrays; may be too granular for initial use.
HTTP Method	`[not] http.request.method eq / contains / matches`	Matches the HTTP method used in the request, such as GET or POST.	Fully supported
HTTP User-Agent	`[not] http.user_agent eq / contains / matches`	Matches the user-agent string in the request header.	Fully supported
HTTP Host	`[not] http.host eq / contains / matches`	Matches the host portion of the request URL.	Fully supported
HTTP Body	`[not] http.request.body.raw eq / contains / matches`	Matches the raw body content of the HTTP request.	Available only with WAF Advanced or Enterprise Application Security Core plans.
Specific Header Match	`any(http.request.headers["header-name"][*] == "value")`	Matches a specific header name with its value.	No support for dynamic name–value pair comparison.
Parameter Name + Value	`any(http.request.uri.args["param"][] == "value")any(http.request.body.form["param"][] == "value")`	Matches a specific parameter and its corresponding value in the URI or request body.	Fully supported
Parameter Name	`any(http.request.uri.args.names[*] == "param")any(http.request.body.form.names == "param")`	Matches parameter names in query strings or form data.	Fully supported
Parameter Value	`any(http.request.uri.args.values[*] == "value")any(http.request.body.form.values == "value")`	Matches parameter values in query strings or form data.	Fully supported
Regex Matching	`http.request.<attribute>.matches("regex")`	Matches the specified attribute using a regular expression.	Supported only in Business and Enterprise plans. Applies to most string-based attributes.