Cloudflare Sensitive Data Detection

The Cloudflare Sensitive Data Detection managed ruleset helps identify data leaks generated by your origin servers. Its rules run on the body of the response looking for patterns of common sensitive data, including:

Personally identifiable information ↗ (PII) — For example, passport numbers.
Financial information — For example, credit card numbers.
Secrets — For example, API keys.

Turning on Cloudflare Sensitive Data Detection will not introduce additional latency, since the detection occurs outside the response path. For this reason, rules are always deployed with the Log action (you cannot block a response that was already sent), providing you with visibility on the sensitive data leaving your origin servers.

Additional remarks

When turned on, Cloudflare Sensitive Data Detection will check all responses sent to visitors (according to your custom filter expression, if defined), including responses from cache and responses handled by Workers.

The detection will handle text, HTML, JSON, and XML content in the response up to 1 MB.

Currently, Cloudflare Sensitive Data Detection does not support matched payload logging.

Deploy the Cloudflare Sensitive Data Detection ruleset

In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings
(Optional) Filter by Web application exploits.
Turn on Sensitive data detection to deploy the ruleset.

Configure in the dashboard

You can configure (or override) the Cloudflare Sensitive Data Detection ruleset at several levels:

More specific configurations (rule and tag level) have greater priority than less specific configurations (ruleset level). Refer to Override a managed ruleset in the Ruleset Engine documentation for more information.

Ruleset-level configuration

You can configure (or override) the following Cloudflare Sensitive Data Detection setting in the Cloudflare dashboard:

Scope: When you define a custom filter expression for the scope, the Cloudflare Sensitive Data Detection ruleset applies only to a subset of the incoming requests. By default, a managed ruleset deployed in the dashboard applies to all incoming traffic.

Once you have deployed the Cloudflare Sensitive Data Detection ruleset, do the following to configure it in the dashboard:

In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings
(Optional) Filter by Web application exploits.
For Sensitive data detection, select Configured ruleset: <SCOPE> to edit the ruleset scope.
Decide if you want to apply the managed ruleset to all incoming requests (global scope) or to a subset.
If you selected Custom filter expression, define the filter expression that will determine which requests the Cloudflare Sensitive Data Detection ruleset will apply to.
Select Next, and then select Save.

Tag-level configuration

You can configure (or override) the following setting in the dashboard for rules tagged with at least one of the selected tags:

Rule status: Sets the rule status for all the rules with the selected tags.

Once you have deployed the Cloudflare Sensitive Data Detection ruleset, do the following to configure rules with specific tags in the dashboard:

In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings
(Optional) Filter by Web application exploits.
For Sensitive data detection, select Configured ruleset: <SCOPE>, and then select Next.
Select Browse rules.

Select one or more tags under the search input to filter the rules with those tags, and then select the checkbox in the top left corner of the table to select all the rules shown in the current page.
If not all the rules are displayed in the current page, extend your selection to all rules with the selected tags across all pages by selecting Select all <NUMBER> rules.
Update one or more settings for the selected rules using the buttons displayed in the top right corner of the table (for example, Set status).
Select Next.
A dialog appears asking you if any new rules with the selected tags should be configured with the field values you selected.
- Select Include new rules if you want to apply your configurations to any new rules with the select tags.
- Select Only selected rules to apply your configurations to the selected rules only.
Select Save.

Rule-level configuration

You can configure (or override) the following setting in the dashboard for the selected rules:

Rule status: Sets the status (enabled or disabled) of a single rule or, if you select multiple rules, for the selected rules.

Once you have deployed the Cloudflare Sensitive Data Detection ruleset, do the following to configure individual ruleset rules in the dashboard:

In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings
(Optional) Filter by Web application exploits.
For Sensitive data detection, select Configured ruleset: <SCOPE>, and then select Next.
Select Browse rules.

Search for rules using the available filters.
In the results list, change the values for each rule as desired, using the displayed drop-down lists and toggles. For example, change the status of a rule using the Status toggle next to the rule.

To configure multiple rules with the same value, select the checkboxes for all the rules you want to configure. If not all the rules are displayed in the current page, you can extend your selection to all rules across all pages by selecting Select all <NUMBER> rules. Then, use the buttons displayed in the top right corner of the table — for example, Set status — to update one or more fields for the selected rules.
Select Next, and then select Save.

Configure via API

To deploy the Cloudflare Sensitive Data Detection ruleset for a given zone using the API, create a rule with execute action in the entry point ruleset for the http_response_firewall_managed phase.

Example

This example deploys the Cloudflare Sensitive Data Detection ruleset to the http_response_firewall_managed phase of a given zone ($ZONE_ID) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.

Invoke the Get a zone entry point ruleset operation to obtain the definition of the entry point ruleset for the http_response_firewall_managed phase. You will need the zone ID for this task.

curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_response_firewall_managed/entrypoint" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "result": {
    "description": "Zone-level phase entry point (response)",
    "id": "<RULESET_ID>",
    "kind": "zone",
    "last_updated": "2024-03-16T15:40:08.202335Z",
    "name": "zone",
    "phase": "http_response_firewall_managed",
    "rules": [
      // ...
    ],
    "source": "firewall_managed",
    "version": "10"
  },
  "success": true,
  "errors": [],
  "messages": []
}

If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create a zone ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e). By default, the rule will be added at the end of the list of rules already in the ruleset.

curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "action": "execute",
    "action_parameters": {
        "id": "e22d83c647c64a3eae91b71b499d988e"
    },
    "expression": "true",
    "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
  }'

{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point (response)",
    "description": "",
    "kind": "zone",
    "version": "11",
    "rules": [
      // ... any existing rules
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "e22d83c647c64a3eae91b71b499d988e",
          "version": "latest"
        },
        "expression": "true",
        "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
        "last_updated": "2024-03-18T18:08:14.003361Z",
        "ref": "<RULE_REF>",
        "enabled": true
      }
    ],
    "last_updated": "2024-03-18T18:08:14.003361Z",
    "phase": "http_response_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create a zone ruleset operation. Include a single rule in the rules array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e) for all incoming requests in the zone.

curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "My ruleset",
    "description": "Entry point ruleset for WAF managed rulesets (response)",
    "kind": "zone",
    "phase": "http_response_firewall_managed",
    "rules": [
        {
            "action": "execute",
            "action_parameters": {
                "id": "e22d83c647c64a3eae91b71b499d988e"
            },
            "expression": "true",
            "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
        }
    ]
  }'

Next steps

To configure the Cloudflare Sensitive Data Detection managed ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:

Disable individual rules by creating rule overrides.

For examples of creating overrides using the API, refer to Override a managed ruleset.

More resources

For more information on working with managed rulesets via API, refer to Work with managed rulesets in the Ruleset Engine documentation.

Review detected leaks

To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following:

Regularly check Security Events for any events generated by the managed ruleset.
Configure WAF alerts to be alerted of any spike of WAF events. For the Advanced Security Events Alert, you can filter by one or more domains on Enterprise plans and by the Data Loss Protection service to receive specific alerts about Sensitive Data Detection.

Was this helpful?

Community
X
Discord
YouTube
GitHub