Custom rules
Custom rules allow you to control incoming traffic by filtering requests to a zone. They work as customized web application firewall (WAF) rules that you can use to perform actions like Block or Managed Challenge on incoming requests. You can also use the Skip action in a custom rule to skip one or more Cloudflare security features.
In the new security dashboard, custom rules are one of the available types of security rules. Security rules perform security-related actions on incoming requests that match specified filters.
Like other rules evaluated by Cloudflare's Ruleset Engine, custom rules have the following basic parameters:
- An expression that specifies the criteria you are matching traffic on using the Rules language.
- An action that specifies what to perform when there is a match for the rule.
Custom rules are evaluated in order, and some actions like Block will stop the evaluation of other rules. For more details on actions and their behavior, refer to the actions reference.
To define sets of custom rules that apply to more than one zone, use custom rulesets, which require an Enterprise plan with a paid add-on.
| Free | Pro | Business | Enterprise | |
|---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
Number of rules | 5 | 20 | 100 | 1,000 |
Supported actions | All except Log | All except Log | All except Log | All |
Regex support | No | No | Yes | Yes |
Custom rulesets | No | No | No | Paid add-on |
Refer to the following pages for instructions on creating custom rules:
- Create a custom rule in the dashboard
- Create a custom rule via API
- WAF custom rules configuration using Terraform
For examples of using custom rules to address common use cases, refer to Common use cases.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark