Write and test Cloudflare WAF custom rule expressions using the Ruleset Engine

Verified steps

1. Understand the expression language: Cloudflare WAF custom rules use Wireshark-style filter expressions evaluated against HTTP request fields; key fields include http.request.uri.path, http.request.method, ip.src, http.user_agent, cf.bot_management.score, and http.request.headers.
2. Combine fields with operators (eq, contains, matches for regex, in for sets) and logical connectives (and, or, not); parentheses control evaluation order—for example: (http.request.uri.path contains "/admin" and not ip.src in {YOUR_CIDR_LIST}).
3. Deploy rules to a zone via the Rulesets API: POST to /zones/{zone_id}/rulesets/{ruleset_id}/rules with a JSON body containing the expression string in the expression field and the action (block, challenge, skip, log, js_challenge, or managed_challenge) in the action field.
4. Use the log action first when introducing a new rule to observe matching traffic without blocking; review Firewall Events in the dashboard or Security Analytics to confirm the rule targets only intended traffic before switching to block.
5. Add a description field to every rule and use a consistent naming convention; rules within a phase execute in order—set the position field in the API payload (before, after, or index) to control evaluation sequence relative to managed rulesets.
6. Test expressions in the Cloudflare dashboard Expression Builder before deploying via API; the UI validates syntax and shows a preview of matched sample traffic.