Obtain a Cloudflare API token with the Zone WAF Edit permission (Zone > Zone WAF > Edit) scoped to the target zone only; use a scoped token rather than the Global API Key, which carries every permission on the account and cannot be narrowed
List the zone's rulesets with GET /client/v4/zones/ZONE_ID/rulesets and pick the entry whose kind is "zone" and whose phase is "http_request_firewall_custom"; that is the custom WAF ruleset whose ID the rule endpoints take (managed rulesets and the managed-phase entrypoint appear in the same listing, so filter on kind and phase, not on name). A zone with no custom rules yet has no such ruleset; create it with PUT /client/v4/zones/ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint
Add a rule with POST /client/v4/zones/ZONE_ID/rulesets/RULESET_ID/rules, which appends to the rules array without touching existing rules; each rule object carries an expression (the Cloudflare Rules language, based on Wireshark display-filter syntax), an action (block, challenge, js_challenge, managed_challenge, log or skip; skip also requires action_parameters saying what to skip), and optionally a description and an enabled flag (true when omitted). Change or remove a single rule with PATCH or DELETE on /client/v4/zones/ZONE_ID/rulesets/RULESET_ID/rules/RULE_ID
Test new rules with action set to log first (log is non-terminating and never affects the request; on custom rules it is available to Enterprise zones), watch matching requests under Security > Events, then switch the rule to block or a challenge with a PATCH on that rule once the matches look right
Order rules deliberately; within the custom rules phase Cloudflare evaluates them top to bottom and the first matching rule with a terminating action (block, any challenge, skip) decides the outcome, while log is non-terminating and evaluation continues past it. A POSTed rule lands at the end of the array unless the request body includes a position object (before or after a rule ID, or an index)
Use Rules language fields (http.request.uri.path, http.request.headers["name"], ip.src.country, which replaces the deprecated ip.geoip.country, cf.threat_score, now deprecated, etc.) to write precise match conditions; set membership uses space-separated braces, e.g. ip.src.country in {"US" "CA"}
Known gotchas
A PUT to /client/v4/zones/ZONE_ID/rulesets/RULESET_ID replaces the whole ruleset, including its rules array; any rule missing from the body is deleted. Add, change or remove one rule with POST .../rules, PATCH .../rules/RULE_ID or DELETE .../rules/RULE_ID instead; if you must PUT, GET the ruleset first and resend the complete rules array with your change applied
Custom rules run before Cloudflare's managed rulesets, not after: the http_request_firewall_custom phase is evaluated ahead of http_request_firewall_managed, so a custom block or challenge wins regardless of what managed rules would have decided. To exempt traffic from managed rules, add a custom rule with action skip and action_parameters naming the managed phase ("phases": ["http_request_firewall_managed"]) or specific managed rulesets and rules, placed where it matches before any terminating custom rule
An expression that fails to parse causes the whole request to be rejected with a validation error in the response's errors array and nothing is saved; test expressions in the Cloudflare dashboard's expression builder before deploying via API, and read the errors array rather than just the HTTP status when a call fails
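The procedure above and the gotchas, as one added example that is not Cloudflare's own code: it picks the custom ruleset by kind and phase, adds a rule with POST (never a ruleset PUT), stages it in log mode, builds a skip rule for the managed phase, and surfaces the API's errors array on a rejected expression. Only the public Rulesets API paths named on this page are used; the helper names, the sample listing response, its fake IDs and the environment variable names are assumptions for illustration.

```python
"""Add a WAF custom rule safely: find the custom ruleset, POST the rule in log
mode, promote it after review. Added example; helper names and sample data are
assumptions, not Cloudflare code."""
import json
import os
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
CUSTOM_PHASE = "http_request_firewall_custom"    # custom rules; evaluated first
MANAGED_PHASE = "http_request_firewall_managed"  # WAF managed rules; evaluated after
ACTIONS = {"block", "challenge", "js_challenge", "managed_challenge", "log", "skip"}

# Constructed sample of a GET /zones/{zone_id}/rulesets response, trimmed to the
# fields used below. The IDs are fake.
SAMPLE_LIST_RESPONSE = {
    "success": True,
    "errors": [],
    "result": [
        {"id": "11111111111111111111111111111111", "kind": "zone",
         "phase": MANAGED_PHASE, "name": "zone"},
        {"id": "22222222222222222222222222222222", "kind": "zone",
         "phase": CUSTOM_PHASE, "name": "default"},
        {"id": "33333333333333333333333333333333", "kind": "managed",
         "phase": MANAGED_PHASE, "name": "Cloudflare Managed Ruleset"},
    ],
}


def find_custom_ruleset_id(list_response):
    """Return the zone entrypoint ruleset of the custom phase. Managed rulesets
    and the managed-phase entrypoint share the listing, so filter on kind and
    phase, not on name."""
    if not list_response.get("success"):
        raise RuntimeError(f"API error: {list_response.get('errors')}")
    ids = [r["id"] for r in list_response["result"]
           if r.get("kind") == "zone" and r.get("phase") == CUSTOM_PHASE]
    if len(ids) != 1:
        raise LookupError(f"expected one custom ruleset, found {len(ids)}")
    return ids[0]


def make_rule(expression, action, description, enabled=True, action_parameters=None):
    """Build one rule object for the rules array; skip must say what it skips."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "skip" and not action_parameters:
        raise ValueError("skip needs action_parameters (phases, rulesets or rules)")
    rule = {"expression": expression, "action": action,
            "description": description, "enabled": enabled}
    if action_parameters:
        rule["action_parameters"] = action_parameters
    return rule


def staged_copy(rule):
    """Same rule with action log for the observe-first step. log is
    non-terminating, so it never changes a request's fate."""
    staged = dict(rule)
    staged["action"] = "log"
    staged.pop("action_parameters", None)  # only skip carries parameters
    return staged


def skip_managed_for(expression, description):
    """Exempt matching requests from WAF managed rules. Custom rules run before
    the managed phase, so a skip naming that phase short-circuits it."""
    return make_rule(expression, "skip", description,
                     action_parameters={"phases": [MANAGED_PHASE]})


def call(method, path, token, body=None):
    """Authenticated API call that returns Cloudflare's errors array (for
    example a rejected expression) instead of a bare HTTP 400."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        payload = json.load(err)  # error responses are JSON with success=false
    if not payload.get("success"):
        raise RuntimeError(f"{method} {path} failed: {payload.get('errors')}")
    return payload


def add_rule_in_log_mode(zone_id, rule, token):
    """POST the staged rule (a ruleset PUT would replace every rule).
    Returns (ruleset_id, rule_id); the response is the updated ruleset and the
    new rule is appended last because no position object is sent."""
    ruleset_id = find_custom_ruleset_id(call("GET", f"/zones/{zone_id}/rulesets", token))
    result = call("POST", f"/zones/{zone_id}/rulesets/{ruleset_id}/rules",
                  token, staged_copy(rule))["result"]
    return ruleset_id, result["rules"][-1]["id"]


def promote_rule(zone_id, ruleset_id, rule_id, rule, token):
    """After reviewing security events, switch the staged rule to its real action."""
    return call("PATCH", f"/zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}",
                token, rule)


if __name__ == "__main__":
    # Live run only with a zone-scoped token carrying Zone WAF:Edit (assumed env names).
    token, zone = os.environ.get("CLOUDFLARE_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    rule = make_rule('http.request.uri.path contains "/wp-login.php" '
                     'and not ip.src.country in {"US" "CA"}',
                     "managed_challenge", "Challenge foreign wp-login attempts")
    if token and zone:
        rs_id, r_id = add_rule_in_log_mode(zone, rule, token)
        print(f"staged rule {r_id} in ruleset {rs_id}; promote_rule() after review")
    else:
        print(json.dumps(staged_copy(rule), indent=2))
```

Without credentials the script only prints the staged rule body; with them it creates the rule in log mode and leaves promotion to a deliberate second call, which is the point of the log-first step.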