Skip to content
Cloudflare Docs

Cloudflare Exposed Credentials Check Managed Ruleset

The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials.

The managed ruleset includes rules for the following CMS applications:

  • WordPress
  • Joomla
  • Drupal
  • Ghost
  • Plone
  • Magento

Additionally, this managed ruleset also includes generic rules for other common patterns:

  • Check forms submitted using a POST request containing username and password arguments
  • Check credentials sent as JSON with email and password keys
  • Check credentials sent as JSON with username and password keys

The default action for the rules in managed ruleset is Exposed-Credential-Check Header (named rewrite in the API and in Security Events).

The managed ruleset also contains a rule that blocks HTTP requests already containing the Exposed-Credential-Check HTTP header used by the Exposed-Credential-Check Header action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials.

For more information on exposed credential checks, refer to Check for exposed credentials.

Configure in the dashboard

You can configure the following settings of the Cloudflare Exposed Credentials Check Managed Ruleset in the dashboard:

  • Set the action to perform. When you define an action for the ruleset, you override the default action defined for each rule. The available actions are: Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. To remove the action override, set the ruleset action to Default.
  • Override the action performed by individual rules. The available actions are: Exposed-Credential-Check Header, Managed Challenge, Block, JS Challenge, Log, and Interactive Challenge. For more information, refer to Available actions.
  • Disable specific rules.
  • Customize the filter expression. With a custom expression, the Cloudflare Exposed Credentials Check Managed Ruleset applies only to a subset of the incoming requests.
  • Configure payload logging.

For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.

Configure via API

To enable the Cloudflare Exposed Credentials Check Managed Ruleset for a given zone via API, create a rule with execute action in the entry point ruleset for the http_request_firewall_managed phase.

Example

This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to the http_request_firewall_managed phase of a given zone ($ZONE_ID) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.

  1. Invoke the Get a zone entry point ruleset operation to obtain the definition of the entry point ruleset for the http_request_firewall_managed phase. You will need the zone ID for this task.

    Required API token permissions

     At least one of the following token permissions is required:
    • Response Compression Write
    • Response Compression Read
    • Config Settings Write
    • Config Settings Read
    • Dynamic URL Redirects Write
    • Dynamic URL Redirects Read
    • Cache Settings Write
    • Cache Settings Read
    • Custom Errors Write
    • Custom Errors Read
    • Origin Write
    • Origin Read
    • Managed headers Write
    • Managed headers Read
    • Zone Transform Rules Write
    • Zone Transform Rules Read
    • Mass URL Redirects Write
    • Mass URL Redirects Read
    • Magic Firewall Write
    • Magic Firewall Read
    • L4 DDoS Managed Ruleset Write
    • L4 DDoS Managed Ruleset Read
    • HTTP DDoS Managed Ruleset Write
    • HTTP DDoS Managed Ruleset Read
    • Sanitize Write
    • Sanitize Read
    • Transform Rules Write
    • Transform Rules Read
    • Select Configuration Write
    • Select Configuration Read
    • Bot Management Write
    • Bot Management Read
    • Zone WAF Write
    • Zone WAF Read
    • Account WAF Write
    • Account WAF Read
    • Account Rulesets Read
    • Account Rulesets Write
    • Logs Write
    • Logs Read
    • Logs Write
    • Logs Read
    Get a zone entry point ruleset
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
      --request GET \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
    {
      "result": {
        "description": "Zone-level phase entry point",
        "id": "<ENTRY_POINT_RULESET_ID>",
        "kind": "zone",
        "last_updated": "2024-03-16T15:40:08.202335Z",
        "name": "zone",
        "phase": "http_request_firewall_managed",
        "rules": [
          // ...
        ],
        "source": "firewall_managed",
        "version": "10"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

  2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create a zone ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Exposed Credentials Check Managed Ruleset (with ID c2e184081120413c86c3ab7e14069605). By default, the rule will be added at the end of the list of rules already in the ruleset.

    Required API token permissions

     At least one of the following token permissions is required:
    • Response Compression Write
    • Config Settings Write
    • Dynamic URL Redirects Write
    • Cache Settings Write
    • Custom Errors Write
    • Origin Write
    • Managed headers Write
    • Zone Transform Rules Write
    • Mass URL Redirects Write
    • Magic Firewall Write
    • L4 DDoS Managed Ruleset Write
    • HTTP DDoS Managed Ruleset Write
    • Sanitize Write
    • Transform Rules Write
    • Select Configuration Write
    • Bot Management Write
    • Zone WAF Write
    • Account WAF Write
    • Account Rulesets Write
    • Logs Write
    • Logs Write
    Create a zone ruleset rule
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$ENTRY_POINT_RULESET_ID/rules" \
      --request POST \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{
        "action": "execute",
        "action_parameters": {
            "id": "c2e184081120413c86c3ab7e14069605"
        },
        "expression": "true",
        "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset"
      }'
    {
      "result": {
        "id": "<ENTRY_POINT_RULESET_ID>",
        "name": "Zone-level phase entry point",
        "description": "",
        "kind": "zone",
        "version": "11",
        "rules": [
          // ... any existing rules
          {
            "id": "<RULE_ID>",
            "version": "1",
            "action": "execute",
            "action_parameters": {
              "id": "c2e184081120413c86c3ab7e14069605",
              "version": "latest"
            },
            "expression": "true",
            "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset",
            "last_updated": "2024-03-18T18:08:14.003361Z",
            "ref": "<RULE_REF>",
            "enabled": true
          }
        ],
        "last_updated": "2024-03-18T18:08:14.003361Z",
        "phase": "http_request_firewall_managed"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

  3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create a zone ruleset operation. Include a single rule in the rules array that executes the Cloudflare Exposed Credentials Check Managed Ruleset (with ID c2e184081120413c86c3ab7e14069605) for all incoming requests in the zone.

    Required API token permissions

     At least one of the following token permissions is required:
    • Response Compression Write
    • Config Settings Write
    • Dynamic URL Redirects Write
    • Cache Settings Write
    • Custom Errors Write
    • Origin Write
    • Managed headers Write
    • Zone Transform Rules Write
    • Mass URL Redirects Write
    • Magic Firewall Write
    • L4 DDoS Managed Ruleset Write
    • HTTP DDoS Managed Ruleset Write
    • Sanitize Write
    • Transform Rules Write
    • Select Configuration Write
    • Bot Management Write
    • Zone WAF Write
    • Account WAF Write
    • Account Rulesets Write
    • Logs Write
    • Logs Write
    Create a zone ruleset
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
      --request POST \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{
        "name": "My ruleset",
        "description": "Entry point ruleset for WAF managed rulesets",
        "kind": "zone",
        "phase": "http_request_firewall_managed",
        "rules": [
            {
                "action": "execute",
                "action_parameters": {
                    "id": "c2e184081120413c86c3ab7e14069605"
                },
                "expression": "true",
                "description": "Execute the Cloudflare Exposed Credentials Check Managed Ruleset"
            }
        ]
      }'

Next steps

To configure the Exposed Credentials Check Managed Ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:

  • Specify the action to perform for all the rules in the ruleset by creating a ruleset override.

  • Disable or customize the action of individual rules by creating rule overrides.

For examples of creating overrides using the API, refer to Override a managed ruleset.

More resources

For more information on working with managed rulesets via API, refer to Work with managed rulesets in the Ruleset Engine documentation.