Sequence rules
Sequence rules uses cookies to track the order of requests a user has made and the time between requests and makes them available via Cloudflare Rules. This allows you to write rules that match valid or invalid sequences. The specific cookies used to validate sequences are called sequence cookies.
Sequence rules is currently in private beta. If you would like to be included in the beta, contact your account team.
Prerequisites
- Your account must have the Fraud Detection subscription.
- Each zone must have an API Shield subscription as it relies on Endpoint Management.
- Each zone must configure the endpoints to track via Endpoint Management.
Enable sequence rules via the API
- Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
- Get the zone ID for the zone(s) where you want to enable sequence rules.
- Add the endpoints that you want to track in your sequence rules using API Shield’s Endpoint Management and make note of the short ID.
- Enable the sequence cookie by adding your API token and zone ID to the following API call.
API callcurl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{"enabled": true}'
- Use the expression editor to write sequence or timing based rules via custom rules, rate limiting rules, or transform rules. You can put these rules in log only mode to monitor.
Once you have enabled sequence rules, the rules fields will be populated and you can now use the new fields in your rules.
Rules fields
Sequence rules introduces three new fields to Cloudflare Rules. All of these fields reference operations by their short ID. Accounts that have the Fraud Detection subscription can refer to the short ID by viewing the endpoint details via API Shield > Endpoint Management in the Cloudflare dashboard. Accounts without Fraud Detection do not have access to this field.
Cloudflare only stores up to the 10 most recent operations in a sequence for up to one hour. If there are more than 10 operations in the sequence, older operations will be dropped and will not be included in the following fields. Similarly, if an operation happened more than one hour ago, it will also not be included in the following fields.
Availability
These sequence fields are available in:
- Custom rules (
http_request_firewall_custom
phase) - Rate limiting rules (
http_request_ratelimit
) - Bulk redirects (
http_request_redirect
) - HTTP request header modification rules (
http_request_late_transform
)
Field name | Description | Example value |
---|---|---|
| This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string. |
|
| This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request. |
|
| This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred. |
|
Example rules
The customer must request endpoint A before endpoint B.
Valid sequencecf.sequence.current_op eq "bbbbbbbb" andany(cf.sequence.previous_ops[*] == "aaaaaaaa")
Invalid sequencecf.sequence.current_op eq "bbbbbbbb" andnot any(cf.sequence.previous_ops[*] == "aaaaaaaa")
Customer must request endpoint A at least one second before endpoint B.
Valid sequencecf.sequence.current_op eq "bbbbbbbb" andcf.sequence.msec_since_op["aaaaaaaa"] ge 1000
Invalid sequencecf.sequence.current_op eq "bbbbbbbb" andnot cf.sequence.msec_since_op["aaaaaaaa"] ge 1000
Disable sequence rules via the API
Disabling sequence rules will stop the rules fields from being populated. If you still have rules deployed which depend on these fields, those rules may not behave as intended. Remove or disable any rules that rely on sequence fields before disabling sequence rules.
To disable sequence rules:
- Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
- Get the zone ID for the zone(s) where you want to enable sequence rules.
- Add the endpoints that you want to track in your sequence rules using API Shield’s Endpoint Management and make note of the short ID.
- Disable the sequence cookie using your API token, zone ID, and by setting
enabled
tofalse
on the following API call.
API callcurl --request PUT https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{"enabled": false}'
Limitations
Cloudflare only supports HTTPS requests since our cookies set the Secure
attribute.