Rules

Task

In this section we will explore features which allow changes to settings & behavior, and configure some examples with Transform Rules.

If you are familiar with Page Rules you may be wondering why they are missing. While these are valid, they are an older part of our stack which will be sunset in due course. As a matter of best practice, use one of the new Rules options to suit your needs.

Why

It is common to wish to change defaults and have custom settings best suited to your application. Cloudflare Rules allow you to make adjustments to requests and responses, configure custom settings, and trigger specific actions for matching requests.

There are many options which can be configured, so please feel free to explore settings beyond these exercises. Before proceeding with the tasks, please briefly familiarize yourself with the Rules documentation above.

Steps

1. Create a transform rule that adds a header to all responses

Transform Rules allow you to adjust the URI path, query string, and HTTP headers of requests and responses on the Cloudflare global network.

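In this task, we will create a rule to add the common security header X-Frame-Options, which tells browsers whether a page may be rendered inside a frame and so helps defend against clickjacking, to all responses. We’ll then see how we can make this easier with Managed Transforms.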

In the Cloudflare Dashboard go to Rules ‣ Transform Rules ‣ Modify Response Header.

Click Create rule.

  • Enter a descriptive name for the rule, such as “Add X-Frame-Options”
  • Set When incoming requests match… to All incoming requests
  • Set the Then… criteria to:
      • Add
      • Set the Header name to X-Frame-Options
      • Set the Value to SAMEORIGIN

Your configuration should look like this:

Create Transform Rule

Feel free to add some other arbitrary headers if you wish, then click Deploy.

2. Verify header in a response

Using curl (or via the browser method shared previously) let’s check the HTTP response headers:

$ curl -svo /dev/null "https://cfdemolab-zone-xxx.cfdemolab.xyz/services/luggages/"

<TLS output removed intentionally>

< HTTP/2 200
< date: Thu, 26 Oct 2023 13:36:50 GMT
< content-type: text/html
< last-modified: Thu, 26 Oct 2023 03:55:50 GMT
< x-origin: origin-1
< accept-ranges: bytes
< cf-cache-status: DYNAMIC
< some-other-header: Hello
< x-frame-options: SAMEORIGIN
< server: cloudflare
< cf-ray: 81c317271b8a76c3-LHR
< cf-team: 1c0dcccc66000076c341ccb400000001

You can see that the x-frame-options and some-other-header headers are now present.

3. Add more Security Headers with Managed Transforms

Now that you are familiar with how you can add headers, let’s add some more!

First, disable the rule you just deployed, and then navigate to Rules ‣ Transform Rules ‣ Managed Transforms.

Managed Transforms

As can be seen, there are several options to choose from here, based on common scenarios. Go ahead and enable Add security headers within the HTTP response headers section.

Security Headers

Now repeat your curl command (or view the response in your browser) and note the presence of new headers such as x-xss-protection:

$ curl -svo /dev/null "https://cfdemolab-zone-0000000612.cfdemolab.xyz/services/luggages/"

<TLS output removed intentionally>

< HTTP/2 200
< date: Thu, 26 Oct 2023 13:54:11 GMT
< content-type: text/html
< last-modified: Thu, 26 Oct 2023 03:55:50 GMT
< x-origin: origin-2
< accept-ranges: bytes
< cf-cache-status: DYNAMIC
< expect-ct: max-age=86400, enforce
< referrer-policy: same-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< server: cloudflare
< cf-ray: 81c33096d9c176c3-LHR
< cf-team: 1c0ddcb241000076c348e27400000001
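
One way to script the check from steps 2 and 3, as an added example that is not part of the original lab. The names check_headers, EXPECTED and SAMPLE_* are illustrative, and the sample responses are constructed by trimming the curl output shown above.

```shell
# Added example (not Cloudflare tooling): check `curl -sv` output for this lab's headers.

# Header/value pairs copied from the Managed Transforms response above.
EXPECTED='expect-ct: max-age=86400, enforce
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block'

# Reads curl -sv output on stdin. Prints one line per problem and returns
# non-zero unless every expected header is present with the expected value.
check_headers() {
  rc=0
  # Keep response header lines only ("< name: value"); drop the prefix and CRs.
  resp=$(tr -d '\r' | sed -n 's/^< //p')
  while IFS= read -r want_line; do
    name=${want_line%%:*}
    want=${want_line#*: }
    # Header names are case-insensitive, so compare them lower-cased.
    got=$(printf '%s\n' "$resp" | awk -v n="$name" '{
      i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == n) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }')
    if [ -z "$got" ]; then
      echo "MISSING  $name"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $name: got '$got', want '$want'"; rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Constructed samples, trimmed from the two responses shown in this lab.
SAMPLE_RULE_ONLY='< HTTP/2 200
< x-frame-options: SAMEORIGIN
< server: cloudflare'
SAMPLE_MANAGED="$SAMPLE_RULE_ONLY
< expect-ct: max-age=86400, enforce
< referrer-policy: same-origin
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block"

# Live use: curl -svo /dev/null "https://cfdemolab-zone-xxx.cfdemolab.xyz/services/luggages/" 2>&1 | check_headers
printf '%s\n' "$SAMPLE_RULE_ONLY" | check_headers || echo "rule-only response is incomplete"
printf '%s\n' "$SAMPLE_MANAGED" | check_headers && echo "managed transform headers OK"
```

The non-zero exit status makes the function usable as a gate in a deployment script or scheduled check.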

4. Add a URL Rewrite Rule

Sometimes it is desirable to serve a different page from the one named in the URL. Now we will explore the URL rewrite functionality to show the /services/luggages page when requesting /services/arrows.

Navigate to Rules ‣ Transform Rules ‣ Rewrite URL.

Create and deploy a rule:

  • Enter a descriptive name for the rule, such as “Show Luggages Page on Arrows URL”
  • Set When incoming requests match… to Custom filter expression
  • Set the Field to URI Path
  • Set the Operator to equals
  • Set the Value to /services/arrows/
  • Set the Then… criteria to:
      • Rewrite to…
      • Static services/luggages/

Your configuration should look like this:

URL Rewrite
  • Leave the other values as default (but feel free to explore them!) and click Deploy

Browse to /services/arrows/ on your AcmeCorp Website.

Notice that the Luggages page is displayed, even though the arrows URL is preserved in the address bar.

URL Rewrite Result

5. (Optional) Add more rules

Explore the various options within rules - can you create a rule to redirect /services/calculators/ back to the AcmeCorp home page?

Summary

In this section we explored Transform Rules.

Next, let's have a look at API Shield.