Malicious uploads detection
The malicious uploads detection is a traffic detection that scans files and other content uploaded to your application for malware.
When you turn on this detection, the WAF inspects incoming uploads and checks them for malicious signatures. The scan results are available as fields you can use in custom rules and rate limiting rules to act on requests containing malicious content.
Once you turn on this detection, Cloudflare inspects all incoming traffic and identifies content objects automatically.
When Cloudflare detects one or more content objects in a request, it sends them to an antivirus (AV) scanner for analysis. The AV scanner is the same one used in Cloudflare Zero Trust.
Based on the scan results, the detection populates fields you can reference in rule expressions. For example, you can create a rule to block requests with malicious files, or a more specific rule that also matches on file size, file type, or URI path.
A content object is a file or binary payload in a request that Cloudflare identifies as scannable content. The malicious uploads detection uses heuristics to find content objects automatically, without relying on the request's Content-Type header (since this header can be manipulated).
The following content types are excluded from scanning: text/html, text/x-shellscript, application/json, text/csv, and text/xml. All other detected content is treated as a content object. Common examples include:
- Executable files (for example, .exe, .bat, .dll, and .wasm)
- Documents (for example, .doc, .docx, .pdf, .ppt, and .xls)
- Compressed files (for example, .gz, .zip, and .rar)
- Image files (for example, .jpg, .png, .gif, .webp, and .tif)
- Video and audio files
If Cloudflare detects a malicious object but cannot determine its exact content type, it reports the object as application/octet-stream.
Content scanning can check the following content objects for malicious content:
- Uploaded files in a request
- Portions of the request body for multipart requests encoded as multipart/form-data or multipart/mixed
- Specific JSON properties in the request body (containing, for example, files encoded in Base64), according to the custom scan expressions you provide
All content objects in an incoming request are checked, including requests with multiple uploaded files (for example, a submitted HTML form with several file inputs).
The content scanner will fully check content objects with a size up to 50 MB. For larger content objects, the scanner will analyze the first 50 MB and provide scan results based on that portion of the object.
Sometimes, you may want to specify where to find the content objects, such as when the content is a Base64-encoded string within a JSON payload. For example:
```json
{ "file": "<BASE64_ENCODED_STRING>" }
```

In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to Configure a custom scan expression.
For more information and additional examples of looking up fields in nested JSON payloads, refer to the lookup_json_string() function documentation.
When content scanning is enabled, you can use the following fields in WAF rules:
| Field | Expression field | Type | Description |
|---|---|---|---|
| Has content object | cf.waf.content_scan.has_obj | Boolean | Indicates whether the request contains at least one content object. |
| Has malicious content object | cf.waf.content_scan.has_malicious_obj | Boolean | Indicates whether the request contains at least one malicious content object. |
| Number of malicious content objects | cf.waf.content_scan.num_malicious_obj | Integer | The number of malicious content objects detected in the request (zero or greater). |
| Content scan has failed | cf.waf.content_scan.has_failed | Boolean | Indicates whether the file scanner was unable to scan any of the content objects detected in the request. |
| Number of content objects | cf.waf.content_scan.num_obj | Integer | The number of content objects detected in the request (zero or greater). |
| Content object size | cf.waf.content_scan.obj_sizes | Array<Integer> | An array of file sizes in bytes, in the order the content objects were detected in the request. |
| Content object type | cf.waf.content_scan.obj_types | Array<String> | An array of file types, in the order the content objects were detected in the request. |
| Content object result | cf.waf.content_scan.obj_results | Array<String> | An array of scan results, in the order the content objects were detected in the request. Possible values: clean, suspicious, infected, and not scanned. |
For examples of rule expressions using these fields, refer to Example rules.
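A set of custom rules built on the fields above, written here as an added example rather than taken from Cloudflare's documentation. It assumes the Terraform Cloudflare provider v4 `cloudflare_ruleset` syntax, that the detection is already enabled on the zone, a placeholder zone ID, a hypothetical `/api/upload` path, and that the 50 MB scan limit is 50 × 1024 × 1024 bytes.

```hcl
# Hypothetical zone ID and upload path; replace with your own values.
locals {
  zone_id          = "<ZONE_ID>"
  upload_path      = "/api/upload"
  scan_limit_bytes = 50 * 1024 * 1024 # the scanner only inspects the first 50 MB of an object (assumed binary MB)
}

resource "cloudflare_ruleset" "upload_scanning" {
  zone_id     = local.zone_id
  name        = "Malicious upload handling"
  description = "Act on WAF content scanning verdicts"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  # 1. Block any request carrying at least one object the scanner flagged as malicious.
  rules {
    action      = "block"
    description = "Block requests with a malicious content object"
    expression  = "cf.waf.content_scan.has_malicious_obj"
    enabled     = true
  }

  # 2. Fail closed on the upload endpoint: if the scanner could not scan an object,
  #    challenge the client instead of letting the upload through unverified.
  rules {
    action      = "managed_challenge"
    description = "Challenge uploads the scanner could not inspect"
    expression  = "http.request.uri.path eq \"${local.upload_path}\" and cf.waf.content_scan.has_failed"
    enabled     = true
  }

  # 3. Objects larger than the scan limit get a verdict based on their first 50 MB only,
  #    so a clean result does not cover the whole file. Challenge these on the upload endpoint.
  rules {
    action      = "managed_challenge"
    description = "Challenge uploads larger than the scan limit"
    expression  = "http.request.uri.path eq \"${local.upload_path}\" and any(cf.waf.content_scan.obj_sizes[*] > ${local.scan_limit_bytes})"
    enabled     = true
  }

  # 4. Record, without blocking, requests where any object came back as suspicious,
  #    so that verdicts short of infected can be reviewed before tightening the rules.
  rules {
    action      = "log"
    description = "Log suspicious content objects"
    expression  = "any(cf.waf.content_scan.obj_results[*] == \"suspicious\")"
    enabled     = true
  }
}
```

Rules are evaluated in order, so the block rule sits first; the Base64-in-JSON case from earlier still needs its own custom scan expression (for example, lookup_json_string(http.request.body.raw, "file")) before these fields are populated for that payload.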