List a zone's WAF rules
GET
/api/zones/{zoneId}/security/waf-rules
Returns the zone's own WAF rules, ordered by execution "order" ascending. Global WAF rules are not included here; see the global-waf-rules endpoint for those.
Authorizations
ApiToken
Long-lived API token created via POST /api/api-tokens. The plaintext value is returned only once, at creation time.
Type
API Key (header: X-API-TOKEN)
or
JWT
JWT access token obtained via POST /api/auth/login. Send as: Authorization: Bearer <token>
Type
HTTP (bearer)
Parameters
Path Parameters
zoneId*
Zone identifier
Type
string (required)
Query Parameters
page
The collection page number
Type
integer
Default
1
itemsPerPage
The number of items per page
Type
integer
Default
30
Minimum
0
Maximum
100
Responses
waf-rule collection
JSON
{
  "totalItems": 0,
  "search": {
    "@type": "string",
    "template": "string",
    "variableRepresentation": "string",
    "mapping": [
      {
        "@type": "string",
        "variable": "string",
        "property": "string",
        "required": true
      }
    ]
  },
  "view": {
    "@id": "string",
    "@type": "string",
    "first": "string",
    "last": "string",
    "previous": "string",
    "next": "string"
  },
  "member": [
    {
      "@context": "string",
      "@id": "string",
      "@type": "string",
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "description": "Block SQL injection attempts on the login endpoint",
      "enabled": true,
      "participationMode": "opt_out",
      "phase": "request",
      "order": 10,
      "match": "all",
      "conditions": [
        {
          "targets": ["string"],
          "transforms": ["string"],
          "operator": "string",
          "pattern": "string",
          "negate": true
        }
      ],
      "expression": "string",
      "action": "block",
      "status": 403,
      "score": 5,
      "rateBps": 1024,
      "delayMs": 250,
      "log": false,
      "stop": false,
      "createdAt": "2026-07-01T12:00:00+00:00",
      "updatedAt": "2026-07-01T12:00:00+00:00"
    }
  ]
}
