Create a WAF rule for a zone
POST
/api/zones/{zoneId}/security/waf-rules
Creates a zone-scoped WAF rule owned by the given zone, subject to the zone's maximum WAF-rule limit. The rule must define at least one entry in "conditions" or an "expression"; a "block" action requires a valid HTTP "status" (100-599), and a "throttle" action requires "rateBps" and/or "delayMs".
Authorizations
ApiToken
Long-lived API token created via POST /api/api-tokens (returned once in plaintext).
Type
API Key (header: X-API-TOKEN)
or
JWT
JWT access token obtained via POST /api/auth/login. Send it in the Authorization header: Authorization: Bearer <token>
Type
HTTP (bearer)
Parameters
Path Parameters
zoneId*
Zone identifier
Type
string (required)
Request Body
JSON
{
  "description": "Block SQL injection attempts on the login endpoint",
  "enabled": true,
  "phase": "request",
  "order": 10,
  "match": "all",
  "conditions": [],
  "expression": "string",
  "action": "block",
  "status": 403,
  "score": 5,
  "rateBps": 1024,
  "delayMs": 250,
  "log": false,
  "stop": false
}
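A client-side helper for this endpoint, added here as an example (it is not the API vendor's SDK). It pre-checks the constraints the description states (at least one condition or an expression; "block" needs a "status" in 100-599; "throttle" needs "rateBps" and/or "delayMs") before spending a request, builds exactly one of the two accepted auth headers, and URL-encodes the zoneId. The base URL, the sample rule's target and operator values ("uri.path", "equals", "args.all", "matches"), and the injected `send` transport are assumptions; the page gives only the field names.

```python
"""Helper for POST /api/zones/{zoneId}/security/waf-rules (added example)."""
import json
from typing import Callable, Optional
from urllib.parse import quote

BASE_URL = "https://api.example.com"  # assumption: the page does not state a host

# Constructed sample rule. Condition field names follow the response schema on
# this page; the target/operator/pattern values are placeholders, not a
# vocabulary the page documents.
LOGIN_SQLI_RULE = {
    "description": "Block SQL injection attempts on the login endpoint",
    "enabled": True,
    "phase": "request",
    "order": 10,
    "match": "all",
    "conditions": [
        {"targets": ["uri.path"], "transforms": [], "operator": "equals",
         "pattern": "/login", "negate": False},
        {"targets": ["args.all"], "transforms": ["lowercase", "urldecode"],
         "operator": "matches", "pattern": r"(?:'|\")\s*(?:or|union)\s", "negate": False},
    ],
    "action": "block",
    "status": 403,
    "log": True,
    "stop": True,
}


def rule_errors(rule: dict) -> list:
    """Return the constraint violations the reference page describes.

    The server enforces these as well; checking locally gives a precise error
    instead of a rejected request and avoids a wasted call against the zone's
    WAF-rule limit.
    """
    errors = []
    if not rule.get("conditions") and not rule.get("expression"):
        errors.append("rule needs at least one condition or an expression")
    action = rule.get("action")
    if action == "block":
        status = rule.get("status")
        if (not isinstance(status, int) or isinstance(status, bool)
                or not 100 <= status <= 599):
            errors.append('"block" requires an HTTP "status" in 100-599')
    elif action == "throttle":
        if rule.get("rateBps") is None and rule.get("delayMs") is None:
            errors.append('"throttle" requires "rateBps" and/or "delayMs"')
    return errors


def auth_headers(api_token: Optional[str] = None, jwt: Optional[str] = None) -> dict:
    """Build exactly one of the two auth headers the endpoint accepts.

    The API token is long-lived and shown once at creation, so it is loaded
    from a secret store by the caller and never placed in the URL or logs.
    """
    if bool(api_token) == bool(jwt):
        raise ValueError("pass exactly one of api_token or jwt")
    if api_token:
        return {"X-API-TOKEN": api_token}
    return {"Authorization": f"Bearer {jwt}"}


def build_request(zone_id: str, rule: dict, **creds) -> tuple:
    """Return (method, url, headers, body) for the create call, or raise."""
    errors = rule_errors(rule)
    if errors:
        raise ValueError("; ".join(errors))
    # quote(..., safe="") keeps a hostile zone id from adding path segments
    url = f"{BASE_URL}/api/zones/{quote(zone_id, safe='')}/security/waf-rules"
    headers = {"Content-Type": "application/json", **auth_headers(**creds)}
    return "POST", url, headers, json.dumps(rule)


def create_waf_rule(zone_id: str, rule: dict, send: Callable, **creds):
    """Send the request through send(method, url, headers, body).

    The transport is injected so this runs offline; with `requests` you would
    pass: lambda m, u, h, b: requests.request(m, u, headers=h, data=b).json()
    """
    method, url, headers, body = build_request(zone_id, rule, **creds)
    return send(method, url, headers, body)


if __name__ == "__main__":
    # Offline demonstration: a fake transport that just echoes the request.
    echo = lambda m, u, h, b: {"method": m, "url": u, "headers": h, "body": b}
    print(json.dumps(create_waf_rule("zone-1", LOGIN_SQLI_RULE, echo,
                                     api_token="REPLACE_ME"), indent=2))
```

The validation mirrors only what the page states; fields that belong to the other action (for example "rateBps" on a "block" rule) are passed through unchanged because the page does not say whether the server ignores or rejects them.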
Responses
waf-rule resource created
JSON
{
  "@context": "string",
  "@id": "string",
  "@type": "string",
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "description": "Block SQL injection attempts on the login endpoint",
  "enabled": true,
  "participationMode": "opt_out",
  "phase": "request",
  "order": 10,
  "match": "all",
  "conditions": [
    {
      "targets": ["string"],
      "transforms": ["string"],
      "operator": "string",
      "pattern": "string",
      "negate": true
    }
  ],
  "expression": "string",
  "action": "block",
  "status": 403,
  "score": 5,
  "rateBps": 1024,
  "delayMs": 250,
  "log": false,
  "stop": false,
  "createdAt": "2026-07-01T12:00:00+00:00",
  "updatedAt": "2026-07-01T12:00:00+00:00"
}
