Cloudflare Rules
Short answer: there isn’t a canonical Cloudflare artifact called “the 65 Cloudflare rules.” Cloudflare uses several
Rules products (each with many possible rules), plus
WAF managed rules,
DDoS rule categories, and
Zero Trust domain categories. None of Cloudflare’s docs define a fixed “65-rule” list.
Cloudflare Docs+2Cloudflare Community+2
Here are two likely interpretations, organized in tables so you can pick what you meant:
1) Cloudflare “Rules” products (top-level categories)
| Category | What it does | Typical use |
|---|
| Redirect Rules | Send users from one URL to another with match/conditions. | Site moves, vanity URLs. |
| Transform Rules | Rewrite URLs/headers (request/response). | Normalize paths, add/remove headers. |
| Cache Rules | Fine-tune what/when to cache. | Bypass cache for logged-in users; cache APIs. |
| Configuration Rules | Toggle Cloudflare features per-request. | Turn on Bot Fight Mode for certain paths. |
| Origin Rules | Override origin host/port/SNI per match. | Route a path to a different backend. |
| Compression Rules | Control compression settings. | Force Brotli/Gzip on specific assets. |
Sources: Cloudflare “Rules” overview and Page Rules migration notes.
Cloudflare Docs+1
2) Zero Trust “Domain categories” (these easily exceed ~65 when you include subcategories)
Cloudflare Gateway classifies domains into
Security categories and
Content categories, each with multiple subcategories (the combined list runs well over 60 entries). Here’s the condensed view by top-level category, with examples:
| Top-level category | Examples of categories/subcategories (not exhaustive) |
|---|
| Security categories | Anonymizer, Brand Embedding, Command & Control & Botnet, Compromised Domain, Cryptomining, DGA Domains, DNS Tunneling, Malware, Phishing, Potentially Unwanted Software, Private IP Address, Scam, Spam, Spyware. |
| Content categories | Ads; Adult Themes (Nudity, Pornography); Business & Economy (Brokerage & Investing, Cryptocurrency, Personal Finance); Education (Educational Institutions, Science, Space & Astronomy); Entertainment (Audio Streaming, Gaming, Movies, Music, News & Media, etc.); Gambling; Government & Politics; Health; Information Technology; Internet Communication; Job Search & Careers; Miscellaneous; Questionable Content (Hacking, Militancy/Hate/Extremism, Profanity, Piracy, etc.); Real Estate; Religion; Safe for Kids; Shopping & Auctions; Society & Lifestyle (Dating & Relationships, Food & Drink, Photography, Social Networks, Lingerie & Bikini, Alcohol, etc.); Sports; Technology (APIs, File Sharing, AI, Remote Access, Search Engines, Translators, etc.); Travel; Vehicles; Violence (Weapons); Weather. |
| Misc. subcategories | Login Screens, No Content, URL Alias/Redirect, Unreachable. |
| Security risk subcategories | New Domains, Newly Seen Domains, Parked & For Sale Domains. |
| Special | Always blocked (Child Abuse); CIPA. |
Full details (including the long “Category and subcategory IDs” table) are in the docs. If you want, I can extract those into a CSV with exactly how many there are today.
Cloudflare Docs
If you meant a
different “65” (for example, a specific WAF managed-rules bundle or DDoS ruleset version), tell me which product/context (WAF Managed Rules, DDoS Managed Rules, Magic Firewall, etc.), and I’ll generate a precise, commented table for that set with rule IDs, tags, defaults, and recommended actions.
Cloudflare Docs+2Cloudflare Docs+2
You said:
list all cloudflare rules by category and notate which plan they belong to in a table.
ChatGPT said:
It’s tricky to compile a
complete list of “all Cloudflare rules by category and which plan they belong to,” because many rule types are shared across plans with different quotas or capabilities, and Cloudflare often rolls out changes or new feature limits. But I can produce a representative table of the main
Cloudflare Rules / Rules-type products (categories) along with their availability / limits by plan (Free, Pro, Business, Enterprise), based on the latest documentation. You can treat this as a baseline, and I can help refine for your specific plan or use case.
Here’s a summary table:
| Rule / Rules-product / category | Purpose / what it lets you do | Availability on plans | Key limits or differences by plan |
|---|
| Transform Rules | Modify URI path, query, HTTP request/response headers | Available on all plans. Cloudflare Docs | Maximum number of active transform rules: Free: 10, Pro: 25, Business: 50, Enterprise: 300. Regex support only on Business+ / Enterprise. Cloudflare Docs+1 |
| Configuration Rules | Toggle/adjust Cloudflare settings (e.g. features) based on rule matches | Available on all plans. Cloudflare Docs | Rule count: Free: 10, Pro: 25, Business: 50, Enterprise: 300. Cloudflare Docs |
| Compression Rules | Control which responses are compressed, algorithm choice | Available on all plans. Cloudflare Docs | Rule count: Free: 10, Pro: 25, Business: 50, Enterprise: 300. Cloudflare Docs |
| Origin Rules | Override origin attributes (hostname, port, etc.) for matched traffic | Included in Rules engine (all plans) Cloudflare Docs+1 | Under new rules limits, Enterprise supports up to 300 origin rules. Cloudflare Docs |
| Cache Rules | Fine-tune caching behavior (what to cache, TTL, bypass) | Available on all plans (as part of new Rules suite) The Cloudflare Blog+1 | Under new unified limits, Enterprise allows up to 300 cache rules. Cloudflare Docs |
| Single Redirects | Create static/dynamic URL redirects (pattern → target) | Available on all plans via Rules / URL forwarding. Cloudflare Docs+1 | Under the “increased limits” rollout, the max allowed rules for Single Redirects has been boosted; Enterprise sees 300. Cloudflare Docs |
| Bulk Redirects | Upload large lists of source → target redirects (account-wide) | Available to all accounts. Cloudflare Docs+2The Cloudflare Blog+2 | Quotas (after 2025 update): Free: 10,000 URL redirects, Pro: 25,000, Business: 50,000, Enterprise: 1,000,000. Cloudflare Docs+2Cloudflare Docs+2 |
| Page Rules (legacy) | Trigger actions (redirect, cache settings, etc.) based on URL patterns | Available on all plans (legacy) Cloudflare Docs+2Cloudflare Docs+2 | Number allowed: Free 3, Pro 20, Business 50, Enterprise 125. Cloudflare Docs+1 |
| Snippets | Small JS snippets / custom logic embedded in rules | Available on Pro, Business, Enterprise (free plan doesn’t support) Cloudflare Docs+1 | Rule count (per account/zone): Pro: 25, Business: 50, Enterprise: 300. |
| WAF Managed Rules / Custom WAF rules | Prebuilt security rules (SQLi, XSS, etc.) and ability to add custom firewall rules | WAF managed rules are available on all plans (though features vary). | Enterprise offers account-level deployment across zones, advanced tuning, etc. |
| Firewall / Custom Rules (Firewall Rules) | Block / challenge / allow / rate-limit traffic based on expressions | Available on all plans. | For Enterprise, there’s a “Rule Preview” feature to test rules before enabling. |
Notes & caveats:
- In February 2025, Cloudflare announced increased limits for many rules categories: Single Redirects, Transform Rules, Cache Rules, Origin Rules, Configuration Rules, Compression Rules all now have higher quotas under Enterprise (from 125 → 300).
- Some features (e.g. regex support in Transform Rules) are only available starting at Business / Enterprise.
- Page Rules is a legacy product; Cloudflare is migrating many of the functions to the newer, dedicated Rules categories (Cache, Redirect, Configuration).
- Bulk Redirects quotas refer to total URL redirects across lists (not just lists themselves).
