Conflict with Cloudflare Web Application Firewall #4805
Description
If you are coming from the support forums or encounter the following issue, please read carefully.
This is a tracking ticket for the work on ensuring Web Stories for WordPress does not cause issues with the Cloudflare Web Application Firewall (WAF) or similar solutions.
Rules that so far have been identified as possibly causing conflicts:
- Cloudflare Specials > 100173 XSS, HTML Injection - Script Tag
- OWASP mod_security ruleset 981176
A similar conflict exists with Sucuri's WAF.
Who's affected?
The Cloudflare WAF is available to Pro, Business, and Enterprise plans.
How do I know I am affected?
You are likely affected when using Cloudflare's WAF offering and you are unable to save or publish stories using Web Stories for WordPress.
Workaround
Cloudflare:
Add a custom Firewall rule to disable the WAF for any Web Stories-related REST API requests, like so:
Sucuri:
Add wp-json/web-stories to the allowlist in the "Whitelist URL Paths" section.
What is being done to fix this?
We are still investigating this issue and will update this thread with any new findings.
- Check if REST API is fully functioning when opening the editor (Status Check: Add REST API endpoint #4790)
- Improved error messages if REST API requests fail (Add Context to Failure to Save Error Message #1033)
- Implement experimental workaround in the plugin (Base64-encode HTML markup over the wire #4859, Make WAF workaround opt-in for now #5038)
How can I follow progress on this issue?
Subscribe to this issue using the "Subscribe" button in the sidebar:
User reports so far

