Create a rule via API
Use the Rulesets API to create configuration rules via API.
When creating a configuration rule via API, make sure you:
- Set the rule action to
set_config. - Define the parameters in the
action_parametersfield according to the settings you wish to override for matching requests. - Deploy the rule to the
http_config_settingsphase at the zone level.
Follow this workflow to create a configuration rule for a given zone via API:
-
Use the List zone rulesets operation to check if there is already a ruleset for the
http_config_settingsphase at the zone level. -
If the phase ruleset does not exist, create it using the Create a zone ruleset operation. In the new ruleset properties, set the following values:
- kind:
zone - phase:
http_config_settings
- kind:
-
Use the Update a zone ruleset operation to add a configuration rule to the list of ruleset rules. Alternatively, include the rule in the Create a zone ruleset request mentioned in the previous step.
Make sure your API token has the required permissions to perform the API operations.
Example: Add a rule that enables Email Obfuscation and Browser Integrity Check
The following example sets the rules of an existing phase ruleset ({ruleset_id}) to a single configuration rule — enabling Email Obfuscation and Browser Integrity Check for the contacts page — using the Update a zone ruleset operation:
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{ "rules": [ { "expression": "starts_with(http.request.uri.path, \"/contact-us/\")", "description": "Obfuscates email addresses and enables BIC in contacts page", "action": "set_config", "action_parameters": { "email_obfuscation": true, "bic": true } } ]}'Example: Add a rule that turns on I'm Under Attack mode for the admin area
The following example sets the rules of an existing phase ruleset ({ruleset_id}) to a single configuration rule — turning on I'm Under Attack mode for the administration area — using the Update a zone ruleset operation:
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{ "rules": [ { "expression": "http.host eq \"admin.example.com\"", "description": "Turn on I'\''m Under Attack mode for admin area", "action": "set_config", "action_parameters": { "security_level": "under_attack" } } ]}'The API token used in API requests to manage configuration rules must have at least the following permission:
- Zone > Config Rules > Edit
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark