Cloudflare Docs
Bots
Edit this page on GitHub
Set theme to dark (⇧+D)

Sequence rules

Sequence rules uses cookies to track the order of requests a user has made and the time between requests and makes them available via Cloudflare Rules. This allows you to write rules that match valid or invalid sequences. The specific cookies used to validate sequences are called sequence cookies.

Sequence rules is currently in private beta. If you would like to be included in the beta, contact your account team.

​​ Prerequisites

  • Your account must have the Fraud Detection subscription.
  • Each zone must have an API Shield subscription as it relies on Endpoint Management.
  • Each zone must configure the endpoints to track via Endpoint Management.

​​ Enable sequence rules via the API

  1. Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
  2. Get the zone ID for the zone(s) where you want to enable sequence rules.
  3. Add the endpoints that you want to track in your sequence rules using API Shield’s Endpoint Management and make note of the short ID.
  4. Enable the sequence cookie by adding your API token and zone ID to the following API call.
API call
curl --request PUT \
--url https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
--header 'Authorization: Bearer <API_TOKEN>' \
--header 'Content-Type: application/json' \
--data '{"enabled": true}'
  1. Use the expression editor to write sequence or timing based rules via custom rules, rate limiting rules, or transform rules. You can put these rules in log only mode to monitor.

Once you have enabled sequence rules, the rules fields will be populated and you can now use the new fields in your rules.


​​ Rules fields

Sequence rules introduces three new fields to Cloudflare Rules. All of these fields reference operations by their short ID. Accounts that have the Fraud Detection subscription can refer to the short ID by viewing the endpoint details via API Shield > Endpoint Management in the Cloudflare dashboard. Accounts without Fraud Detection do not have access to this field.

Cloudflare only stores up to the 10 most recent operations in a sequence for up to one hour. If there are more than 10 operations in the sequence, older operations will be dropped and will not be included in the following fields. Similarly, if an operation happened more than one hour ago, it will also not be included in the following fields.

​​ Availability

These sequence fields are available in:

Field nameDescriptionExample value

cf.sequence.current_op
String

This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string.

c821cc00

cf.sequence.previous_ops
Array<String>

This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request.

If an operation is repeated, it will appear multiple times in the sequence.

["f54dac32", "c821cc00", "a37dc89b"]

cf.sequence.msec_since_op
Map<Number>

This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred.

This does not include the current request or operation as it only factors in previous operations in the sequence.

{"f54dac32": 1000, "c821cc00": 2000}

​​ Example rules

The customer must request endpoint A before endpoint B.

Valid sequence
cf.sequence.current_op eq "bbbbbbbb" and
any(cf.sequence.previous_ops[*] == "aaaaaaaa")
Invalid sequence
cf.sequence.current_op eq "bbbbbbbb" and
not any(cf.sequence.previous_ops[*] == "aaaaaaaa")

Customer must request endpoint A at least one second before endpoint B.

Valid sequence
cf.sequence.current_op eq "bbbbbbbb" and
cf.sequence.msec_since_op["aaaaaaaa"] ge 1000
Invalid sequence
cf.sequence.current_op eq "bbbbbbbb" and
not cf.sequence.msec_since_op["aaaaaaaa"] ge 1000

​​ Disable sequence rules via the API

Disabling sequence rules will stop the rules fields from being populated. If you still have rules deployed which depend on these fields, those rules may not behave as intended. Remove or disable any rules that rely on sequence fields before disabling sequence rules.

To disable sequence rules:

  1. Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
  2. Get the zone ID for the zone(s) where you want to enable sequence rules.
  3. Add the endpoints that you want to track in your sequence rules using API Shield’s Endpoint Management and make note of the short ID.
  4. Disable the sequence cookie using your API token, zone ID, and by setting enabled to false on the following API call.
API call
curl --request PUT https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{"enabled": false}'

​​ Limitations

Cloudflare only supports HTTPS requests since our cookies set the Secure attribute.