
~/security-demo

// Managed Rules · Custom Rules · Rate Limiting Rules — all on one domain

// Rules run at Cloudflare's edge before this Worker ever sees the request

Three layers of protection. One dashboard. Zero origin code.

Managed Rules: zero-day + OWASP coverage, curated by Cloudflare.
Custom Rules: block, challenge, or allow on any request attribute.
Rate Limiting: stop brute-force, abuse, and runaway traffic.
pillar 01
Managed Rules

Cloudflare writes the rules. You click deploy. No WAF specialists, no rule-tuning marathons.

// rulesets active: Cloudflare Managed · OWASP Core (PL2) · Exposed Credentials Check

Attack | Payload | What CF does
XSS | ?q=<script>alert(1)</script> | block (Managed + OWASP)
SQL injection | ?id=1' OR '1'='1 | block (Managed + OWASP)
Credential stuffing | POST /login (breached pwd) | log (flip to challenge in prod)

// Blocks return Cloudflare's default block page. The credential-stuffing request reaches the Worker (always 401) but is logged in Security Events.

pillar 02
Custom Rules

Your security policy, your rules. Block, challenge, or allow based on anything in the request — no backend changes required.

// rules active: Scraper & pentest UA block · Admin challenge · API key enforcement · Bot fingerprint block

Attack | Payload | What CF does
Pentest tool | User-Agent: sqlmap/1.7 | block (custom JSON response)
Admin probe | GET /admin | managed_challenge (humans pass in <1s, bots fail)
Unauth API call | GET /api/data (no x-api-key) | block (never reaches origin)
Bot fingerprint | cf.bot_management.score ≤ 30 | block (reads JA4, ignores UA)

// All Custom Rules are scoped to http.host eq "security.nobledemos.com" — the rest of the zone is untouched.

Why curl from your laptop won't trigger this rule

Bot Management scores every request 1–99 (1 = automated, 99 = human). The score comes from JA3/JA4 TLS fingerprints, HTTP/2 frame patterns, IP reputation, and behavioral signals — not the User-Agent. Spoofing -A "BadScraper" changes nothing.

A plain curl from your laptop typically scores 30–60: residential IP with clean reputation, plus a TLS handshake that looks similar enough to common dev tooling. That is above the ≤ 30 threshold, so the rule never fires.

Run it from GCP Cloud Shell instead. Three signals collapse the score to 1:

  • Datacenter ASN — Google's cloud range, low rep for browsing traffic
  • Python-flavored TLS stack — Cloud Shell's curl links against a TLS library whose JA4 matches a known automation signature (you'll see "Python - TLS Signature" in Security Events)
  • No browser context — no __cf_bm session, no behavioral history, no JS challenge passed

Bot score 1 → blocked with 403. Open the rule in the dashboard, then run the same curl from a Cloud Shell session and watch it fire in Security Events.

pillar 03
Rate Limiting Rules

Count what matters — per IP, per user, per API key, per country. Stop abuse without punishing your real customers.

// rules active: Brute-force login protection · Per-API-key quota

Attack | Limit | What CF does
Brute-force login | POST /login · per IP | 5 / 10s → block 10m
Per-API-key abuse | GET /api/data · per x-api-key | 10 / 10s → block 60s
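The Custom Rules and Rate Limiting Rules tables above describe what the edge does but not how the rules are expressed. The following is an added example, not the demo's own code: the four Custom Rules and the two Rate Limiting Rules as Cloudflare Rulesets API payloads, plus a local pre-deploy check. Host, paths, header name, key format and limits are taken from the page; the exact rule expressions, the `CF_ZONE_ID`/`CF_API_TOKEN` variable names and the JSON block body are assumptions for illustration.

```python
# Added example, not the demo's own code: the Custom Rules and Rate Limiting
# Rules above as Cloudflare Rulesets API payloads. Host, paths, header name and
# limits come from the page; expressions and env var names are assumptions.
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
HOST = 'http.host eq "security.nobledemos.com"'   # every rule is scoped to this host


def custom_rules():
    """Custom Rules for the http_request_firewall_custom phase, in evaluation order."""
    return [
        {
            "description": "Scraper & pentest UA block",
            "expression": f'({HOST}) and lower(http.user_agent) contains "sqlmap"',
            "action": "block",
            # block with a custom JSON body instead of Cloudflare's default block page
            "action_parameters": {"response": {
                "status_code": 403,
                "content_type": "application/json",
                "content": json.dumps({"error": "request blocked by WAF"}),
            }},
        },
        {
            "description": "Admin challenge",
            "expression": f'({HOST}) and starts_with(http.request.uri.path, "/admin")',
            "action": "managed_challenge",
        },
        {
            "description": "API key enforcement",
            # header names in http.request.headers.names are lowercased by Cloudflare
            "expression": (f'({HOST}) and starts_with(http.request.uri.path, "/api/") '
                           'and not any(http.request.headers.names[*] == "x-api-key")'),
            "action": "block",
        },
        {
            "description": "Bot fingerprint block",
            # score 1 = automated, 99 = human; needs the Bot Management add-on
            "expression": f"({HOST}) and cf.bot_management.score le 30",
            "action": "block",
        },
    ]


def rate_limit_rules():
    """Rate Limiting Rules for the http_ratelimit phase; the API requires cf.colo.id as a characteristic."""
    return [
        {
            "description": "Brute-force login protection",
            "expression": f'({HOST}) and http.request.uri.path eq "/login" and http.request.method eq "POST"',
            "action": "block",
            "ratelimit": {
                "characteristics": ["cf.colo.id", "ip.src"],   # counted per client IP
                "period": 10,                # seconds
                "requests_per_period": 5,    # 5 / 10s ...
                "mitigation_timeout": 600,   # ... then block for 10 minutes
            },
        },
        {
            "description": "Per-API-key quota",
            "expression": f'({HOST}) and http.request.uri.path eq "/api/data"',
            "action": "block",
            "ratelimit": {
                "characteristics": ["cf.colo.id", 'http.request.headers["x-api-key"]'],
                "period": 10,
                "requests_per_period": 10,
                "mitigation_timeout": 60,
            },
        },
    ]


def audit(rules):
    """Local checks before deploying: host scoping, and a colo-keyed counter on every rate limit."""
    problems = []
    for r in rules:
        if HOST not in r["expression"]:
            problems.append(f'{r["description"]}: not scoped to the demo host')
        rl = r.get("ratelimit")
        if rl is not None and "cf.colo.id" not in rl["characteristics"]:
            problems.append(f'{r["description"]}: ratelimit missing cf.colo.id')
    return problems


def put_entrypoint(zone_id, token, phase, rules):
    """PUT replaces the whole entry point ruleset for `phase`; rules not in the list are dropped."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/{phase}/entrypoint",
        data=json.dumps({"rules": rules}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]   # hypothetical names
    for phase, rules in (("http_request_firewall_custom", custom_rules()),
                         ("http_ratelimit", rate_limit_rules())):
        assert not audit(rules), audit(rules)
        result = put_entrypoint(zone, token, phase, rules)
        print(phase, "ok" if result.get("success") else result.get("errors"))
```

Two things worth knowing before running it against a real zone: the entry point PUT is a full replacement, so any rule already in that phase and not in the list is removed, and rule order is evaluation order, so the cheap UA block sits ahead of the bot-score rule on purpose.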

brute-force login

POST /login · limit 5 / 10s · expect 429 after 5 (live counters: total / 401 / 429 / err)

per-api-key quota

GET /api/data · key demo-key-abc123 · limit 10 / 10s (live counters: total / 200 / 429 / err)

// request timeline: login and api-key requests plotted as allowed vs 429 limited
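What the live counters above measure, as an added Python client that is not the demo's attack.sh: fire a burst at one of the rate-limited endpoints, tally the status codes, and report the first request that came back 429. The sender is injectable so the tallying logic can be exercised offline; `live_send`, `burst` and `limit_holds` are this example's own names, the domain and demo key are the ones on the page, and the POST body is a placeholder.

```python
# Added example, not the demo's attack.sh: send a burst at a rate-limited
# endpoint and report where the 429s begin. The sender is injectable so the
# tallying logic runs offline; live_send targets the demo domain from the page.
# A live run gets your IP blocked for the rule's mitigation window (10 min on /login).
import collections
import urllib.error
import urllib.request

DEMO = "https://security.nobledemos.com"
API_KEY = "demo-key-abc123"   # demo key from the page


def live_send(path, method, headers):
    """One request; returns (status, Retry-After seconds if the edge sent that header)."""
    req = urllib.request.Request(DEMO + path, method=method, headers=headers,
                                 data=b"user=demo&pass=demo" if method == "POST" else None)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:   # 401/403/429 arrive here, not as return values
        ra = err.headers.get("Retry-After")
        return err.code, int(ra) if ra and ra.isdigit() else None


def burst(send, n, path="/login", method="POST", headers=None):
    """Issue n back-to-back requests. Returns (status counts, 1-based index of first 429, Retry-After)."""
    counts, first_429, retry_after = collections.Counter(), None, None
    for i in range(1, n + 1):
        status, ra = send(path, method, dict(headers or {}))
        counts[status] += 1
        if status == 429 and first_429 is None:
            first_429, retry_after = i, ra
    return counts, first_429, retry_after


def limit_holds(counts, first_429, limit):
    """True when exactly `limit` requests got through and every later one was limited."""
    return first_429 == limit + 1 and sum(v for s, v in counts.items() if s != 429) == limit


if __name__ == "__main__":
    c, first, ra = burst(live_send, 8)                       # POST /login, limit 5 / 10s
    print("login:", dict(c), "first 429 at", first, "retry-after", ra, limit_holds(c, first, 5))
    c, first, ra = burst(live_send, 15, "/api/data", "GET", {"x-api-key": API_KEY})
    print("api:", dict(c), "first 429 at", first, limit_holds(c, first, 10))
```

Cloudflare counts rate-limit requests per data center and applies the block on a best-effort basis, so in a live run the first 429 can land a request or two later than the table predicts; treat `limit_holds` returning False as a prompt to look at Security Events rather than as proof the rule is wrong.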
pillar 04
Challenge Actions

Not every suspicious request should be blocked outright. Sometimes the right answer is "prove you're human." Cloudflare runs the challenge at the edge — your origin only sees verified visitors.

Managed Challenge
Cloudflare picks the lightest interstitial that still proves the visitor is human, usually invisible, sometimes a Turnstile widget. Recommended for most use cases.
action: Managed Challenge
when: path eq /managed-challenge

Interactive Challenge
The classic "I'm not a robot" checkbox. Always visible, always requires a click. Useful when you want a deliberate user gesture before granting access.
action: Interactive Challenge
when: path eq /interactive-challenge

// rules active on challenge-endpoint.nobledemos.com: /managed-challenge → managed_challenge · /interactive-challenge → interactive_challenge

attack simulation

Here's what attack.sh does. Every request prints a single colored line — and every block, challenge, and 429 shows up in the Security Events view in the dashboard in real time.

// Traffic flow (diagram): INTERNET → CLOUDFLARE EDGE → YOUR ORIGIN

Internet: SQLi / XSS, bots & scrapers, pentest tools, brute-force, abusive API, unauth /admin, real users ✓

Cloudflare edge, three layers:
  • Managed Rules (Cloudflare-curated) catch SQL injection, XSS payloads, cmd injection, known CVEs, bad reputation, leaked creds
  • Custom Rules (your rules) catch scraper UAs, /admin access, missing API key, geo blocks, IP allowlists, header checks
  • Rate Limiting (per-IP / per-key) catches brute-force, API abuse, credential stuffing, runaway clients, scraper bursts, flash floods

Your origin ✓ clean traffic: only legitimate requests, no WAF code to run, no origin load from attacks, no bandwidth cost
# run against all three pillars in sequence
curl -sSL https://security.nobledemos.com/attack.sh | bash -s -- all

# or target one pillar at a time
curl -sSL https://security.nobledemos.com/attack.sh | bash -s -- managed
curl -sSL https://security.nobledemos.com/attack.sh | bash -s -- custom
curl -sSL https://security.nobledemos.com/attack.sh | bash -s -- ratelimit

# or download, inspect, and run
curl -O https://security.nobledemos.com/attack.sh
chmod +x attack.sh
./attack.sh all

// Dependencies: bash + curl. No Python, no npm. Safe to run on your laptop — every request targets this demo domain only.