⚠️ Please read this first to ensure that our scanning engines can correctly reach both your website and the underlying server.

Allowlisting in Cloudflare will allow the scanner to detect weaknesses lying underneath the WAF, so you can execute a 'defence in depth' security strategy, and put in place measure that would prevent successful exploitation, even where the WAF fails or can be bypassed by an attacker.

Cloudflare provides two ways to allowlist security scanners:

When configuring these two rules, they must show in the following order in Cloudflare for the allowlisting to work as expected:

Creating the rules in the order below ('Allow' Rule then WAF Bypass) will ensure that the order is populated correctly in Cloudflare settings (though you can manually reorder them if you need to). If the order is incorrect, you could see WAF-related issues including Possible Scan Interference, which can include results such as specific User Agent blocking, etc.

To get started, we'll first add an 'Allow' rule for each of Intruder's scanning ranges.

1. Click 'Create a Firewall Rule', and give it a recognisable name:

2. Using the 'Field' dropdown, select 'IP Source Address'

3. Under the Operator field, select 'is in'

4. In the 'Value' field, add all of Intruder's scanning ranges and IPs. For an up-to-date list of IP ranges, please refer to this article.

5. Under 'Choose an action', select 'Allow'

6. When finished, click save.

This will allow Intruder's scanners to circumvent some of Cloudflare's standard web application firewall protections.

Intruder's scanners will now be able to scan your Cloudflare-protected hosts, without scan interference.

*Access to rules is dependent on your Cloudflare plan, so if you can't see what you're looking for, it might be worth checking what's available with your Cloudflare subscription.