📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

I wonder if this is what is plaguing us with Cloudflare's WAF and the OWASP Core Ruleset: https://community.cloudflare.com/t/owasp-ruleset-unexpectedly-has-a-high-false-positive-rate/814544

@watford-ep This PR only touches rule 932281 which I don't see in any of your screenshots, so this isn't the cause of your issues.

I suggest using a lower paranoia level as PL-2 and above are known to have false positives due since the rules are more aggressive. If your still having problems with false positives at PL-1 (Default paranoia level) then you'll need to create a rule exclusion. I'm not very familiar with Cloudflare's WAF so I won't be able to help you there.

No, I definitely can confirm that this is not the case. I don't think cloudflare is using v4 at all. But let me take a look.

@fzipi thanks, it popped up out of nowhere on a holiday weekend which was a surprise!

@sixlettervariables No worries. I had problems with axios also in the past, but IMHO it was/is because it is not sending proper headers. Therefore it is not matching as application/json and ultimately not being sent to the proper parser. Naturally you will be matching a bunch of unrelated rules.

Maybe you can try this using our sandbox and see if you can reproduce.

The worst part is that when logging, you only have the payload (body). There is no header logging available. The answer I got from support was to "just use your own web server or load balancer to get all the headers". Which is ........... (fill in the blanks).

Added comment: https://community.cloudflare.com/t/owasp-ruleset-unexpectedly-has-a-high-false-positive-rate/814544/7?u=felipe.zipitria