Enable only Joomla rules
Use the Rulesets API to configure the execution of a managed ruleset and override its behavior. By default, enabled rules perform the actions defined by the managed ruleset issuer. This example uses overrides to ensure that only rules with a specific tag are enabled.
Follow the steps below to configure the execution of a managed ruleset with two overrides for enabling only the rules tagged with joomla.
- Add a rule to a phase entry point ruleset that executes a managed ruleset.
- Configure a ruleset override that disables all rules in the managed ruleset.
- Configure a tag override that enables only the rules with a given tag.
Tag overrides take precedence over ruleset overrides. Only the rules with the specified tag are enabled, and all other rules are disabled.
This example deploys the Cloudflare Managed Ruleset to a phase with only Joomla rules enabled. The name, kind, and phase fields are omitted from the request because they are immutable.
Example: Enable only Joomla rules using category overrides at the zone level
Required API token permissions
At least one of the following token permissions
is required:
Response Compression WriteConfig Settings WriteDynamic URL Redirects WriteCache Settings WriteCustom Errors WriteOrigin WriteManaged headers WriteZone Transform Rules WriteMass URL Redirects WriteMagic Firewall WriteL4 DDoS Managed Ruleset WriteHTTP DDoS Managed Ruleset WriteSanitize WriteTransform Rules WriteSelect Configuration WriteBot Management WriteZone WAF WriteAccount WAF WriteAccount Rulesets WriteLogs WriteLogs Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "rules": [ { "action": "execute", "expression": "true", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "overrides": { "enabled": false, "categories": [ { "category": "joomla", "action": "block", "enabled": true } ] } } } ] }'"id": "<MANAGED_RULESET_ID>"adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests for the specified zone ($ZONE_ID)."enabled": falsedefines an override at the ruleset level that disables all rules in the managed ruleset."categories": [{"category": "joomla", "action": "block", "enabled": true}]defines an override at the tag level that enables the Joomla rules and sets their action toblock.
Example: Enable only Joomla rules using category overrides at the account level
Required API token permissions
At least one of the following token permissions
is required:
Mass URL Redirects WriteMagic Firewall WriteL4 DDoS Managed Ruleset WriteTransform Rules WriteSelect Configuration WriteAccount WAF WriteAccount Rulesets WriteLogs Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "rules": [ { "action": "execute", "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "overrides": { "enabled": false, "categories": [ { "category": "joomla", "action": "block", "enabled": true } ] } } } ] }'"id": "<MANAGED_RULESET_ID>"adds a rule to the ruleset of a phase that will apply the Cloudflare Managed Ruleset to requests forexample.com."enabled": falsedefines an override at the ruleset level that disables all rules in the managed ruleset."categories": [{"category": "joomla", "action": "block", "enabled": true}]defines an override at the tag level that enables the Joomla rules and sets their action toblock.
You can add more than one category override to a rule.
This example adds two overrides to the rule that executes a managed ruleset (<MANAGED_RULESET_ID>) in the http_request_firewall_managed phase. Note that the name, kind, and phase fields are omitted from the request because they are immutable.
Example: Add more than one category override at the zone level
Required API token permissions
At least one of the following token permissions
is required:
Response Compression WriteConfig Settings WriteDynamic URL Redirects WriteCache Settings WriteCustom Errors WriteOrigin WriteManaged headers WriteZone Transform Rules WriteMass URL Redirects WriteMagic Firewall WriteL4 DDoS Managed Ruleset WriteHTTP DDoS Managed Ruleset WriteSanitize WriteTransform Rules WriteSelect Configuration WriteBot Management WriteZone WAF WriteAccount WAF WriteAccount Rulesets WriteLogs WriteLogs Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "rules": [ { "action": "execute", "expression": "true", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "overrides": { "enabled": false, "categories": [ { "category": "joomla", "action": "log", "enabled": true }, { "category": "wordpress", "enabled": false } ] } } } ] }'Example: Add more than one category override at the account level
Required API token permissions
At least one of the following token permissions
is required:
Mass URL Redirects WriteMagic Firewall WriteL4 DDoS Managed Ruleset WriteTransform Rules WriteSelect Configuration WriteAccount WAF WriteAccount Rulesets WriteLogs Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "rules": [ { "action": "execute", "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"", "action_parameters": { "id": "<MANAGED_RULESET_ID>", "overrides": { "enabled": false, "categories": [ { "category": "joomla", "action": "log", "enabled": true }, { "category": "wordpress", "enabled": false } ] } } } ] }'The order of the overrides in the ruleset determines if rules in the deployed managed ruleset are enabled or disabled. Overrides placed later in the list take precedence over earlier overrides.
Consider four rules from the managed ruleset in the code above that have different combinations of category tags. The following table shows the status of the rules after the overrides.
| Rule in managed ruleset | Tags | Rule status after overrides |
|---|---|---|
| ManagedRule1 | drupal, dos | Disabled |
| ManagedRule2 | drupal, dos, joomla | Enabled |
| ManagedRule3 | dos, joomla, wordpress | Disabled |
| ManagedRule4 | drupal, wordpress | Disabled |
| ManagedRule5 | (no tags) | Disabled |
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark