Get started

1. Enable content scanning

Old dashboard:
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Settings.
- Under Incoming traffic detections, turn on Malicious uploads.

New dashboard:
- In the Cloudflare dashboard, go to the Security Settings page.
- (Optional) Filter by Detection tools.
- Turn on Malicious uploads detection.
API:
Use a POST request similar to the following:

Required API token permissions

At least one of the following token permissions is required:
- Zone WAF Write
- Account WAF Write

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/content-upload-scan/enable" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Terraform:
Use the cloudflare_content_scanning resource to enable content scanning for a zone. For example:

```hcl
resource "cloudflare_content_scanning" "zone_content_scanning_example" {
  zone_id = "<ZONE_ID>"
  enabled = true
}
```

2. Validate the content scanning behavior

Use Security Analytics and HTTP logs to validate that malicious content objects are being detected correctly.
You can use the EICAR anti-malware test file ↗ to test content scanning (select the ZIP format).
Alternatively, create a custom rule as described in the next step, using a Log action instead of a mitigation action such as Block. This rule will generate security events that let you validate your configuration.

3. Create a custom rule

Create a custom rule that blocks detected malicious content objects uploaded to your application.
For example, create a custom rule with the Block action and the following expression:
| Field | Operator | Value | 
|---|---|---|
| Has malicious content object | equals | True | 
If you use the Expression Editor, enter the following expression:
```txt
(cf.waf.content_scan.has_malicious_obj)
```

Rule action: Block
This rule will match requests where Cloudflare detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to Content scanning fields.
Optional: Combine with other Rules language fields

You can combine the previous expression with other fields and functions of the Rules language. This allows you to customize the rule scope or combine content scanning with other security features. For example:

- The following expression will match requests with malicious content objects uploaded to a specific endpoint:

  | Field | Operator | Value | Logic |
  |---|---|---|---|
  | Has malicious content object | equals | True | And |
  | URI Path | contains | upload.php | |

  Expression when using the editor:

  ```txt
  (cf.waf.content_scan.has_malicious_obj and http.request.uri.path contains "upload.php")
  ```

- The following expression will match requests from bots uploading content objects:

  | Field | Operator | Value | Logic |
  |---|---|---|---|
  | Has content object | equals | True | And |
  | Bot Score | less than | 10 | |

  Expression when using the editor:

  ```txt
  (cf.waf.content_scan.has_obj and cf.bot_management.score lt 10)
  ```
For additional examples, refer to Example rules.
4. (Optional) Add custom scan expressions

To check uploaded content in a way that is not covered by the default configuration, add a custom scan expression.
Old dashboard:
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Settings.
- Under Incoming traffic detections, select Malicious uploads.
- Select Add content object location.
- In Content location, enter your custom scan expression. For example: lookup_json_string(http.request.body.raw, "file")
- Select Save.

New dashboard:
- In the Cloudflare dashboard, go to the Security Settings page.
- (Optional) Filter by Detection tools.
- Under Malicious uploads detection > Configurations, select the edit icon.
- Select Add content location.
- In Content location, enter your custom scan expression. For example: lookup_json_string(http.request.body.raw, "file")
- Select Save.

API:
Use a POST request similar to the following:

Required API token permissions

At least one of the following token permissions is required:
- Zone WAF Write
- Account WAF Write

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/content-upload-scan/payloads" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '[
    {
        "payload": "lookup_json_string(http.request.body.raw, \"file\")"
    }
  ]'
```

The above request will add the following expression to the current list of custom scan expressions:

```txt
lookup_json_string(http.request.body.raw, "file")
```

Terraform:
Use the cloudflare_content_scanning_expression resource to add a custom scan expression. For example:

```hcl
resource "cloudflare_content_scanning_expression" "my_custom_scan_expression" {
  zone_id = "<ZONE_ID>"
  payload = "lookup_json_string(http.request.body.raw, \"file\")"
}
```

For more information, refer to Custom scan expressions.
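To exercise both the validation step (EICAR test upload in ZIP form) and the custom scan expression configured above, here is an added example, not Cloudflare's own code, that builds the EICAR test object as a ZIP in a multipart upload and as a JSON body with the test string under the "file" key, then POSTs each to an upload endpoint you own. The endpoint URL passed on the command line and the form field name "file" are assumptions; a 403 response indicates the Block rule from the previous step matched, and in either case the request should show up in Security Analytics or HTTP logs.

```python
import io
import json
import sys
import urllib.error
import urllib.request
import uuid
import zipfile

# Standard 68-byte EICAR test string: harmless by design, flagged by scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_zip() -> bytes:
    """Package the test string as eicar.com in a ZIP, the format the page recommends."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def multipart_body(filename: str, data: bytes, boundary: str) -> bytes:
    """multipart/form-data upload, which the default scan locations already cover."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/zip\r\n\r\n').encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def json_body() -> bytes:
    """JSON upload carrying the test string under "file": scanned only once the custom
    expression lookup_json_string(http.request.body.raw, "file") is configured."""
    return json.dumps({"file": EICAR.decode("ascii")}).encode()


def send(url: str, body: bytes, content_type: str) -> int:
    """POST the body and return the HTTP status; 403 means the Block rule matched."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Hypothetical upload endpoint behind Cloudflare, e.g. https://example.com/upload.php
    target = sys.argv[1]
    boundary = uuid.uuid4().hex
    print("multipart:", send(target, multipart_body("eicar.zip", eicar_zip(), boundary),
                             f"multipart/form-data; boundary={boundary}"))
    print("json:", send(target, json_body(), "application/json"))
```

Run it with the target URL as its only argument after Malicious uploads detection is on, then compare the two results: a Block on the multipart request but not the JSON one means the custom scan expression has not taken effect yet.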