Disclaimer:
All information provided on this page was developed by TPimenta LAB. Please consult the official documentation for the most accurate and up-to-date information. We are not responsible for any issues, damages, or data loss that may occur from using this information.

USE AT YOUR OWN RISK.
Cloudflare Security Reference

Password Spraying Protection

How Cloudflare protects endpoints where credentials are passed in the request body, for example a login POST whose URL-encoded form body looks like this (cURL fragment):

--data-raw 'username=tpimentacf%40gmail.com&password=1z1muef2'

Protection Layers

1. Advanced Rate Limiting — Per-Username Body Field
Plan: Enterprise with Advanced Rate Limiting add-on

Rate limit by the username value extracted from the form body. This catches distributed password spraying where an attacker uses many different IPs to target the same account.

Rule matching expression:

# Match POST to login endpoint with a password in the body
http.request.uri.path eq "/login" and
http.request.method eq "POST" and
http.request.body.form["password"] ne ""

Counting characteristic (track rate per username):

http.request.body.form["username"]

Docs: Rate Limiting Parameters; Rate Limiting Rules

2. Bot Management — Block Automated Tools
Plan: Enterprise with Bot Management add-on

Password spraying is almost always automated. Bot Management assigns a score of 1–99 to each request. Block or challenge low-scoring requests (hydra, Burp Intruder, scripted curl loops, etc.) at the login endpoint.

# Block automated requests hitting the login page
http.request.uri.path eq "/login" and
cf.bot_management.score lt 30

Docs: Bot Scores; Bot Management Plans

3. WAF Custom Rules — Body Pattern Matching
Plan: Enterprise; Pro / Business (limited)

Use WAF custom rules to inspect the body and block requests matching a specific password pattern, known default passwords, or malformed login requests (missing fields).

Match a specific password format with regex:

# Example: block if password matches a known weak pattern
http.request.uri.path eq "/login" and
http.request.body.form["password"] matches "^[a-z0-9]{8}$"

Block malformed requests (missing password field):

http.request.uri.path eq "/login" and
http.request.method eq "POST" and
not http.request.body.form["password"] ne ""

Docs: WAF Custom Rules

4. Leaked Credential Check (LCC)
Plan: Enterprise with WAF add-on

Cloudflare automatically checks submitted credentials against known breached credential databases. Use the cf.waf.credential_check.* fields to detect and act on compromised passwords.

# Block or challenge requests with a known leaked password
cf.waf.credential_check.username ne "" and
cf.waf.credential_check.password_leaked eq true

Docs: Leaked Credential Check

Key Fields for URL-Encoded Form Body (application/x-www-form-urlencoded)

http.request.body.form["username"]
    Value of the username parameter in the POST body. Used as a rate-limiting characteristic to track per-account attempts.
http.request.body.form["password"]
    Value of the password parameter. Used in rule expressions to match, inspect, or pattern-match the submitted password.
http.request.body.raw
    Raw request body string. Use for custom parsing or when fields are not standard form-encoded.
cf.bot_management.score
    Bot score 1–99. Score of 1 = certainly automated. Score of 99 = certainly human. Requires Bot Management add-on.
cf.waf.credential_check.password_leaked
    Boolean. True if the submitted password matches a known breached credential database entry.

Recommended Layered Approach

Layer | Tool                                            | What It Catches                                                          | Required Plan
------|-------------------------------------------------|--------------------------------------------------------------------------|------------------------------------
1     | Advanced Rate Limiting (per username in body)   | Volume-based spraying, distributed IPs targeting the same account        | Enterprise + Advanced Rate Limiting
2     | Bot Management                                  | Automated tools (hydra, Burp Intruder, scripts, headless browsers)       | Enterprise + Bot Management
3     | WAF Custom Rules                                | Body pattern matching, malformed requests, known password formats        | Pro / Business / Enterprise
4     | Leaked Credential Check                         | Credentials matching known breached databases                            | Enterprise + WAF add-on
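A local model of the four layers above, added here as an example that is not part of this TPimenta LAB page or of Cloudflare's own tooling: it parses constructed login bodies shaped like the cURL fragment at the top of the page and applies each layer's check in Python, using the layer-3 regex from the page and constructed stand-ins for the bot score, the leaked-password database, the rate-limit threshold and the phase order (assumed: custom rules before rate limiting). The point it shows is that layer 1 keys its counter on the username, so five different IPs hitting one account still trip the limit.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed stand-ins for what Cloudflare supplies at the edge (not real data).
WEAK_PATTERN = re.compile(r"^[a-z0-9]{8}$")  # the layer-3 regex from the page
LEAKED_PASSWORDS = {"1z1muef2"}               # stand-in for the LCC breach database
BOT_SCORE_THRESHOLD = 30                      # layer 2: scores below this are blocked
PER_USERNAME_LIMIT = 3                        # layer 1: attempts allowed per username

def parse_form(raw):
    """First value of each field, like http.request.body.form["<name>"]."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def verdict(req, attempts):
    """Custom rules (layers 2-4) run first, then the per-username counter
    (layer 1); assumption: custom rules are evaluated before rate limiting."""
    form = parse_form(req["body"])
    if req["path"] != "/login" or req["method"] != "POST":
        return "allow"
    username, password = form.get("username", ""), form.get("password", "")
    if password == "":                          # layer 3: malformed login
        return "block:malformed"
    if req["bot_score"] < BOT_SCORE_THRESHOLD:  # layer 2: automated client
        return "block:bot"
    if password in LEAKED_PASSWORDS:            # layer 4: leaked credential
        return "block:leaked"
    if WEAK_PATTERN.match(password):            # layer 3: weak password pattern
        return "block:weak-pattern"
    attempts[username] += 1                     # layer 1: keyed by username, not IP
    return "block:rate-limit" if attempts[username] > PER_USERNAME_LIMIT else "allow"

def evaluate(requests):
    """One verdict per request, sharing a single per-username counter."""
    attempts = defaultdict(int)
    return [verdict(r, attempts) for r in requests]

def login(ip, body, bot_score=80, path="/login", method="POST"):
    return {"ip": ip, "path": path, "method": method, "bot_score": bot_score, "body": body}

# Constructed traffic: five IPs try different passwords against one account, then
# a scripted client, a post with no password field, and a known leaked password.
SAMPLE_REQUESTS = [
    login("198.51.100.%d" % i, "username=victim%%40example.com&password=Guess-%d" % i)
    for i in range(1, 6)
] + [
    login("203.0.113.7", "username=victim%40example.com&password=Guess-9", bot_score=5),
    login("203.0.113.8", "username=victim%40example.com"),
    login("203.0.113.9", "username=other%40example.com&password=1z1muef2"),
]
```

Running evaluate(SAMPLE_REQUESTS) allows the first three guesses, rate-limits the fourth and fifth despite their distinct source IPs, and blocks the remaining three on layers 2, 3 and 4 respectively.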