6 min left
Back to Series

The Stack > Article 7 | Intermediate | 6 min read

Article 7Intermediate6 min read

Tuning Cloudflare WAF before you reach for MCP

A false-positive CAPTCHA on every search query is a configuration problem, not an infrastructure problem. Simon Willison fixed it with a one-character rule change — and learned when MCP is the wrong tool.


Web application firewall rules filtering search traffic

Simon Willison documented a fix this week for a Cloudflare Web Application Firewall (WAF) rule that was triggering CAPTCHA challenges on nearly every search query on his site. The default bot-protection rule treated all search URLs as suspicious. Legitimate readers hit friction on every lookup. The fix was not a new CDN tier or a migration — it was narrowing the rule to match only URLs containing an ampersand, which correlates with multi-parameter queries that aggressive crawlers tend to generate.

The story is small. The lessons generalize: security defaults often over-block real users, and the fastest fix is usually a tighter rule — not more infrastructure.

Why default WAF rules over-block

Cloudflare's managed bot rules optimize for catching automated traffic. Search endpoints are a common attack surface: SQL injection probes, parameter fuzzing, and scraper floods all target query strings. A broad rule that challenges any request to /search catches bots — and also catches a human typing a single keyword.

Think of it like airport security screening every passenger because one gate had a incident last month. The policy is defensible in the abstract. The queue at peak hour tells you it is wrong for your traffic shape.

The symptom is familiar: users complain about CAPTCHAs on normal browsing, support tickets spike, and analytics show drop-off at the search box. The underlying issue is a rule scoped to the path, not to the signal that distinguishes bots from humans in your specific application.

The ampersand heuristic

Willison's adjustment changed the match condition from "any search URL" to "search URLs containing &". Single-parameter searches (?q=python) pass through. Multi-parameter requests (?q=python&sort=date) still trigger the challenge.

The heuristic rests on a simple observation: legitimate users on a personal site rarely construct complex multi-filter searches. Aggressive crawlers and injection tools often do. One character in the match pattern shifted the false-positive rate without removing protection on the traffic shape that actually looked automated.

A WAF rule should encode a hypothesis about what is malicious in your traffic — not a blanket distrust of an entire endpoint.

This is not universal advice. A site with heavy faceted search would need a different signal. The pattern to internalize is: start from observed bot behavior, write a rule that targets that behavior, measure false positives, iterate.

When MCP is the wrong tool

Willison attempted the fix through Cloudflare's Model Context Protocol (MCP) integration first. MCP exposes Cloudflare APIs to coding agents — a sensible first move when you already live in Claude Code. In this case, the MCP server could read rules but could not edit the specific custom rule configuration needed. The agent switched to direct API calls and completed the change.

That sequence is worth remembering. MCP is a convenience layer for agent-to-service communication. It is not a guarantee that every API surface is exposed. When an agent hits a capability gap, falling back to the underlying API — or the dashboard — is faster than forcing the protocol to do something it was not wired for.

ApproachGood forWatch out for
Dashboard editOne-off rule tweaks, visual diffNot scriptable, no audit trail in git
Direct APIFull CRUD on rules, automatableRequires auth setup, easy to misconfigure
MCP via agentExploratory changes from a coding sessionCapability coverage varies by server implementation

Measuring after the change

Any WAF adjustment should be followed by a before/after check. Compare challenge rates on the affected path, watch error logs for injection attempts that now slip through, and spot-check legitimate user flows. Willison's change reduced friction on single-parameter searches while preserving challenges on multi-parameter traffic — a trade-off he can revisit if crawler patterns shift.

Security tuning is a loop, not a one-time configuration. Bot behavior adapts. Your rules should too.


What this means for builders

Audit managed rules before accepting defaults. Cloudflare, AWS WAF, and similar products ship with sensible starting points that may not match your traffic. A fifteen-minute review of which paths trigger challenges often finds obvious false positives.

Write rules as testable hypotheses. "Block search URLs with ampersands" is falsifiable — you can measure how many real users hit it. "Block all search" is not; you only notice when users leave.

Know your agent tool limits. MCP servers vary in what they expose. Keep API credentials and dashboard access as fallbacks when the agent reports it cannot complete an operation.

Prefer surgical rules over blanket protection. Narrow matches reduce user friction and make incident response easier — you know exactly what you changed when something breaks.

Conclusion

Infrastructure problems get expensive solutions. Configuration problems get cheap ones. Willison's CAPTCHA issue was the second kind: one character in a WAF match pattern restored normal search behavior for real users while keeping bot protection on the traffic that actually looked automated. The tooling story — MCP first, direct API when MCP fell short — is equally practical for anyone wiring agents into production infra.


CloudflareWAFMCPClaude Codesecuritydev toolinginfrastructure

Up next in the series

Article 8Live

Four registers for LLM coding conversations

Chelsea Troy outlined four modes for working with coding agents — explore, brainstorm, decide, implement. Mixing them in one prompt is why context windows fill up and outputs drift.

LLMClaudepromptingcoding agents