{"id":62,"date":"2025-12-05T00:00:00","date_gmt":"2025-12-05T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2025\/12\/05\/waf-updating-the-waf-maximum-payload-values\/"},"modified":"2025-12-05T00:00:00","modified_gmt":"2025-12-05T00:00:00","slug":"waf-updating-the-waf-maximum-payload-values","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2025\/12\/05\/waf-updating-the-waf-maximum-payload-values\/","title":{"rendered":"WAF &#8211; Updating the WAF maximum payload values"},"content":{"rendered":"<p>We are reinstating the maximum request-payload size the Cloudflare WAF inspects to the following values:<\/p>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th>Free<\/th>\n<th>Professional<\/th>\n<th>Business<\/th>\n<th>Enterprise<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>WAF scans request payload up to:<\/td>\n<td>1 MB<\/td>\n<td>8 KB<\/td>\n<td>8 KB<\/td>\n<td>128 KB<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Key Findings<\/strong><\/p>\n<p>On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives. This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.<\/p>\n<p>Consequently, we have decided to revert this change. Our Free plans will maintain the 1 MB limit as they are not experiencing an increase in false positives.<\/p>\n<p><strong>Impact<\/strong><\/p>\n<p>Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.<\/p>\n<p>The initial increase in the size of the body inspected by the WAF may result in a higher rate of false positives being triggered in both the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset. This higher rate should revert back to a normal value once the new limits are in place.<\/p>","protected":false},"excerpt":{"rendered":"<p>We are reinstating the maximum request-payload size the Cloudflare WAF inspects to the following values: Free Professional Business Enterprise WAF scans request payload up to: 1 MB 8 KB 8 KB 128 KB Key Findings On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-62","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/62","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=62"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/62\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}