Sequence rules
Sequence rules uses cookies to track the order of requests a user has made and the time between requests and makes them available via Cloudflare Rules. This allows you to write rules that match valid or invalid sequences. The specific cookies used to validate sequences are called sequence cookies.
Sequence rules is currently in private beta. If you would like to be included in the beta, contact your account team.
- Your account must have the Fraud Detection subscription.
- Each zone must configure the endpoints to track via Endpoint Management.
You can create a sequence custom rule via the Cloudflare dashboard or using the API.
These sequence fields are available in:
- Custom rules (
http_request_firewall_customphase) - Rate limiting rules (
http_request_ratelimit) - Bulk Redirects (
http_request_redirect) - Request Header Transform Rules (
http_request_late_transform)
| Field name | Description | Example value |
|---|---|---|
| This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string. |
|
| This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request. |
|
| This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred. |
|
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > WAF > Custom rules.
- To create a new empty rule, select Create rule.
- Enter a descriptive name for the rule in Rule name.
- Under When incoming requests match, use the Field drop-down list and select:
- Current Operation
- Previous Operations
- Elapsed time
- Under Value, build a sequence by selecting a hostname for the sequence.
- Select the checkbox for each endpoint in the order that you want them to appear in the sequence.
- Set the time to complete.
- Select Save.
- Under Then take action, select the rule action in the Choose action dropdown. For example, selecting Block tells Cloudflare to refuse requests that match the conditions you specified.
- (Optional) If you selected the Block action, you can configure a custom response.
- Under Place at, select the order of when the rule will fire.
- To save and deploy your rule, select Deploy. If you are not ready to deploy your rule, select Save as Draft.
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Security rules.
- To create a new empty rule, select Create rule > Custom rules.
- Enter a descriptive name for the rule in Rule name.
- Under When incoming requests match, use the Field drop-down list to filter by Sequences and select from:
- Current Operation
- Previous Operations
- Elapsed time
- Under Value, select the edit icon to use Builder and build a sequence on the side panel.
- Under Select a hostname for this sequence, choose all or a specific hostname from the dropdown list. Optionally, you can use the search bar to search for a specific hostname.
- From the Methods dropdown list, choose all methods or a specific request method.
- Select the checkbox for each endpoint in the order that you want them to appear in the sequence.
- Set the time to complete.
- Select Save.
- Under Then take action, select the rule action in the Choose action dropdown. For example, selecting Block tells Cloudflare to refuse requests that match the conditions you specified.
- (Optional) If you selected the Block action, you can configure a custom response.
- Under Place at, select the order of when the rule will fire.
- To save and deploy your rule, select Deploy. If you are not ready to deploy your rule, select Save as Draft.
- Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
- Get the zone ID for the zone(s) where you want to enable sequence rules.
- Add the endpoints that you want to track in your sequence rules using API Shield's Endpoint Management and make note of the short ID.
- Enable the sequence cookie by adding your API token and zone ID to the following API call.
curl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \--header "Authorization: Bearer <API_TOKEN>" \--header "Content-Type: application/json" \--data '{"enabled": true}'- Use the expression editor to write sequence or timing based rules via custom rules, rate limiting rules, or transform rules. You can put these rules in log only mode to monitor.
Once you have enabled sequence rules, the rules fields will be populated and you can now use the new fields in your rules.
Disabling sequence rules will stop the rules fields from being populated. If you still have rules deployed which depend on these fields, those rules may not behave as intended. Remove or disable any rules that rely on sequence fields before disabling sequence rules.
To disable sequence rules:
- Create an API token if you do not already have one. The API token must include the Zone > Fraud Detection > Edit permission.
- Get the zone ID for the zone(s) where you want to enable sequence rules.
- Add the endpoints that you want to track in your sequence rules using API Shield's Endpoint Management and make note of the short ID.
- Disable the sequence cookie using your API token, zone ID, and by setting
enabledtofalseon the following API call.
curl --request PUT https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \--header "Authorization: Bearer <API_TOKEN>" \--data '{"enabled": false}'Sequence rules introduces three new fields to Cloudflare Rules. All of these fields reference operations by their short ID. Accounts that have the Fraud Detection subscription can refer to the short ID by viewing the endpoint details via API Shield > Endpoint Management in the Cloudflare dashboard. Accounts without Fraud Detection do not have access to this field.
Cloudflare only stores up to the 10 most recent operations in a sequence for up to one hour. If there are more than 10 operations in the sequence, older operations will be dropped and will not be included in the following fields. Similarly, if an operation happened more than one hour ago, it will also not be included in the following fields.
The customer must request endpoint A before endpoint B.
cf.sequence.current_op eq "bbbbbbbb" andany(cf.sequence.previous_ops[*] == "aaaaaaaa")cf.sequence.current_op eq "bbbbbbbb" andnot any(cf.sequence.previous_ops[*] == "aaaaaaaa")Customer must request endpoint A at least one second before endpoint B.
cf.sequence.current_op eq "bbbbbbbb" andcf.sequence.msec_since_op["aaaaaaaa"] ge 1000cf.sequence.current_op eq "bbbbbbbb" andnot cf.sequence.msec_since_op["aaaaaaaa"] ge 1000Cloudflare only supports HTTPS requests since our cookies set the Secure attribute.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark