Skip to content

ContentScanningExpression

Source: src/Cloudflare/ContentScanning/Expression.ts

A custom scan expression (“payload”) for WAF Content Scanning — tells the malicious-uploads scanner where to find encoded or nested content in the request body (/zones/{zone_id}/content-upload-scan/payloads).

An expression’s identity is its payload text within the zone: the API offers create/list/delete only (no update), so changing payload triggers a replacement. The zone must have Content Scanning enabled (see Cloudflare.ContentScanning) — payload calls on a zone where scanning is disabled fail with the typed ContentScanningNotEnabled error.

Safety: expressions carry no ownership markers. When there is no prior state, read scans the zone for an expression with the same payload text and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Creating expressions

Section titled “Creating expressions”

Scan a JSON-embedded file field

const scanning = yield* Cloudflare.ContentScanning("UploadScanning", {
  zoneId: zone.zoneId,
});


yield* Cloudflare.ContentScanningExpression("ScanJsonFile", {
  zoneId: scanning.zoneId,
  payload: 'lookup_json_string(http.request.body.raw, "file")',
});

Scan a base64-encoded form field

yield* Cloudflare.ContentScanningExpression("ScanBase64Document", {
  zoneId: scanning.zoneId,
  payload: 'base64_decode(http.request.body.form["document"][0])',
});