Skip to content

FraudDetectionSettings

Source: src/Cloudflare/Fraud/FraudDetectionSettings.ts

The fraud-detection (Fraud User Profiles) settings of a Cloudflare zone (/zones/{zone_id}/fraud_detection/settings) — a zone-scoped singleton: every zone always has exactly one fraud-detection settings object, so there is no create or delete on the Cloudflare side. Reconciling this resource adopts the singleton and PUTs only the fields you explicitly set, leaving every other field untouched.

Fraud Detection is a beta, subscription-gated product: writing userProfiles, non-empty usernameExpressions, or authenticationSettings fails with FraudDetectionNotEntitled unless the zone has a fraud detection subscription.

On destroy, the resource restores the fields it managed to the values observed before its first write (the initialSettings snapshot). Fields that were never set by this resource are not touched. authenticationSettings that did not exist before the first write cannot be cleared and are left as-is.

Fraud User Profiles

Section titled “Fraud User Profiles”
yield* Cloudflare.FraudDetectionSettings("Fraud", {
  zoneId: zone.zoneId,
  userProfiles: "enabled",
  usernameExpressions: [
    'lookup_json_string(http.request.body.raw, "username")',
  ],
});

Authentication outcome classification

Section titled “Authentication outcome classification”
yield* Cloudflare.FraudDetectionSettings("Fraud", {
  zoneId: zone.zoneId,
  userProfiles: "enabled",
  authenticationSettings: {
    successCriteria: { kind: "status_code", statusCodes: [200] },
    failureCriteria: { kind: "status_code", statusCodes: [401, 403] },
  },
});

Username expressions only

Section titled “Username expressions only”
yield* Cloudflare.FraudDetectionSettings("Fraud", {
  zoneId: zone.zoneId,
  usernameExpressions: [],
});