Skip to content

LeakedCredentialDetection

Source: src/Cloudflare/LeakedCredentialCheck/Detection.ts

A custom detection location for Cloudflare Leaked Credential Checks (/zones/{zone_id}/leaked-credential-checks/detections) — a pair of ruleset expressions telling the WAF where to find the username and password in your application’s login requests, so credentials submitted in non-standard payloads can still be checked against breach data.

Requires Leaked Credential Checks to be enabled on the zone (see {@link LeakedCredentialCheck}) — every detection operation fails with the typed LeakedCredentialChecksDisabled error otherwise. The number of custom detections is plan-gated (the free plan allows none — creation fails with the typed DetectionQuotaExceeded error).

Safety: detections carry no ownership markers. When there is no prior state, read scans the zone for an existing detection with the same expressions and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Custom detection locations

Section titled “Custom detection locations”

Detect credentials in a JSON login body

const check = yield* Cloudflare.LeakedCredentialCheck("Lcc", {
  zoneId: zone.zoneId,
});


yield* Cloudflare.LeakedCredentialDetection("LoginBody", {
  // Reference the check's zoneId so the toggle deploys first.
  zoneId: check.zoneId,
  username: 'lookup_json_string(http.request.body.raw, "user")',
  password: 'lookup_json_string(http.request.body.raw, "secret")',
});

Username-only detection

yield* Cloudflare.LeakedCredentialDetection("UsernameHeader",  {
  zoneId: check.zoneId,
  username: 'http.request.headers["x-username"][0]',
});