Wirefilter Examples

This library contains a collection of practical Wirefilter examples that you can use as a reference for building your own filter expressions.


Categories

Basic Filters

These examples demonstrate the foundational concepts of Wirefilter expressions, including basic comparison operators and logical operations.

Simple Equality Comparison

Matches when the HTTP host is exactly "example.com"
http.host == "example.com"

Simple Boolean

Matches when SSL is enabled
ssl

Basic Logical AND

Matches when the HTTP host is "api.example.com" AND the request path starts with "/v2"
http.host == "api.example.com" && starts_with(http.request.uri.path, "/v2")

Basic Logical OR

Matches when the HTTP host is either "example.com" OR "www.example.com"
http.host == "example.com" || http.host == "www.example.com"

Negation with NOT

Matches when the HTTP method is NOT "POST". The two forms shown are equivalent; either one can be used on its own.
!(http.method == "POST") or http.method != "POST"

HTTP Filters

These examples focus on filtering HTTP traffic based on various HTTP headers, methods, and content.

Filter by HTTP Method

Matches when the HTTP method is either GET or HEAD
http.method in {"GET" "HEAD"}

Filter by URL Path

Matches when the request path contains "admin"
http.request.uri.path contains "admin"

Filter by URL Parameters

Matches when the query string contains "debug=" (a substring test, so a parameter such as "nodebug=" also matches)
http.request.uri.query contains "debug="

Filter by Specific HTTP Header

Matches when the user agent contains "Mozilla"
http.user_agent contains "Mozilla"

Check Referrer Domain

Matches when the referrer header contains "facebook.com"
http.referer contains "facebook.com"

Access Custom Header

Matches when the X-Custom-Header request header is present with the value "special-value"
http.request.headers["x-custom-header"] == "special-value"

IP Filtering

These examples show how to filter traffic based on IP addresses, ranges, and geo-location.

Match Specific IP

Matches when the source IP is exactly 192.168.1.1
ip.src == 192.168.1.1

Match IP in CIDR Range

Matches when the source IP is in the 10.0.0.0/8 private network range
cidr(ip.src, "10.0.0.0/8")

Match IPv6 Address

Matches when the destination IP is a specific IPv6 address
ip.dst == 2606:4700:4700::1111

Filter by Country

Matches when the source IP is from the United States
ip.geoip.country == "US"

Filter by Specific ASN

Matches traffic from a specific autonomous system number (AS13335 is Cloudflare)
ip.geoip.asnum == 13335

Security Filters

These examples focus on security-related filtering to identify potential threats or vulnerabilities.

SQL Injection Detection

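Basic detection of SQL injection attempts in URL parameters: matches a single quote, a "--" comment marker, or "#", in literal or percent-encoded form, anywhere in the query string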
http.request.uri.query matches "(\%27)|(\')|(--)|(%23)|(#)"
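
The pattern above is broad, so it is worth measuring what it flags before deploying it. The following is an added example, not part of the original library: it runs the same regex body over constructed query strings and reports which token triggered each match. It assumes "matches" performs an unanchored search; the sample strings, labels, and function names are hypothetical.

```python
import re

# Regex body copied from the filter above. The backslashes before % and '
# are redundant escapes: they match a literal % and a literal '.
SQLI_PATTERN = re.compile(r"(\%27)|(\')|(--)|(%23)|(#)")

# Constructed raw query strings, labelled by hand:
# True = a reviewer would treat it as an injection attempt.
SAMPLES = [
    ("id=1%27%20OR%20%271%27=%271", True),
    ("id=1'--", True),
    ("name=O%27Brien", False),        # legitimate surname
    ("slug=release--notes", False),   # double hyphen in a slug
    ("color=%23ff0000", False),       # percent-encoded hex colour
    ("page=2&sort=asc", False),
]


def trigger(query):
    """Return the token that makes the filter match, or None."""
    m = SQLI_PATTERN.search(query)  # assumption: unanchored, like `matches`
    return m.group(0) if m else None


def triage(samples):
    """Count outcomes and collect benign queries the filter would flag."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    false_positives = []
    for query, is_attack in samples:
        token = trigger(query)
        if token is not None and is_attack:
            counts["tp"] += 1
        elif token is not None:
            counts["fp"] += 1
            false_positives.append((query, token))
        elif is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts, false_positives


if __name__ == "__main__":
    counts, fps = triage(SAMPLES)
    print(counts)
    for query, token in fps:
        print(f"benign but flagged: {query!r} (token {token!r})")
```

Running the same triage over a sample of real access-log query strings shows whether the rule is better suited to logging or challenging than to outright blocking.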

XSS Attack Detection

Basic detection of Cross-Site Scripting attempts
http.request.uri.query matches "(

Complex Filters

These examples demonstrate more sophisticated filtering techniques combining multiple conditions.

API Rate Limiting Exception

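Complex rule for whitelisting trusted IPs from rate limiting on an API: matches requests whose path starts with "/api/" and that neither come from 192.168.0.0/16 nor carry the trusted x-api-key value, i.e. the requests that rate limiting should still apply to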
starts_with(http.request.uri.path, "/api/") && !(cidr(ip.src, "192.168.0.0/16") || http.request.headers["x-api-key"] == "trusted-key-abc123")

Multi-factor Bot Detection

Combines multiple factors to identify suspicious bot traffic
cf.client.bot && http.user_agent contains "bot" && http.request.headers["accept-language"] == "" && cf.threat_score > 20

Admin Access Protection

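Restricts admin access to specific IPs and authenticated users: matches requests to "/admin" paths that do not come from 10.0.0.0/8 and do not carry an "admin_session=" cookie. The cookie test checks presence only, not validity.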
http.request.uri.path contains "/admin" && !(cidr(ip.src, "10.0.0.0/8") || http.cookie contains "admin_session=")

Community Filters

These filters were contributed by the Wirefilter community. Feel free to submit your own useful filters!

Advanced Cache Bypass Detection

Detects requests attempting to bypass CDN caching through various techniques (submitted by Josh R. on May 7, 2025)
http.request.uri.query contains "nocache" or http.request.uri.query contains "bypass" or http.request.headers["pragma"] == "no-cache" or http.request.headers["cache-control"] contains "no-store"