NameHero Blog

Using Cloudflare’s “URL Normalization” Rules

Bhagwad Park

Published on: April 15, 2021

Categories: Website Security

Last week, Cloudflare announced in a blog post that it was implementing a new feature: URL rewrites on the edge. This is pretty cool. But the post hid another change that I feel is more directly relevant to website owners and to anyone concerned about website security, namely URL normalization. Here’s why that’s important.

Unicode Encoding of URLs

Here’s a simple example. Take the domain namehero.com. Type it into your web browser and visit the site. Everything works as it should, right?

Now type in this URL instead:

%6E%61%6D%65%68%65%72%6F.com

Surprise! It works exactly the same! What’s happened? Simple: I used a Unicode converter to get the hexadecimal code for each letter in “namehero.com” and wrote each one in percent-encoded form (%6E is “n”, %61 is “a”, and so on). The browser automatically decoded these into the human-readable equivalent and displayed the page.

This is just a small example of the various tricks that both benign and malicious users can play to get your browser to do something unexpected. Some years ago, Wordfence documented a devastating workaround that affected Chrome and Firefox users through a phishing attack that was undetectable by humans. What’s even worse is that this behavior appeared to be intended. This is why, even though Chrome released a fix, Firefox still required a manual configuration change.

Many of these policies are implemented with internationalization in mind. But then the security experts and architects of the guts of the Internet also need to figure out how they can be used securely.

Unicoded URLs Can Bypass Firewalls

Now that you know you can visit certain URLs without actually typing in the literal name, it’s not hard to see that the same trick can be used to bypass firewall rules. All an attacker needs to do is replace just one letter of the name with its Unicode equivalent, and the request is through! Here’s a complete list of Unicode replacements for ASCII characters. With something like this, crafting a URL to bypass a firewall is child’s play!

The worst part is that you won’t even realize why your firewall isn’t working. If I check my firewall logs, they render the URL without the Unicode. So I’m left with the impression that a request that should have been blocked somehow slipped through!

Cloudflare’s URL Normalization Solves This

With the latest update, Cloudflare uses URL normalization to first parse the URLs it receives and only then send them through the firewall for processing. So no matter how attackers try to use Unicode characters to bypass the firewall, they still won’t be able to get through.
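The normalize-then-match order described above, as an added example that is not from the original post and is not Cloudflare's implementation. It covers only the percent-escape part of normalization; the `/wp-admin` rule, the function names and the sample paths are assumptions made for the illustration.

```python
import re

# RFC 3986 section 2.3 "unreserved" characters: decoding these never changes meaning.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_escapes(url_part: str) -> str:
    """Decode %XX escapes of unreserved characters and upper-case the others.

    One pass only, so "%2561" stays "%2561" and is never double-decoded.
    """
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return PCT_ESCAPE.sub(fix, url_part)


# Hypothetical rule (an assumption for this example): block paths under /wp-admin.
BLOCKED_PREFIX = "/wp-admin"


def is_blocked(path: str, normalize: bool) -> bool:
    """Apply the prefix rule to the raw path or to its normalized form."""
    candidate = normalize_escapes(path) if normalize else path
    return candidate.startswith(BLOCKED_PREFIX)


# Constructed sample request paths, not taken from real logs.
SAMPLES = [
    "/wp-admin/options.php",    # literal form of the blocked path
    "/wp-%61dmin/options.php",  # one letter percent-encoded
    "/%77p-admin/options.php",  # a different letter percent-encoded
    "/blog/%2fwp-admin",        # reserved "/" escaped: must stay escaped
    "/blog/post-1",             # ordinary request
]


def evaluate(paths):
    """Return (path, blocked_without_normalization, blocked_with_normalization)."""
    return [(p, is_blocked(p, False), is_blocked(p, True)) for p in paths]


if __name__ == "__main__":
    for path, raw, norm in evaluate(SAMPLES):
        print(f"{path:28} raw rule: {raw!s:5}  normalized rule: {norm}")
```

Logging both the raw and the normalized form of each request makes the mismatch described earlier visible: a request that passed a raw-string rule but matches after normalization is the one worth investigating.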

This is tied into the main rewrite update, since they both rely on the same technology. Hence the clubbing of these two issues together in the blog post.

Enabling URL Normalization

To enable URL normalization, go to the configuration settings page under the “Firewall” tab as shown here:

URL Normalization with Cloudflare

Click the “Normalize Incoming URLs” option to turn it on and you’re done! Now you can try violating your firewall rules using Unicode. You’ll see that it doesn’t work anymore.

This Also Applies to Page Rules

Even if you’re not using Cloudflare’s firewall, you’re almost certainly using at least one page rule. If not, you should be! Here are four good uses of Cloudflare’s page rules. Now with URL normalization, these rules will work as expected even if someone purposely or accidentally tries to access them differently.

All in all, a good update from Cloudflare for free. It addresses an issue that I honestly hadn’t even thought about until I read about it!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
