You figured all that out just because the headers indicate the site passed through Cloudflare at one point? That's quite a leap!

If Cloudflare had a default rule that made it impossible to write that string on any site with their WAF, wouldn't this be a lot more widespread? Much more likely someone entered a bad rule into Cloudflare, or Cloudflare isn't involved in that rule at all.

Huh, a bit like "adult-content" filters that would censor Scunthorpe or Wikipedia articles about genitals, maybe Cloudflare saw a market to sell protection for donkeys who can't protect their webapps from getting request-injected.

I think Cloudflare WAF is a good product compared to other WAFs - by definition a WAF is intended to layer on validation that properly built applications should be doing, so it's sort of expected that it would reject valid potentially harmful content.

I think you can fairly criticise WAF products and the people who advocate for them (and created the need for them) but I don't think the CF team responsible can really be singled out.

Unfortunately this is probably a case where the market demands stupidity. The quality engineers don't have a say over market forces.

These WAF features are older than LLMs & vibe coding.

Who knows how many attacks such a "stupid" thing blocks every month?