Simon Willison fixed an overly aggressive Cloudflare WAF rule that was blocking simple single-term searches on his Django-PostgreSQL faceted search engine. The solution: one rule targeting only URLs with at least one ampersand in the query string, `(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")`, leaving bare `?q=term` requests untouched.

The more interesting thread is the tooling path he took to get there. Willison first tried the Cloudflare MCP server with Claude Code, found it could not edit the relevant WAF rules, then pivoted to the Cloudflare REST API directly, also through Claude Code. That failure-and-fallback workflow is documented in the full post.

Read it for the MCP limitation notes specifically. As AI tooling gets bolted onto every API surface, knowing where the gaps are between what an MCP claims to expose and what it actually controls is operationally useful.

[READ ORIGINAL →]