MCP tool calls to api.anthropic.com blocked by Cloudflare WAF (SQL injection rule false positive)
Summary
MCP tool calls that POST through api.anthropic.com get blocked by the Cloudflare WAF when the request body contains common SQL-shaped patterns. The block returns an opaque HTML error page, which leaves the MCP layer with no actionable failure signal.
Minimal repro
Any MCP tool that submits free-form text via POST to api.anthropic.com blocks reliably on this 28-byte payload:
DELETE FROM a; DROP TABLE b;
I tested with the mcp__claude_ai_ctx__store tool (a third-party MCP server — the backend itself does not have a WAF; only the Anthropic edge does). Empirically:
DELETE FROM users WHERE deactivated=1alone — passesDROP TABLE access_tokensalone — passesUPDATE rooms SET admin=truealone — passesSELECT 1; SELECT 2; SELECT 3;— passesDELETE FROM users WHERE deactivated=1; DROP TABLE access_tokens;— blockedDELETE FROM a; DROP TABLE b;— blocked
The pattern is "≥2 destructive SQL keywords separated by ;". Classic OWASP CRS 942.x SQL-injection-stacked-query signature.
Four Ray IDs from my test runs (same regional edge): 9fa7f32a8b6f65dc, 9fa82a4abec7dc74, 9fa82ba65ddfdc74, 9fa82c017ad3dc74.
Real-world impact
I hit this trying to save infrastructure documentation about a Synapse/Matrix homeserver. The block content was prose, not SQL — but it included diagnostic queries as part of the documentation (e.g. example admin-cleanup SQL with DELETE FROM users WHERE ...; ...). The block silently failed:
- The MCP tool returned ~3 KB of raw Cloudflare HTML as the tool error
- Claude Code surfaced this as \"MCP call failed\", no Ray ID extraction, no \"WAF block\" hint
- Same content went through fine via a non-Anthropic transport (direct HTTP to the same backend, bypassing the Cloudflare edge in front of
api.anthropic.com)
Suggested fix
Roughly in priority order:
- Surface WAF blocks as structured errors. Right now the MCP layer passes through the Cloudflare HTML verbatim, which is useless as a tool result. Detect Cloudflare HTML and return JSON like
{\"error\": \"waf_block\", \"ray_id\": \"9fa82c01...\", \"hint\": \"request body matched a security rule\"}. That alone would let MCP clients (and Claude) explain what happened to the user. - Tune CRS rules for
api.anthropic.comPOST bodies. The use case here is legitimate text submission. SQL-stacked-query detection is high false-positive for documentation/code/prose. Either raise the anomaly threshold for POST bodies on MCP endpoints, or disable the specific 942.x rule families on those routes. - Document this failure mode in the Claude Code troubleshooting docs so users hitting it know to chunk content or use an alternate transport.
Environment
- Claude Code (current build, claude-opus-4-7[1m])
- MCP server: third-party (
claude.ai ctx— backend has no WAF; only the Anthropic edge does) - Source IPv6:
2a01:4f8:252:595f::*(Hetzner) - Reproducible 100% of the time on the minimal payload above
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗