gav a day ago

It's more so that Cloudflare has a WAF product that checks a box for security and makes people whose job it is to care about boxes being checked happy. For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:

We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use. We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.
krferriter a day ago | parent

> For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error

> We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

this causes me pain
WesolyKubeczek 3 hours ago | parent
Why in the world should those be 500 even? Those all are "40x client fuckup". I guess someone was told, when compiling those strings, that they should observe this known-good implementation (that actually crashed upon receiving such things) and record whatever it returns, and then mandate it of everyone else from now on. |
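As an added illustration of what the thread is arguing about (the compliance suite gav describes, and WesolyKubeczek's point that a refused request is a client error, not a 500), here is a small Python request screen. It is example code written for this thread, not Cloudflare's product or anything a commenter posted. The denylist is constructed for the example; only `/etc/hosts` comes from the thread, and the function names `screen_request` and `run_suite` are assumptions.

```python
"""Toy front-end request screen in the spirit of the WAF checkbox suite
discussed above. Added example, not code from any commenter or vendor."""
from http import HTTPStatus
from urllib.parse import unquote

# Constructed denylist: substrings a checkbox-style suite expects to be refused.
# Only "/etc/hosts" appears in the thread; the rest are illustrative.
DENY_SUBSTRINGS = ("/etc/hosts", "../", "c:\\windows")

# Bound on nested percent-decoding so "%252e" style double encoding is
# normalised without looping forever on pathological input.
MAX_DECODE_ROUNDS = 3


def normalise(target: str) -> str:
    """Percent-decode until stable (or the round limit) and lower-case."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def screen_request(target: str) -> int:
    """Return the HTTP status a front-end filter should answer for `target`.

    A matched request is refused with 403 (a 4xx client error): the server
    did not fail, it declined the request by policy. Returning 500 here would
    only imitate an implementation that crashed on such input.
    """
    decoded = normalise(target)
    for needle in DENY_SUBSTRINGS:
        if needle in decoded:
            return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def run_suite(cases, expected=HTTPStatus.FORBIDDEN):
    """Mimic the compliance suite: return the cases that did NOT get `expected`.

    An empty list means the filter "passes" the suite for that expectation.
    """
    return [case for case in cases if screen_request(case) != expected]


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real scan.
    suite = ["/download?f=/etc/hosts", "/%2e%2e/%2e%2e/etc/hosts", "/index.html"]
    print("not refused:", run_suite(suite))
```

The suite check is deliberately status-code driven: a compliance tool that insists on 500 would report this filter as failing even though every listed string is refused, which is exactly the mismatch the thread is describing.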