An Directus change repeated fields[] query params to avoid Cloudflare WAF “parameter pollution”?

I’m deploying a Directus app on a cloud hosting provider that uses Cloudflare WAF. When I try to log in, the request is blocked with a 403 error.

After investigating, the issue comes from this request made by Directus:

/directus/users/me?fields[]=*&fields[]=role.id

Cloudflare WAF flags this as “parameter pollution” because the same query parameter name (fields[]) appears more than once. I asked the hosting provider to whitelist this behavior, but they refused.

My question is: is there a way to configure Directus to change how this query is generated?
For example, something like:

/directus/users/me?fields[]=*,role.id

instead of multiple fields[] parameters.

Any workaround, configuration option, or supported approach in Directus would be greatly appreciated. Thanks!

The api would accept`/directus/users/me?fields=*,role.id` or `/directus/users/me?fields=*&fields=role.id`. There is no parameter polution here multiple parameters with the same name result in an array of multiple values.

Even though the api accepts various formats it is not currently configurable which syntax the app uses.

For usage with directus i’d recommend trying again to have this invalid rule be disabled. There will be more situations beyond fields that will trigger this rule like sorting by multiple fields or filtering with arrays.