Littlegolden, those rules seem over-cautious. I'd say most likely it's one with include or limit. Those parameters are part of the JSON:API spec Flarum is using, so if the firewall blocks them it's guaranteed there will be issues.
I don't believe any of these rules are useful in practice. Modern apps already properly escape most inputs/outputs, and attackers know ways to encode them to bypass the rules anyway...