Sometimes it is useful to exclude WAF processing for some header values (e.g. based on the Content-Type value) to avoid false positives. Today the exclusion rule filter doesn't include headers or header values. This is now achievable using routes, but it is an actual WAF exclusion rule, so that's where it should be.
If you want to disable WAF entirely based on a header match, the "Trusted Client Rules" feature can be used. It's available under HTTP Load Balancer --> Common Security Controls section.
Thanks Sudhir. My idea was something different. E.g. if you want to skip WAF processing for a specific content type for binary file uploads. It is not about disabling a specific signature or violation. But, as said, today you can do that with routes or service policies. Thank you.
There is a section called context.
I don't see any headers in the WAF exclusion rule. You can exclude by domain, path, methods... but not by header name/value (at least, in my tenant).
I wouldn't make header/value fields pre-populated by request logs.
WAF exclusion rules provide the ability to exclude by context (cookies, headers, query params, req body, etc.).
Undesired impact: Because an exclusion rule is pre-populated based on request logs, I don't want to force SecOps to remove all HTTP headers one by one if they don't expect to match a specific header.
Workaround 2: It's also achievable using a Service Policy.