Sometimes it is useful to exclude WAF processing for some header values (e.g. based on the Content-Type value) to avoid false positives. Today the exclusion rule filter doesn't include headers or header values. This is currently achievable using routes, but it is an actual WAF exclusion rule, so that's where it should be.
Undesired impact: Because an exclusion rule is pre-populated based on the request log, I don't want to force SecOps to remove all HTTP headers one by one if they don't expect to match a specific header.
Workaround 2: It's also achievable using a Service Policy.