Add a header value criterion in WAF Exclusion Rules

Sometimes it is useful to exclude WAF processing for some header values (e.g. based on the Content-Type value) to avoid false positives. Today the exclusion rule filter doesn't include headers or header values. This is now achievable using routes, but it is an actual WAF exclusion rule so that's where it should be.

  • Paolo Di Liberto
  • Feb 22 2023
  • Guest commented
    2 Mar 02:25pm

    Undesired impact: Because an exclusion rule is pre-populated based on the request log, I don't want to force SecOps to remove all HTTP headers one by one if they don't expect to match a specific header.

    Workaround 2: It's also achievable using a Service Policy.