Add an header value criteria in WAF Exclusion Rules

Sometimes it is useful to exclude WAF processing for some header values (e.g. based on the Content-Type value) to avoid false positives. Today the exclusion rule filter doesn't include headers or header values. This is now achievable using routes, but it is an actual WAF exclusion rule, so that's where it should be.

  • Paolo Di Liberto
  • Feb 22 2023
  • Will not implement
  • Admin
    SUDHIR PATAMSETTI commented
    April 07, 2023 15:19

    If you want to disable WAF entirely based on a header match, the "Trusted Client Rules" feature can be used. It's available under HTTP Load balancer --> Common Security Controls section.

  • Paolo Di Liberto commented
    April 07, 2023 08:57

    Thanks Sudhir. My idea was something different, e.g. if you want to skip WAF processing for a specific content type for binary file uploads. It is not about disabling a specific signature or violation. But, as said, today you can do that with routes or service policies. Thank you.

  • Admin
    SUDHIR PATAMSETTI commented
    April 06, 2023 16:23

    There is a section called context.

  • Paolo Di Liberto commented
    April 06, 2023 15:54

    I don't see any headers in the WAF exclusion rule. You can exclude by domain, path, methods... but not header name/value (at least, in my tenant).

    I wouldn't make header/value fields pre-populated by request logs.

  • Admin
    SUDHIR PATAMSETTI commented
    April 06, 2023 14:33

    WAF exclusion rules provide the ability to exclude by context (cookies, headers, query params, req body, etc.)

  • Alexis DA COSTA commented
    March 02, 2023 14:25

    Undesired impact: because an exclusion rule is pre-populated based on the request log, I don't want to force SecOps to remove all HTTP headers one by one if they don't expect to match a specific header.

    Workaround 2: it's also achievable using a Service Policy.
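To make the request concrete, the following is an added example that is not F5 Distributed Cloud code and was not posted by anyone in this thread. It models an exclusion rule with the criteria mentioned above (domain, path, method) plus the proposed header name/value criterion, and evaluates whether a request may skip WAF processing. The rule fields, the `Request` shape and the sample requests are assumptions. Two points a defender wants from such a rule are built in: the Content-Type check compares the parsed media type exactly (so a value that merely contains `application/octet-stream` in a parameter does not match), and a linter flags rules that key only on headers, since the client controls every header it sends and an exclusion scoped only by a header would apply to any path.

```python
"""Toy evaluator for WAF exclusion rules with a header-value criterion.

Illustrative code only (assumption): not F5 Distributed Cloud's implementation;
the rule fields below are modelled on the criteria discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Request:
    domain: str
    method: str
    path: str
    headers: Dict[str, str]  # header names are matched case-insensitively


@dataclass
class ExclusionRule:
    """Criteria are ANDed; an empty/None criterion matches anything."""
    name: str
    domains: Tuple[str, ...] = ()
    methods: Tuple[str, ...] = ()
    path_prefix: Optional[str] = None
    header_name: Optional[str] = None
    header_value: Optional[str] = None  # for Content-Type: the bare media type


def media_type(content_type: str) -> str:
    """Return the bare, lower-cased media type, e.g. 'application/octet-stream'
    from 'application/octet-stream; charset=binary'. Parameters are dropped."""
    return content_type.split(";", 1)[0].strip().lower()


def get_header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def rule_matches(rule: ExclusionRule, req: Request) -> bool:
    if rule.domains and req.domain.lower() not in {d.lower() for d in rule.domains}:
        return False
    if rule.methods and req.method.upper() not in {m.upper() for m in rule.methods}:
        return False
    if rule.path_prefix and not req.path.startswith(rule.path_prefix):
        return False
    if rule.header_name:
        actual = get_header(req, rule.header_name)
        if actual is None:
            return False
        if rule.header_value is not None:
            if rule.header_name.lower() == "content-type":
                # Exact match on the parsed media type, never a substring test.
                if media_type(actual) != rule.header_value.strip().lower():
                    return False
            elif actual.strip() != rule.header_value.strip():
                return False
    return True


def skip_waf(rules: Iterable[ExclusionRule], req: Request) -> Optional[str]:
    """Return the name of the first matching exclusion rule, or None when the
    request must still go through WAF processing."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.name
    return None


def is_well_scoped(rule: ExclusionRule) -> bool:
    """A header criterion alone is attacker-controlled input; require that it
    be combined with at least one of domain, method or path prefix."""
    if rule.header_name is None:
        return True
    return bool(rule.domains or rule.methods or rule.path_prefix)


# Constructed sample rule: skip WAF only for binary uploads on the upload API.
RULES = [
    ExclusionRule(
        name="binary-upload",
        methods=("POST",),
        path_prefix="/api/upload",
        header_name="Content-Type",
        header_value="application/octet-stream",
    ),
]

if __name__ == "__main__":
    upload = Request("app.example.com", "POST", "/api/upload/file",
                     {"content-type": "application/octet-stream; charset=binary"})
    print("upload ->", skip_waf(RULES, upload))          # binary-upload
    login = Request("app.example.com", "POST", "/login",
                    {"Content-Type": "application/octet-stream"})
    print("login  ->", skip_waf(RULES, login))           # None (still inspected)
```

Running the block shows the upload request matching the rule while a request carrying the same Content-Type to another path is still inspected. The `is_well_scoped` check is the kind of validation a portal could apply when saving a rule, so that a header-only exclusion is refused or at least warned about.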