The current WAF exclusion rule allows rules to be applied based on the domain, path and method. These are all aspects of the http request. It would be great if this could be extended to the http request headers. For example, only performing the exclusion if the user-agent header matched a specific string or regex. Exactly how the API protection feature works which allows for matching on any header with specific area for cookie header matching and 3rd specific are for query string parameter matching.

While this can be accomplished via routes, doing so via WAF exclusion rules is a more direct and intuitive approach.

WAF-exclusion-r...

×

Attachments Open full size