I'm trying to find a way to exclude certain URL paths from my Web Application Firewall (WAF) managed rule policies because they're triggering SQL injection rules, leading to too many false positives. When I attempt to add an exclusion for a specific rule, I notice there's no option to base it on the request URI. I understand that creating a custom rule would allow me to control this, but I worry that using custom rules would ignore other important rules, especially since I only want to exclude certain anomalies without negating the overall protection. Is there really no way to exclude URLs on a per-rule basis within the managed rules?
4 Answers
As for managed rules in FD WAF, the closest workaround is using a query string argument name for exclusions on a per-rule basis. It’s not perfect, but it’s something!
If you're open to changing the routing rule, consider switching to path-based routing. You could include those paths and attach a policy with your needed exclusions. Just keep in mind that rules are processed in the order they're listed, so set your wildcards as the least specific at the end!
You're right! Currently, there's no way to exclude specific request URIs for managed rules without using custom rules. It’s a bit of a bummer, but the good news is that this feature might change in the future.
Exactly! If you use a custom rule, it does override all other rules, which isn’t ideal since you want to keep some protections active. I often reserve custom rules for cases where nothing else works.