How Can I Safely Encode User Input for Azure WAF without Losing Valid Characters?

Asked By CuriousCoder42 On

I'm working on an ASP.NET web application that uses Azure Application Gateway with WAF enabled. I've been facing a frustrating issue where Azure WAF keeps blocking valid user input, particularly in address fields. For instance, a Bulgarian client's address contains the character '№', which is perfectly legitimate, but WAF flags it as potentially dangerous. I have to manually remove such characters, and I really don't want to do that since they are part of real customer addresses. This issue also extends to other quotation marks used on Bulgarian keyboards. I've come across similar issues where WAF blocks characters like "", and I noticed the solutions typically suggest either turning off the rule or adding exclusions. However, I'm hesitant to disable core rules just for this one field. What's the best way to ensure that user inputs with characters like '№' or Bulgarian quotes can pass through Azure WAF without being blocked, without having to disable important security rules or stripping out valid data?

2 Answers

Answered By CodeMasterX On

The main issue lies with Azure creating its own variations of the OWASP rules. You can enable logging to identify which rules are causing the blocks, but the actual modified rules aren’t accessible. I switched to using an Nginx Ingress Controller in AKS as my WAF, which allows for the original OWASP rules, but that won't be a long-term solution since it won’t be supported after April 2026. For now, it's about trying to guess the blocking rules from logs and turning off those pesky specifics.
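The approach the first answer describes (read the WAF log to find the rule that fires, then exclude only that rule for only the one field, instead of disabling the rule across the whole policy) looks like this in Bicep. This is an added example, not code from the thread or from Microsoft. The policy name, the form field name `address`, the CRS version 3.2 and the API version are assumptions, and the rule ID and rule group are deliberately left as parameters to be filled from the log, because the thread does not say which rule trips on '№'.

```bicep
// Added example, not from the original thread. Assumes an Application
// Gateway WAF v2 policy in Prevention mode on OWASP CRS 3.2, a form field
// named "address" (hypothetical), and a rule ID / rule group copied from
// the WAF log entry for the blocked request.
//
// Find the rule first. With diagnostic logs sent to Log Analytics, the
// legacy AzureDiagnostics table carries the rule ID and message per block:
//   AzureDiagnostics
//   | where Category == "ApplicationGatewayFirewallLog"
//   | where action_s == "Blocked"
//   | summarize hits = count() by ruleId_s, Message, requestUri_s
//   | order by hits desc

@description('Name of the WAF policy (assumption).')
param policyName string = 'waf-policy-example'

param location string = resourceGroup().location

@description('Name of the request argument to exempt, i.e. the address form field (assumption).')
param addressFieldName string = 'address'

@description('Rule ID taken from ruleId_s in the WAF log; not hard-coded here.')
param blockedRuleId string

@description('Rule group that owns blockedRuleId, e.g. from the log Message.')
param blockedRuleGroup string

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
          // No ruleGroupOverrides: the rule stays enabled for every other
          // field, header, cookie and URI.
        }
      ]
      exclusions: [
        {
          // Exempt only the value of the named form field ...
          matchVariable: 'RequestArgNames'
          selectorMatchOperator: 'Equals'
          selector: addressFieldName
          // ... and only from the single rule the log shows firing on '№'.
          // Omitting exclusionManagedRuleSets would exempt the field from
          // every managed rule, which is the broader exclusion to avoid.
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [
                {
                  ruleGroupName: blockedRuleGroup
                  rules: [
                    {
                      ruleId: blockedRuleId
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Per-rule scoping via `exclusionManagedRuleSets` is only available on WAF v2 with a reasonably recent API version, so check the property against the ARM reference for the version you deploy with. Before committing the exclusion, look at what the identified rule actually protects against: exempting a free-text address field from a protocol or encoding check is a different risk from exempting it from an injection rule, and the log's `Message` tells you which one you are dealing with.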

Answered By TechSavvy_81 On

I had a ton of false positives with Azure WAF as well. We ended up switching to Cloudflare, which has better detection, but it does come with the drawback of additional dependencies. It may sound cleaner, but I totally understand the concerns with adding unnecessary complexity. In the end, I might just disable that specific rule because it’s the simplest workaround right now.
