Closed danwashusen closed 1 year ago
I agree. In general, we need to enrich the Web ACL with more custom rules. In my case, I need to allow certain hosts to perform a lot of requests or to send requests with SQL-injection-like queries without blocking them.
Thanks for the suggestions. Custom rules are not in the scope of this solution at this time, but we have added your requests to our backlog and will evaluate them for future releases. For now, you can use the AWS WAF console to create custom rules, or feel free to modify the source code (the webacl and main templates) to add custom rules that fit your use case.
@aijunpeng Thanks for the response. While I'm definitely interested in this as an official feature, what I was actually asking for is some guidance in how the solution can/should be modified to suit (what seems like) a pretty common requirement...
Even a short guide on achieving the same via the UI would be helpful, I imagine, to a lot of people...
You can try updating the statement for XssRule in the aws-waf-security-automations-webacl.template source code, or updating XssRule via the WAF console -> Rule JSON editor.
Closing the ticket due to user inactivity.
Hi!
We've been following the WAFv2 implementation guide and have managed to get the solution up and running for our app. Overall, most things seem to be working great; however, we have a few requests that are now returning 403s due to false positives (e.g. XSS, image upload, etc.).
Is there any guidance available on how we should go about modifying the solution to accommodate the false positives (without resorting to the UI)?
Seems like it would be a pretty common scenario. Maybe we could modify the solution to include a simple 'URL allow list' config value (or something)...?
Thanks!
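The maintainer's suggestion (edit the XssRule statement in aws-waf-security-automations-webacl.template, or paste a new statement into the console's Rule JSON editor) and the "URL allow list" idea in the issue can both be covered by the same WAFv2 construction: keep the original rule statement and AND it with NOT(request path starts with an exempt prefix). The script below is an added example, not code from the aws-waf-security-automations project. The XSS_RULE dict is a constructed, cut-down stand-in for the solution's real XssRule (which also inspects cookies, headers and the URI path), and the function names exempt_path_prefixes, _path_prefix_match and rule_json are hypothetical. It is written for any WAFv2 rule, not only XssRule, so the same wrapper works for the SQL-injection rule mentioned in the comments.

```python
"""Scope an AWS WAFv2 rule so that requests under chosen URI path prefixes are
exempt from it (added example; not the project's own code)."""
import copy
import json

# Constructed sample: a simplified XssRule in WAFv2 rule-JSON form.
XSS_RULE = {
    "Name": "XssRule",
    "Priority": 50,
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "XssRule",
    },
    "Statement": {
        "OrStatement": {
            "Statements": [
                {"XssMatchStatement": {
                    "FieldToMatch": {"QueryString": {}},
                    "TextTransformations": [
                        {"Priority": 1, "Type": "URL_DECODE"},
                        {"Priority": 2, "Type": "HTML_ENTITY_DECODE"},
                    ],
                }},
                {"XssMatchStatement": {
                    "FieldToMatch": {"Body": {}},
                    "TextTransformations": [
                        {"Priority": 1, "Type": "URL_DECODE"},
                        {"Priority": 2, "Type": "HTML_ENTITY_DECODE"},
                    ],
                }},
            ]
        }
    },
}


def _path_prefix_match(prefix: str) -> dict:
    """ByteMatchStatement: URI path starts with `prefix`.
    No URL_DECODE on purpose: an encoded path such as /api/%75pload does not
    match the exemption, so it is still inspected (fails closed)."""
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            # A plain string in console / CloudFormation JSON; the boto3 API
            # expects bytes here instead.
            "SearchString": prefix,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }
    }


def exempt_path_prefixes(rule: dict, prefixes: list[str]) -> dict:
    """Return a copy of `rule` whose Statement is
    AND(original statement, NOT(path matches any prefix)).
    AndStatement/OrStatement need at least two children in WAFv2, so a single
    prefix is used directly rather than wrapped in an OrStatement."""
    if not prefixes:
        raise ValueError("no exempt prefixes given")
    for p in prefixes:
        # "/" would exempt every request; a relative prefix can never match.
        if not p.startswith("/") or p == "/":
            raise ValueError(f"refusing prefix {p!r}")
    matches = [_path_prefix_match(p) for p in prefixes]
    allow = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
    new_rule = copy.deepcopy(rule)
    original = new_rule["Statement"]
    new_rule["Statement"] = {
        "AndStatement": {
            "Statements": [original, {"NotStatement": {"Statement": allow}}]
        }
    }
    return new_rule


def rule_json(rule: dict) -> str:
    """Text to paste into WAF console -> rule -> Rule JSON editor."""
    return json.dumps(rule, indent=2)


if __name__ == "__main__":
    print(rule_json(exempt_path_prefixes(XSS_RULE, ["/api/upload", "/admin/editor"])))
```

The printed JSON can be pasted into the Rule JSON editor for the existing XssRule, or transcribed into the XssRule resource's Statement in aws-waf-security-automations-webacl.template. Scoping a single rule this way is narrower than adding a higher-priority custom rule with an Allow action for the same path: Allow terminates evaluation and would skip every later rule in the Web ACL, not just the one producing false positives. Two caveats: the exempted paths receive no XSS inspection at all, so the application must validate that input itself, and the extra nested statements raise the rule's WCU cost, which counts against the Web ACL capacity limit.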