DenyRules

microgateway.airlock.com/v1alpha1


DenyRules configures request filtering using Airlock built-in and custom deny rules. Deny rules establish a negative security model: they define prohibited patterns, and a request that matches one is blocked from reaching the upstream web application. To handle possible false positives, lower the security level or define fine-grained deny rule exceptions. If undefined, default settings are applied, which are designed to work with most upstream web application services.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: ...
spec:
  ...
```

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: default
spec:
  request:
    builtIn:
      settings:
        level: Standard
        threatHandlingMode: Block
    custom: {}
```
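
A manifest that tunes false positives with the fields documented in this reference, given here as an added example and not taken from the Airlock documentation. The resource name, parameter name, paths, header name and custom rule key are constructed, and the example assumes that the `ruleKeys`, `blockedData` and `requestConditions` of one exception narrow it jointly, which the reference does not spell out.

```yaml
# Added example: every name and value below is constructed for illustration.
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: webshop-example
spec:
  request:
    builtIn:
      settings:
        level: Strict              # default is Standard
        threatHandlingMode: Block  # default
      overrides:
        # Run the TEMPLATE rule in LogOnly mode for JSON properties only,
        # while all other built-in rules keep blocking.
        - conditions:
            ruleKeys:
              - TEMPLATE
            types:
              - JSON
          settings:
            threatHandlingMode: LogOnly
      exceptions:
        # False positive: a free-text POST parameter trips the SQL and XSS rules.
        # ruleKeys restricts the exception to these two rules, blockedData to
        # the one parameter, requestConditions to POST requests under one path.
        - ruleKeys:
            - SQL
            - XSS
          blockedData:
            parameter:
              source: Post
              name:
                matcher:
                  exact: comment
          requestConditions:
            method:
              - POST
            path:
              matcher:
                prefix: /reviews/
    custom:
      rules:
        # Additional deny rule: block any request carrying this header.
        - ruleKey: EXAMPLE_DEBUG_HEADER   # must be unique
          threatHandlingMode: Block
          blockData:
            header:
              name:
                matcher:
                  exact: X-Example-Debug
```

An exception without `ruleKeys` is not restricted to particular deny rules, and one defined only through `requestConditions` ignores why the request was blocked, so keep each exception as specific as the false positive allows.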

DenyRules

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
| spec | object | Specification of the desired deny rules behavior. | no | | |

DenyRules.spec

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| request | object | Request configures deny rules for downstream requests. | no | | |

DenyRules.spec.request

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| builtIn | object | BuiltIn configures the built-in deny rules. | no | | |
| custom | object | Custom allows configuring additional deny rules. | no | | |

DenyRules.spec.request.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| exceptions | object[] | Exceptions allows defining exceptions for specific requests and deny rules. | no | | |
| overrides | object[] | Overrides allows overriding the builtIn settings for specific deny rules. | no | | |
| settings | object | Settings contains the keys which will be adjusted. | no | | |

DenyRules.spec.request.builtIn.exceptions[]

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| blockedData | object | BlockedData defines an exception based on the request data causing the block. This can either be a parameter, header, path or JSON property. | no | | parameter{}, header{}, path{}, json{} |
| requestConditions | object | RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. | no | | |
| ruleKeys | DenyRuleKey[] | RuleKeys restricts the exception to a set of deny rules. | no | | SCANNING, IDOR, ENCODING, HTML, HPP, EXPLOIT, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |

DenyRules.spec.request.builtIn.exceptions[].blockedData

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| header | object | Header defines an exception based on a blocked header. Only one of parameter, header, path or json can be set. | no | | |
| json | object | JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path or json can be set. | no | | |
| parameter | object | Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path or json can be set. | no | | |
| path | object | Path defines an exception based on the blocked path. Only one of parameter, header, path or json can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| jsonPath | string | JSONPath defines the JSONPath pattern to match the path within the JSON. | no | | |
| key | object | Key defines the key of the JSON property. | no | | |
| value | object | Value defines the value of the JSON property. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| name | object | Name defines the name of a parameter. | no | | |
| source | enum | Source defines the source of the parameter. | no | Any | Query, Post, Any |
| value | object | Value defines the value of a parameter. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| header | object | Header defines the matching headers of a request. | no | | |
| invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
| mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
| method | enum[] | Method defines the matching methods of a request. | no | | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE |
| path | object | Path defines the matching path of a request. | no | | |
| remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.remoteIP

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
| invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |

DenyRules.spec.request.builtIn.overrides[]

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| conditions | object | Conditions select which built-in deny rules’ settings will be adjusted. | no | | |
| settings | object | Settings override the corresponding properties for the selected rules. | no | | |

DenyRules.spec.request.builtIn.overrides[].conditions

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| ruleKeys | DenyRuleKey[] | RuleKeys is a list of built-in deny rule names. | no | | SCANNING, IDOR, ENCODING, HTML, HPP, EXPLOIT, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |
| types | enum[] | Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. | no | | Header, Parameter, Path, JSON |

DenyRules.spec.request.builtIn.overrides[].settings

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| level | enum | Level specifies the filter strength. | no | | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled. | no | | Block, LogOnly |

DenyRules.spec.request.builtIn.settings

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| level | enum | Level represents a set of deny rules with different filter strengths. | no | Standard | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| rules | object[] | Rules defines a list of additional deny rules. | no | | |

DenyRules.spec.request.custom.rules[]

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| blockData | object | BlockData specifies the request data which should cause a block. | yes | | parameter{}, path{}, header{}, json{} |
| requestConditions | object | RequestConditions defines additional request properties which must be matched in order for this rule to apply. | no | | |
| ruleKey | string | RuleKey defines a technical key for the deny rule. Must be unique. | yes | | |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom.rules[].blockData

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| header | object | Header specifies to block requests containing a matching header. Only one of parameter, path, header or json can be set. | no | | |
| json | object | JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, path, header or json can be set. | no | | |
| parameter | object | Parameter specifies to block requests containing a matching parameter. Only one of parameter, path, header or json can be set. | no | | |
| path | object | Path specifies to block requests with a matching path. Only one of parameter, path, header or json can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| key | object | Key defines the key of a JSON object. | no | | |
| value | object | Value defines the value of a JSON object. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.json.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| name | object | Name defines the name of a parameter. | no | | |
| value | object | Value defines the value of a parameter. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter.name

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.parameter.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter.value

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.parameter.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.path

Field Type Description Required Default Allowed Values
matcher object Matcher specifies which path to block. yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].blockData.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request. no

DenyRules.spec.request.custom.rules[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

DenyRules.spec.request.custom.rules[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

DenyRules.spec.request.custom.rules[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

DenyRules.spec.request.custom.rules[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false
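A pre-deployment check for the matcher and remoteIP tables above, written as an added example (it is not Airlock code). It lints a rule for the documented matcher constraints and dry-runs matchers and CIDR conditions against sample values. Assumptions: Python's `re` stands in for RE2, regex search is unanchored, and the names `lint_matchers`, `matches`, `remote_ip_matches` and `RULE` are hypothetical.

```python
import ipaddress
import re

KINDS = ("exact", "prefix", "suffix", "regex", "contains")
# Matcher tables above that do not list ignoreCase (paths relative to a rule).
NO_IGNORE_CASE = ("requestConditions.header.name", "requestConditions.mediaType")

def lint_matchers(node, path=""):
    """Walk a rule dict and return 'path: problem' strings for every matcher{}."""
    problems = []
    for key, child in node.items():
        if not isinstance(child, dict):
            continue
        if key != "matcher":
            problems += lint_matchers(child, (path + "." + key).lstrip("."))
            continue
        kinds = [k for k in KINDS if k in child]
        if len(kinds) > 1:
            problems.append(path + ": only one of " + "/".join(KINDS) + " can be set")
        for k in kinds:
            if k not in ("exact", "regex") and child[k] == "":
                problems.append(path + ": empty " + k + " is not allowed, use regex")
        if "ignoreCase" in child and path in NO_IGNORE_CASE:
            problems.append(path + ": ignoreCase is not listed for this matcher")
    return problems

def matches(matcher, value):
    """Dry-run one matcher against a string. Python's re stands in for RE2."""
    kind = next(k for k in KINDS if k in matcher)
    pattern, fold = matcher[kind], matcher.get("ignoreCase", False)
    if kind == "regex":
        # ignoreCase wraps the regex in (?i:...); unanchored search is an assumption.
        return re.search("(?i:" + pattern + ")" if fold else pattern, value) is not None
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return {"exact": value == pattern, "prefix": value.startswith(pattern),
            "suffix": value.endswith(pattern), "contains": pattern in value}[kind]

def remote_ip_matches(cond, ip):
    """Evaluate a remoteIP condition (cidrRanges plus optional invert)."""
    addr = ipaddress.ip_address(ip)
    # strict=False: the page's own sample 2001:db8::/28 has host bits set.
    hit = any(addr in ipaddress.ip_network(c, strict=False) for c in cond["cidrRanges"])
    return hit != cond.get("invert", False)

# Constructed sample rule; it uses only fields from the tables above.
RULE = {"blockData": {"parameter": {"name": {"matcher": {"exact": "debug", "ignoreCase": True}}}},
        "requestConditions": {"path": {"matcher": {"prefix": "/api/"}}, "remoteIP": {
            "cidrRanges": ["196.148.3.128/26", "2001:db8::/28"], "invert": True}}}
```

A case-sensitive `contains: admin` does not match `/ADMIN/`, so set `ignoreCase` on matchers that guard case-insensitive upstream paths or parameter names.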

Default Deny Rule Keys

Key Name Description
SCANNING Automated Scanning Prevents automated scanning with standard tools.
IDOR Insecure Direct Object Reference in Path and Parameter Values Prevents insecure direct object references and file inclusion for HTTP paths and parameter values. For paths:
The security levels Basic and Standard prevent directory traversal and injection of certain critical files (e.g. .htaccess).
The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe).
For parameter values:
The security level Basic prevents directory traversal and injection of certain critical files (e.g. /etc/passwd).
The security level Standard prevents injection of known top level directory paths (e.g. /etc/) and critical protocol schemes (e.g. "php://").
The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe), any absolute Windows and UNIX directory path, any protocol scheme or path in universal naming convention format.
ENCODING Encoding and Conversion Exploits in Header and Parameter Value Prevents injection of special encoded characters, such as double URL encoded characters in header values.
HTML HTML Injection in Path, Header and Parameter Value Prevents HTML injection through HTTP paths, header and parameter values. The security level Basic does not prevent any HTML injection. The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="url"). The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.
HPP HTTP Parameter Pollution Prevents HTTP parameter pollution by blocking nested parameters in parameter values.
EXPLOIT Known Exploits Prevents injections of special payloads not covered by the other Deny Rules.
LDAP LDAP Injection in Header and Parameter Value Prevents LDAP query injection in header and parameter values.
NOSQL NoSQL Injection in Header Value and Parameter Name and Value Prevents NoSQL injection in header values and in parameter names and values.
OGNL Object Graph Navigation Library (OGNL) injection (Apache Struts) Prevents OGNL injection.
PHP PHP Injection in Header Value and Parameter Value Prevents PHP code injection in header and parameter values.
PROTOCOL HTTP Protocol Integrity Prevents HTTP response splitting by blocking injection of an HTML response body or response header.
SANITY Sanity of Header and Parameter Prevents injection of special encoded characters in header names and values.
SQL SQL Injection (SQLi) in Header and Parameter Value Prevents SQL injection for header and parameter values. The security level Basic prevents injection of new SQL statements (e.g. ; DROP TABLE) and set operations (e.g. UNION SELECT). The security level Standard further prevents injection of SQL sub queries and SQL expressions in single quote context (e.g. ' or 1=1--). The security level Strict further prevents SQLi in unquoted context (e.g. 1 or 1).
TEMPLATE Template and Expression Language Injection Prevents template and expression language injections for various client-side and server-side templating engines.
UNIXCMD UNIX Command Injection in Header and Parameter Value Prevents UNIX command injections through HTTP header and parameter values.
WINCMD Windows Command Injection in Header and Parameter Value Prevents Windows command injections through HTTP header and parameter values.
XSS Cross-Site Scripting (XSS) in Path, Header and Parameter Value Prevents Cross-Site Scripting attacks for paths, header and parameter values. The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload"). The security level Standard prevents injection of JavaScript code in quoted context. The security level Strict prevents injection of JavaScript code in unquoted context.