DenyRules

microgateway.airlock.com/v1alpha1


DenyRules configures request filtering using Airlock built-in and custom deny rules.
Deny rules establish a negative security model: they define prohibited patterns which, when a match is found in a request, cause the request to be blocked before it reaches the upstream web application.
To handle possible false positives, lower the security level or define fine-grained deny rule exceptions.
If undefined, default settings are applied, which are designed to work with most upstream web application services.

apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: deny-rules-example
spec:
  request:
    builtIn:
      settings:
        # Use the deny rules in security level 'Strict'
        level: Strict
        # Explicitly set the 'threatHandlingMode' to 'Block'
        threatHandlingMode: Block
      overrides:
        # Set the deny rule security level to 'Standard' for
        # the deny rule 'XSS' if it is applied to request parameters.
        - conditions:
            ruleKeys:
              - XSS
            types:
              - Parameter
          settings:
            level: Standard
      exceptions:
        # Define a deny rule exception for the deny rule 'SQL'
        # for the query parameter 'search' on GET requests
        # under the path prefix '/member/'.
        - blockedData:
            parameter:
              name:
                matcher:
                  exact: search
              source: Query
          requestConditions:
            path:
              matcher:
                prefix: /member/
            method:
              - GET
          ruleKeys:
            - SQL
    custom:
      rules:
        # Define a custom deny rule which blocks requests
        # containing a 'referer' header matching the regex '.*bad.tv'.
        - ruleKey: CM_REFERRER_BLOCK
          blockData:
            header:
              name:
                matcher:
                  exact: referer
              value:
                matcher:
                  regex: .*bad.tv

# Default settings, applied when no DenyRules object is defined.
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: default
spec:
  request:
    builtIn:
      settings:
        level: Standard
        threatHandlingMode: Block
    custom: {}

DenyRules

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. | yes | | |
| spec | object | Specification of the desired deny rules behavior. | no | | |

DenyRules.spec

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | object | Request configures deny rules for downstream requests. | no | | |

DenyRules.spec.request

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn configures the built-in deny rules. | no | | |
| custom | object | Custom allows configuring additional deny rules. | no | | |

DenyRules.spec.request.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| exceptions | object[] | Exceptions defines exceptions for specific requests and deny rules. | no | | |
| overrides | object[] | Overrides overrides the builtIn settings for specific deny rules. | no | | |
| settings | object | Settings contains the keys which will be adjusted. | no | | |

DenyRules.spec.request.builtIn.exceptions[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| blockedData | object | BlockedData defines an exception based on the request data causing the block. | no | | parameter{}, header{}, path{}, pathSegment{}, json{} |
| requestConditions | object | RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. | no | | |
| ruleKeys | DenyRuleKey[] | RuleKeys restricts the exception to a set of deny rules. | no | | ENCODING, EXPLOIT, HPP, HTML, IDOR, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SCANNING, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |

DenyRules.spec.request.builtIn.exceptions[].blockedData

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines an exception based on a blocked header. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| json | object | JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| parameter | object | Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| path | object | Path defines an exception based on the blocked path. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| pathSegment | object | PathSegment defines an exception based on a blocked path segment. Only one of parameter, header, path, pathSegment or json can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jsonPath | string | JSONPath defines the JSONPath pattern to match the path within the JSON. Expressions in JSONPath, i.e. ?(expr), are not supported. | no | | |
| key | object | Key defines the key of the JSON property. At most one of key and value can be set. | no | | |
| value | object | Value defines the value of the JSON property. At most one of key and value can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.json.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a parameter. | no | | |
| source | enum | Source defines the source of the parameter. | no | Any | Query, Post, Any |
| value | object | Value defines the value of a parameter. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.parameter.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| segments | object | Segments defines the position of a segment within the path. | no | | index{} |
| value | object | Value defines the value of a path segment. | no | | |

DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.segments

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| index | int | Index specifies an exact path segment position by index (0-based). | no | | [0, 9223372036854775807] |

DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].blockedData.pathSegment.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines the matching headers of a request. | no | | |
| invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
| mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
| method | enum[] | Method defines the matching methods of a request. | no | | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE |
| path | object | Path defines the matching path of a request. | no | | |
| remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.mediaType.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.builtIn.exceptions[].requestConditions.remoteIP

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
| invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |

DenyRules.spec.request.builtIn.overrides[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| conditions | object | Conditions select which built-in deny rules’ settings will be adjusted. | no | | |
| settings | object | Settings override the corresponding properties for the selected rules. | no | | |

DenyRules.spec.request.builtIn.overrides[].conditions

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| ruleKeys | DenyRuleKey[] | RuleKeys is a list of built-in deny rule names. | no | | ENCODING, EXPLOIT, HPP, HTML, IDOR, LDAP, NOSQL, OGNL, PHP, PROTOCOL, SANITY, SCANNING, SQL, TEMPLATE, UNIXCMD, WINCMD, XSS |
| types | enum[] | Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys, the override is applied to all deny rules. | no | | Header, Parameter, Path, PathSegment, JSON |

DenyRules.spec.request.builtIn.overrides[].settings

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| level | enum | Level specifies the filter strength. | no | | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled. | no | | Block, LogOnly |

DenyRules.spec.request.builtIn.settings

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| level | enum | Level represents a set of deny rules with different filter strengths. | no | Standard | Unfiltered, Basic, Standard, Strict |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| rules | object[] | Rules defines a list of additional deny rules. | no | | |

DenyRules.spec.request.custom.rules[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| blockData | object | BlockData specifies the request data which should cause a block. | yes | | parameter{}, header{}, path{}, pathSegment{}, json{} |
| requestConditions | object | RequestConditions defines additional request properties which must be matched in order for this rule to apply. | no | | |
| ruleKey | string | RuleKey defines a technical key for the deny rule. Must be unique. | yes | | |
| threatHandlingMode | enum | ThreatHandlingMode specifies how threats should be handled when a deny rule matches. | no | Block | Block, LogOnly |

DenyRules.spec.request.custom.rules[].blockData

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header specifies to block requests containing a matching header. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| json | object | JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| parameter | object | Parameter specifies to block requests containing a matching parameter. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| path | object | Path specifies to block requests with a matching path. Only one of parameter, header, path, pathSegment or json can be set. | no | | |
| pathSegment | object | PathSegment specifies to block requests containing a matching path segment. Only one of parameter, header, path, pathSegment or json can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| key | object | Key defines the key of a JSON object. | no | | |
| value | object | Value defines the value of a JSON object. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.key

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.json.key.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.json.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.json.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a parameter. | no | | |
| value | object | Value defines the value of a parameter. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.parameter.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.parameter.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.parameter.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher specifies which path to block. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].blockData.pathSegment

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| segments | object | Segments restricts which path segments are filtered by this rule. If not specified, all segments of a path are filtered. | no | | index{} |
| value | object | Value specifies which path segment values to block. | yes | | |

DenyRules.spec.request.custom.rules[].blockData.pathSegment.segments

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| index | int | Index restricts the rule to the path segment at this index (0-based). | no | | [0, 9223372036854775807] |

DenyRules.spec.request.custom.rules[].blockData.pathSegment.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].blockData.pathSegment.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines the matching headers of a request. | no | | |
| invert | bool | Invert indicates whether the request condition should be inverted. | no | false | true, false |
| mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | | |
| method | enum[] | Method defines the matching methods of a request. | no | | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE |
| path | object | Path defines the matching path of a request. | no | | |
| remoteIP | object | RemoteIP defines the matching remote IPs of a request. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.header

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.header.name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].requestConditions.header.name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.header.value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].requestConditions.header.value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.mediaType

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].requestConditions.mediaType.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.path

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

DenyRules.spec.request.custom.rules[].requestConditions.path.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

DenyRules.spec.request.custom.rules[].requestConditions.remoteIP

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | yes | | |
| invert | bool | Invert indicates whether the match should be inverted. | no | false | true, false |
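The matcher and request-condition tables above describe semantics that are easy to get wrong when writing a custom rule (one match kind per matcher, empty prefix/suffix/contains rejected, `(?i:...)` wrapping for ignoreCase, `.` not crossing a newline unless the regex starts with `(?s)`, inverted CIDR conditions). The following is an added example, not Airlock's code: a small Python model of those semantics that evaluates a constructed custom rule against constructed requests. Python's `re` stands in for RE2, the regex match is assumed to be anchored (full-string), `invert` on a request condition is modelled as negating the combined result, and the rule key and the domain `bad.example` are placeholders.

```python
"""Added example, not Airlock's code: a model of the StringMatcher and
requestConditions semantics from the tables above. Python's re stands in
for RE2 and the regex match is assumed to be a full-string match."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")


@dataclass
class StringMatcher:
    exact: Optional[str] = None
    prefix: Optional[str] = None
    suffix: Optional[str] = None
    regex: Optional[str] = None
    contains: Optional[str] = None
    ignoreCase: bool = False

    def __post_init__(self):
        # Exactly one match kind may be set; empty prefix/suffix/contains are rejected.
        kinds = [k for k in MATCH_KINDS if getattr(self, k) is not None]
        if len(kinds) != 1:
            raise ValueError("exactly one of exact, prefix, suffix, regex or contains must be set")
        self.kind = kinds[0]
        if self.kind in ("prefix", "suffix", "contains") and getattr(self, self.kind) == "":
            raise ValueError(f"empty {self.kind} is not allowed, use regex instead")
        self.compiled = None
        if self.regex is not None:
            pattern = self.regex
            if self.ignoreCase:
                # ignoreCase wraps the regex in (?i:...). A leading (?s) is kept in
                # front, because Python only accepts a global flag at the very start.
                pattern = ("(?s)(?i:" + pattern[4:] + ")" if pattern.startswith("(?s)")
                           else "(?i:" + pattern + ")")
            self.compiled = re.compile(pattern)

    def matches(self, value: str) -> bool:
        if self.compiled is not None:
            # '.' does not cross a newline unless the pattern starts with (?s).
            return self.compiled.fullmatch(value) is not None
        needle, hay = getattr(self, self.kind), value
        if self.ignoreCase:
            needle, hay = needle.lower(), hay.lower()
        return {"exact": hay == needle, "prefix": hay.startswith(needle),
                "suffix": hay.endswith(needle), "contains": needle in hay}[self.kind]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names already lower-cased
    remote_ip: str


@dataclass
class RemoteIP:
    cidrRanges: List[str]
    invert: bool = False

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # An IPv4 address is never inside an IPv6 range and vice versa.
        hit = any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrRanges)
        return hit != self.invert


@dataclass
class RequestConditions:
    method: Optional[List[str]] = None
    path: Optional[StringMatcher] = None
    remoteIP: Optional[RemoteIP] = None
    invert: bool = False

    def matches(self, req: Request) -> bool:
        # Every configured condition must hold; 'invert' negates the combined result (assumption).
        ok = ((self.method is None or req.method in self.method)
              and (self.path is None or self.path.matches(req.path))
              and (self.remoteIP is None or self.remoteIP.matches(req.remote_ip)))
        return ok != self.invert


@dataclass
class HeaderBlockRule:
    """A custom rule whose blockData is a header name/value pair."""
    ruleKey: str
    name: StringMatcher
    value: StringMatcher
    requestConditions: Optional[RequestConditions] = None

    def blocks(self, req: Request) -> bool:
        if self.requestConditions is not None and not self.requestConditions.matches(req):
            return False
        return any(self.name.matches(n) and self.value.matches(v) for n, v in req.headers.items())


# Constructed rule: on GET requests below /member/ from non-internal clients, block a
# Referer that mentions the placeholder domain bad.example, regardless of case.
REFERER_RULE = HeaderBlockRule(
    ruleKey="CM_REFERER_EXAMPLE",
    name=StringMatcher(exact="referer", ignoreCase=True),
    value=StringMatcher(regex=r".*bad\.example.*", ignoreCase=True),
    requestConditions=RequestConditions(
        method=["GET"],
        path=StringMatcher(prefix="/member/"),
        remoteIP=RemoteIP(cidrRanges=["10.0.0.0/8", "2001:db8::/32"], invert=True),
    ),
)

SAMPLE_REQUESTS = [  # constructed
    Request("GET", "/member/home", {"referer": "http://bad.example/x"}, "203.0.113.5"),
    Request("GET", "/member/home", {"referer": "http://BAD.EXAMPLE/x"}, "203.0.113.5"),
    Request("GET", "/member/home", {"referer": "http://bad.example/x"}, "10.1.2.3"),
    Request("POST", "/member/home", {"referer": "http://bad.example/x"}, "203.0.113.5"),
    Request("GET", "/public/", {"referer": "http://bad.example/x"}, "203.0.113.5"),
    Request("GET", "/member/home", {"referer": "http://good.example/"}, "203.0.113.5"),
]


def evaluate(rule: HeaderBlockRule, requests: List[Request]) -> List[bool]:
    return [rule.blocks(r) for r in requests]


if __name__ == "__main__":
    print(evaluate(REFERER_RULE, SAMPLE_REQUESTS))  # [True, True, False, False, False, False]
```

Only the first two requests are blocked: the third comes from the inverted 10.0.0.0/8 range, the fourth is a POST, the fifth is outside the `/member/` prefix and the sixth has a harmless Referer. The point of the `(?s)` handling is worth checking in your own rules: a multi-line header or body value will not match a `.*` pattern unless the flag is present, and with ignoreCase the wrapped pattern must still keep that flag at the front.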

Default Deny Rule Keys

ENCODING: Encoding and Conversion Exploits in Header and Parameter Value

Prevents injection of special encoded characters, such as double URL encoded characters in header values.

Prevents the Java MIN_VALUE floating point attack in header and parameter values on all security levels.

EXPLOIT: Known Exploits

Protects against the exploitation of specific (e.g., framework-specific) bugs and vulnerabilities by preventing the injection of special payloads not covered by the other deny rules.

For instance, prevents attacks targeting the Spring4Shell vulnerability.
HPP: HTTP Parameter Pollution

Prevents HTTP parameter pollution by blocking nested parameters in parameter values on security level Strict.

In an HTTP parameter pollution (HPP) attack, an attacker injects or supplies HTTP parameters in a way that “confuses” the recipient and which may be interpreted by an application in unexpected ways.
This rule prevents nesting parameters using percent-encoding, as in the example below, where the query parameter some-param

some-param=some-value%26nested-param%3Dnested-value

can be decoded to

some-param=some-value&nested-param=nested-value

and some technologies might accept the disguised nested parameter.

Both client-side and server-side HPP attacks exist; some consequences are application errors, modification of internal state, or the bypassing of input validations and WAF filters.
In some cases attackers try to disguise attack payloads in multiple parameter values in order to avoid detection by a WAF. The application might concatenate the parts again, thereby triggering the attack.
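As an added example (not part of the Airlock documentation), the nested-parameter pattern above can be detected with a few lines of standard-library Python: parse the query string once, as a framework would, then check whether any value would itself parse into more than one parameter, either as-is or after one further percent-decoding pass. The query strings are constructed; the first is the example from the text.

```python
"""Added example, not from the Airlock documentation: a check for the nested
parameter (HPP) pattern. A value is flagged when re-parsing it as a query
string, once as-is and once after one more percent-decoding pass, yields
more than one parameter. Standard library only."""
from urllib.parse import parse_qsl, unquote


def nested_parameters(value: str) -> list:
    """Parameters that would appear if a downstream component re-parsed this value.
    The first pair is the legitimate value itself; anything after it is nested."""
    for candidate in (value, unquote(value)):
        pairs = parse_qsl(candidate, keep_blank_values=True)
        if len(pairs) > 1:
            return pairs[1:]
    return []


def find_hpp(query: str) -> list:
    """Parse the query string once, as a normal framework does (so '%26' and '%3D'
    decode to data, not separators), then inspect every value for hidden pairs.
    Returns [(parameter name, [nested (name, value) pairs]), ...]."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        nested = nested_parameters(value)
        if nested:
            findings.append((name, nested))
    return findings


# Constructed query strings: the page's example, a benign one, and a doubly encoded one.
SAMPLES = [
    "some-param=some-value%26nested-param%3Dnested-value",
    "q=hello%20world&page=2",
    "q=a%2526b%253Dc",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", find_hpp(s) or "clean")
```

The doubly encoded third sample is only caught by the second decoding pass, which is why the check tries both. The same logic also flags a legitimately encoded URL inside a parameter (a `redirect` value containing `%26`), which is exactly the kind of false positive the page's deny rule exceptions are meant for.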
HTML: HTML Injection in Path, Header and Parameter Value

Prevents HTML injection through HTTP paths, header and parameter values.

Similar to a Cross-Site Scripting (XSS) attack, an HTML injection attack injects HTML into a website, which is then loaded and executed by unsuspecting users visiting the compromised site. This way, an attacker can modify the page content and, for example, embed malicious links or try to phish users.
HTML injection vulnerabilities occur when unsanitized user input is stored or reflected as part of the web page. This often happens on websites allowing users to upload posts or add comments.

An unquoted context attack occurs when user input is directly interpreted as HTML.

A quoted context attack occurs when user input is put within quotes.
In the following example, a user can supply the URL of an image, which is then displayed on the website:

<img src="USER_INPUT">

An attacker can “break out” of the string and perform an HTML injection with the payload

"> <h1>This is a HTML injection</h1

This results in the combined HTML

<img src=""> <h1>This is a HTML injection</h1

and the injection is displayed on the vulnerable website.

The security level Basic does not prevent any HTML injection.
The security level Standard prevents injection of well-known HTML tags (e.g., <img src="path">) as well as injection of well-known HTML attribute names in a single or double quoted attribute value (e.g., ' href="url").
The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.
IDOR: Insecure Direct Object Reference in Path and Parameter Values

Prevents insecure direct object references and file inclusion for HTTP paths and parameter values.

An insecure direct object reference (IDOR) is a publicly exposed identifier that can be used to directly access internal objects and is not subject to access control.

As an example, we use a well-known type of IDOR exploit, the directory traversal attack.
Consider a URL where part of the page content is fetched from a file on the server using the relative path in the ‘file’ parameter, e.g.

https://some-website.org/show-file-content?file=content.html

In this example, the ‘file’ parameter is the direct object reference. Unless this parameter is validated or sanitized, an attacker could gain access to files that are not supposed to be accessible via the URL by changing the value of the ‘file’ parameter.
For instance, to retrieve the /etc/passwd file an attacker could move from the directory where the website files are stored to the root directory of the server:

https://some-website.org/show-file-content?file=../../etc/passwd

For paths:
The security levels Basic and Standard prevent directory traversal and injection of certain critical files (e.g., .htaccess).
The security level Strict further prevents injection of file paths with critical suffixes (e.g., .exe).
For parameter values:
The security level Basic prevents directory traversal and injection of certain critical files (e.g., /etc/passwd).
The security level Standard prevents injection of known top-level directory paths (e.g., /etc/) and critical protocol schemes (e.g., “php://”).
The security level Strict further prevents injection of file paths with critical suffixes (e.g., .exe), any absolute Windows and UNIX directory path, any protocol scheme, or any path in universal naming convention (UNC) format.
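The deny rule blocks the traversal pattern at the gateway; the application behind it still needs its own check on the ‘file’ parameter. The following is an added example, not Airlock's code, of that server-side check: the user-supplied name is joined to the web root, the result is resolved to a real path, and anything that no longer lies under the root is rejected. The web root `/var/www/site` is a placeholder and the inputs are constructed; the function works on path strings only and never opens a file.

```python
"""Added example, not part of the Airlock documentation: the server-side check
that keeps a user-supplied 'file' parameter inside the web root, the control a
WAF IDOR rule complements but does not replace. Base directory is a placeholder."""
from pathlib import Path, PureWindowsPath
from typing import Optional

WEB_ROOT = "/var/www/site"  # placeholder for the directory holding the site's files


def resolve_within(base_dir: str, user_file: str) -> Optional[Path]:
    """Return the real path of base_dir/user_file, or None if it escapes base_dir.

    The application framework has already percent-decoded the parameter, so a
    '%2e%2e%2f' arrives here as '../'. The decision is taken on the resolved
    path, not on the raw string, so it does not depend on spotting every spelling."""
    base = Path(base_dir).resolve()
    # Reject NUL bytes and absolute paths of either flavour before joining.
    if ("\x00" in user_file or Path(user_file).is_absolute()
            or PureWindowsPath(user_file).is_absolute()):
        return None
    # resolve() collapses '..' and follows symlinks, so the comparison is on real paths.
    candidate = (base / user_file).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:  # escaped the web root
        return None
    return candidate


def classify(base_dir: str, user_files) -> dict:
    """Map each input to 'allowed' or 'blocked'."""
    return {f: ("allowed" if resolve_within(base_dir, f) is not None else "blocked")
            for f in user_files}


# Constructed inputs: the two from the text, a harmless '..' that stays inside,
# an absolute UNIX path and an absolute Windows path.
SAMPLE_INPUTS = [
    "content.html",
    "docs/../content.html",
    "../../etc/passwd",
    "/etc/passwd",
    "C:\\Windows\\win.ini",
]

if __name__ == "__main__":
    for name, verdict in classify(WEB_ROOT, SAMPLE_INPUTS).items():
        print(f"{verdict:8s} {name}")
```

Note that `docs/../content.html` is allowed: the check is about where the path ends up, not about whether it contains `..`, which is what distinguishes it from a pattern-based deny rule. A symlink inside the web root pointing outside it is also caught, because `resolve()` follows it before the comparison.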
LDAP: LDAP Injection in Header and Parameter Value

Prevents LDAP (Lightweight Directory Access Protocol) query injection in header and parameter values.

In an LDAP injection an attacker tries to leak or modify sensitive data represented in an LDAP data store. This is possible when an application accesses data using LDAP search filters containing unsanitized user input.

The security level Standard prevents the injection of new logical operations NOT, AND, OR.
The security level Strict further prevents injecting new comparison operations, e.g., ‘equal to’ or ‘greater than or equal to’.
NOSQL: NoSQL Injection in Header Value and Parameter Name and Value

Prevents NoSQL injection in header values, parameter names and values on security levels Standard and Strict.

For a more detailed explanation of query injections, see the SQL description.

As a simplified example of a NoSQL injection, consider an insecure login form where users can input their username and password.
The user input is passed to the MongoDB query

db.users.find({username: <USER_INPUT.username>, password: <USER_INPUT.password>})

An attacker can enter the username admin and the password {$ne: ""} to construct the query

db.users.find({username: admin, password: {$ne: ""}})

which will return the first document where username is admin and the password is non-empty.
This way the attacker can bypass the login and enter the website without knowing the password.

The security levels Standard and Strict prevent the injection of keywords, functions, and operators of common NoSQL databases (e.g., MongoDB).
In particular, they prevent injection attempts that are part of JSON objects or PHP arrays.
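The login example works because the application lets a JSON object stand where a string was expected. As an added example (not from the Airlock documentation), here is the application-side counterpart to the deny rule: a walk over the decoded request body that reports any `$`-prefixed key, and a login filter builder that accepts only string credentials. The function names and the request bodies are ours; no database is required to run it.

```python
"""Added example, not from the Airlock documentation: server-side validation of
a JSON login body so that an operator object such as {"$ne": ""} never reaches
the MongoDB filter shown above. No database is needed to run it."""
import json


def contains_operator(value) -> bool:
    """True if a decoded JSON value, at any depth, carries a '$'-prefixed key,
    which MongoDB would interpret as a query operator instead of data."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def unsafe_login_filter(body: str) -> dict:
    """What the vulnerable form does: whatever JSON the client sent becomes the filter."""
    data = json.loads(body)
    return {"username": data.get("username"), "password": data.get("password")}


def safe_login_filter(body: str) -> dict:
    """Type-check the credentials: only strings are accepted, so a nested object
    cannot become an operator. A real application would compare a password hash
    in code rather than in the query; the page's filter shape is kept only to
    show where the injection point is."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username, "password": password}


# Constructed request bodies: an honest login and the page's operator injection.
HONEST_BODY = '{"username": "admin", "password": "s3cret"}'
INJECTED_BODY = '{"username": "admin", "password": {"$ne": ""}}'

if __name__ == "__main__":
    for body in (HONEST_BODY, INJECTED_BODY):
        print(body, "-> operator present:", contains_operator(unsafe_login_filter(body)))
```

`contains_operator` is the detection view (what a WAF rule or a request log check looks for); `safe_login_filter` is the fix, which needs no knowledge of operator names at all because it rejects the wrong type rather than specific values.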
OGNL: Object Graph Navigation Library (OGNL) Injection (Apache Struts)

Prevents OGNL injection on all security levels.

Similar to other injection attacks, e.g., SQL injection, in an OGNL injection attack an attacker sends malicious requests containing OGNL expressions to a vulnerable application.
If the application uses OGNL to handle unvalidated user input, the OGNL expressions in the request are interpreted, which may result in arbitrary code execution, data theft, or other security concerns.

PHP: PHP Injection in Header Value and Parameter Value

Prevents PHP code injection in header and parameter values.

Similar to other injection attacks, e.g., SQL injection or UNIX command injection, a PHP code injection attack can occur when unsanitized user input is forwarded to a system that interprets PHP.
In particular, by injecting PHP script tags (e.g., <?php ... ?>) an attacker might be able to execute arbitrary PHP code on the server.

All security levels prevent the injection of standard PHP script tags.
Additionally, the security levels Standard and Strict prevent injection of shortened and legacy PHP script tags.
PROTOCOL: HTTP Protocol Integrity

Prevents HTTP response splitting by blocking injection of an HTML response body or response header.

HTTP response splitting can occur when user input from an HTTP request is returned in the HTTP response without being validated.
As an example, imagine a website that allows users to set a cookie (using the set-cookie parameter), which is returned in the headers of the HTTP response:

https://www.some-website.com/?set-cookie=something

If an attacker can insert carriage return and line feed characters, they are able to insert new headers, write a response body, or create a second malicious HTTP response entirely. Using HTTP response splitting an attacker may perform cross-site scripting, web cache poisoning, or similar attacks.
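As an added example (not from the Airlock documentation), the splitting described above can be made visible without a server: build the response header block by plain interpolation of the cookie value, split it the way an HTTP/1.1 parser does, and count the header lines that result. The validated variant rejects CR, LF and NUL before the value is used; the cookie name `pref` and the injected value are constructed.

```python
"""Added example, not from the Airlock documentation: how a CR/LF in a reflected
value splits an HTTP/1.1 header block, and the validation that prevents it."""
import re

# Characters that must never appear in a header value: CR, LF and NUL.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def unsafe_header_block(cookie_value: str) -> list:
    """Build the response header lines by plain interpolation, then split them the
    way an HTTP/1.1 parser would; an injected CRLF yields extra header lines."""
    raw = f"Set-Cookie: pref={cookie_value}\r\nContent-Type: text/html"
    return raw.split("\r\n")


def validated_header_value(value: str) -> str:
    """Reject any value containing CR, LF or NUL. The application framework has
    already percent-decoded the parameter, so '%0d%0a' arrives here as real CR LF."""
    if _FORBIDDEN.search(value):
        raise ValueError("control characters are not allowed in a header value")
    return value


def safe_header_block(cookie_value: str) -> list:
    """Same construction, but the value passes through validated_header_value first."""
    raw = f"Set-Cookie: pref={validated_header_value(cookie_value)}\r\nContent-Type: text/html"
    return raw.split("\r\n")


# Constructed input: what '?set-cookie=dark%0d%0aX-Injected:%201' looks like after decoding.
INJECTED = "dark\r\nX-Injected: 1"

if __name__ == "__main__":
    print(unsafe_header_block("dark"))
    print(unsafe_header_block(INJECTED))  # three header lines instead of two
```

Modern HTTP libraries perform this check when a header is set through their API; the example matters for code that writes raw header text, and for a gateway rule that wants to catch the encoded form before the application decodes it.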
SANITY: Sanity of Header and Parameter

Prevents injection of non-printable and special encoded characters, as well as invalid Unicode and formats, in header names and values.

SCANNING: Automated Scanning

Prevents automated scanning with standard tools by blocking associated headers and parameters which are used to probe an application.
Activated on all security levels.
SQL: SQL Injection (SQLi) in Header and Parameter Value

Prevents SQL injection for header and parameter values.

In an SQL injection attack, an attacker tries to execute malicious SQL queries in order to leak or corrupt sensitive data. This is possible when an application forwards unsafe and improperly sanitized user input to a database.

As an example of an SQL injection attack, imagine an online shop’s website. Users can input text into a search bar to find items in the inventory. The search bar forwards the user input to the inventory database with the following statement:

SELECT * FROM inventory WHERE item_name = "<user input>";

An attacker could exploit this using the attack payload

"; DROP TABLE inventory; --

which would result in the execution of the following two queries and thus the deletion of the inventory:

SELECT * FROM inventory WHERE item_name = ""; DROP TABLE inventory; --";

When user input is placed inside quotes, as in the example above, we call that a quoted context. Otherwise, we talk about an unquoted context. In general, it is slightly harder to exploit the quoted context because an attack is interpreted as a simple string unless the attacker “breaks out” of the quotes.

The security level Basic prevents injection of
- input that tries to terminate a previous statement and adds new SQL statements (e.g., ; DROP TABLE)
- set operations (e.g., UNION SELECT)
- SQL statements obfuscated as C-style comments which can be interpreted as regular SQL by MySQL and MariaDB
in any context.
The security level Standard further prevents injection of SQL sub-queries and SQL expressions in quoted context (e.g., ' or 1=1--).
The security level Strict further prevents SQLi in unquoted context (e.g., 1 or 1).
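The shop search above, as an added example that is not part of the Airlock documentation, implemented against an in-memory SQLite database in two ways: once by string concatenation, executed as a script so that the stacked statement runs, and once with a bound parameter. Single quotes are used for the SQL string literal (the form SQLite guarantees to treat as a string), so the payload carries a single quote where the page's example has a double quote; the table contents and function names are constructed.

```python
"""Added example, not from the Airlock documentation: the shop search implemented
against an in-memory SQLite database, once by string concatenation and once with a
bound parameter. Single quotes delimit the literal, so the payload uses a single
quote where the page's example uses a double quote; the logic is the same."""
import sqlite3

# The page's payload pattern, with the quote character that closes the literal below.
PAYLOAD = "'; DROP TABLE inventory; --"


def setup_inventory() -> sqlite3.Connection:
    """Fresh in-memory database with a two-row inventory table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (item_name TEXT)")
    conn.executemany("INSERT INTO inventory VALUES (?)", [("lamp",), ("chair",)])
    return conn


def build_unsafe_query(user_input: str) -> str:
    """String concatenation: the input becomes part of the SQL text."""
    return "SELECT * FROM inventory WHERE item_name = '" + user_input + "';"


def search_unsafe(conn: sqlite3.Connection, user_input: str) -> None:
    """Run the concatenated text as a script; every statement in it executes,
    which is what a driver or database that accepts stacked queries would do."""
    conn.executescript(build_unsafe_query(user_input))


def search_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Bound parameter: the value travels separately from the SQL text, so the
    payload is compared as a literal string and simply matches nothing."""
    return conn.execute(
        "SELECT item_name FROM inventory WHERE item_name = ?", (user_input,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'inventory'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_inventory()
    print(build_unsafe_query(PAYLOAD))
    print("safe search with payload:", search_safe(conn, PAYLOAD))
    print("table still present:", table_exists(conn))
```

The deny rule's Basic level catches the `; DROP TABLE` form at the gateway; the bound parameter is what makes the application indifferent to it, and it also covers the quoted-context expressions (`' or 1=1--`) that only the Standard level blocks.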
TEMPLATE: Template and Expression Language Injection

Prevents template and expression language injections for various client-side and server-side templating engines on security levels Standard and Strict.

Template injection is similar to other injection attacks. Template injection vulnerabilities can occur when unsanitized user input is evaluated as part of a template expression.
As a simple example, consider a website that greets the user with the username parameter provided in a request.

<h1>Hello <?php echo $_GET['username']; ?></h1>

An attacker can provide a payload that uses special characters (e.g., {{...}}, ${...}, #{...}, and similar) so that a malicious expression is evaluated by the template engine and an attack is triggered.

The security levels Standard and Strict prevent template injection attacks in both client-side frameworks (e.g., Angular, React, Meteor, etc.) and server-side frameworks (e.g., Apache Velocity, Java EL, ASP.NET Razor, etc.) by recognizing a variety of special characters used in templates of common frameworks.
UNIXCMD: UNIX Command Injection in Header and Parameter Value

Prevents UNIX command injections through HTTP header and parameter values.

In an OS command injection attack, the attacker aims to execute arbitrary OS commands on vulnerable hosts. This is possible if an application forwards user input to a system shell in an unsafe (unsanitized) manner.

There are different flavors of command injection attacks, depending on the context where user input is fed to the shell.

In a quoted context, the user input is placed inside quotes, usually intended as a parameter for another command. For example, an application on a UNIX system might feed user input to the ls command, like so:

ls "<some user input>"

This is called a quoted context attack, because the injection string is placed inside a quoted context. Consider the input

"; <some command> #

which, if placed inside the context, becomes

ls ""; <some command> #"

<some command> can now be replaced by any command of the attacker’s choice, and will be executed on the system.

In unquoted contexts, the attacker’s input is directly interpreted as a command, without the need for a context breakout.

The security level Basic prevents exploitation of the Shellshock bug (also known as Bashdoor).
The security level Standard prevents injection of (what we consider) critical UNIX commands in quoted context (e.g., ";cat /etc/password #).
The security level Strict additionally blocks a wider range of obfuscated UNIX commands in quoted contexts and prevents command injection in unquoted context (e.g., ; cat /etc/password).

WINCMD: Windows Command Injection in Header and Parameter Value

Prevents Windows command injections through HTTP header and parameter values.

For a more detailed explanation of OS command injection, see UNIXCMD.

The security level Standard provides protection against Windows command injection in a quoted context.
The security level Strict extends this protection to unquoted contexts.
XSS: Cross-Site Scripting (XSS) in Path, Header and Parameter Value

Prevents Cross-Site Scripting attacks for paths, header and parameter values.

In a Cross-Site Scripting (XSS) attack, an attacker injects code (often JavaScript) into a website. This code is loaded and executed by unsuspecting users visiting the compromised site.
An example is that of a web forum where a malicious user creates a post containing carefully designed text. When other users visit the forum, their browsers will interpret the text as JavaScript and execute it. Depending on the injected code, this can lead to session or credential stealing, or malware delivery to the victim’s machine.

There are many forms of XSS attacks, depending on the position of the injection in the context of the original webpage’s HTML:
If the code is injected at a location where it is not directly interpreted as a JavaScript statement, the attack must include additional instructions to indicate that the code should be interpreted as JavaScript. Often, this is achieved using <script> tags or HTML event handlers, e.g., onload.

In a so-called “quoted context attack” an attacker finds a way to inject directly into a context already interpreted as JavaScript, making the attack much easier to perform.
This can happen if, for example, user input is directly fed into a JavaScript variable:

var f = "<some user input>"

This is called a quoted context attack, because the injection string is placed inside a quoted context. For the attack to succeed, the attacker still needs to perform what is called a “context breakout” to do anything useful.

An unquoted context attack occurs when user input is directly interpreted as plain JavaScript (not inside a variable assignment or similar). This attack is easier to perform and harder to detect than a quoted context attack.

The security level Basic prevents injection of <script> tags and known HTML event handlers.
The security level Standard prevents injection of JavaScript code in quoted context.
The security level Strict prevents injection of JavaScript code in unquoted context.
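Both the HTML rule's `<img src="USER_INPUT">` example and the XSS rule's `var f = "<some user input>"` example are quoted contexts whose breakout the deny rules block at the gateway. As an added example, not from the Airlock documentation, the following shows the application-side output encoding for those two contexts, an HTML attribute value and a JavaScript string literal, each with plain interpolation beside its escaped form. Function names and the inputs are ours; only the standard library is used.

```python
"""Added example, not from the Airlock documentation: output encoding for the two
quoted contexts described under HTML and XSS, an HTML attribute value and a
JavaScript string literal, each shown with plain interpolation and then escaped."""
import html
import json
import re
from urllib.parse import urlparse


def img_tag_unsafe(user_url: str) -> str:
    """Plain interpolation: a '"' in the input closes the attribute early."""
    return f'<img src="{user_url}">'


def img_tag_safe(user_url: str) -> str:
    """html.escape(quote=True) encodes <, >, &, ' and ", so the value can neither
    terminate the attribute nor start a new element."""
    return f'<img src="{html.escape(user_url, quote=True)}">'


def src_scheme_allowed(user_url: str) -> bool:
    """Escaping keeps the value inside the attribute; it does not make the URL itself
    harmless. This constructed policy accepts absolute http(s) URLs only."""
    return urlparse(user_url).scheme.lower() in ("http", "https")


def js_var_unsafe(user_input: str) -> str:
    """The quoted JavaScript context from the XSS description."""
    return f'var f = "{user_input}"'


def js_var_safe(user_input: str) -> str:
    """json.dumps yields a valid JavaScript string literal with the quote and the
    backslash escaped; '<' is additionally encoded so a '</script>' inside the
    value cannot end the enclosing script block."""
    return "var f = " + json.dumps(user_input).replace("<", "\\u003c")


def start_tag_count(markup: str) -> int:
    """Number of start tags, enough to tell whether an input added an element."""
    return len(re.findall(r"<[A-Za-z]", markup))


# Constructed inputs: the attribute breakout from the HTML description and a
# JavaScript string breakout.
ATTR_PAYLOAD = '"> <h1>This is a HTML injection</h1>'
JS_PAYLOAD = '"; injected(); //'

if __name__ == "__main__":
    print(img_tag_unsafe(ATTR_PAYLOAD))
    print(img_tag_safe(ATTR_PAYLOAD))
    print(js_var_unsafe(JS_PAYLOAD))
    print(js_var_safe(JS_PAYLOAD))
```

The two escapers are not interchangeable: HTML entity encoding does nothing inside a `<script>` block, and a JSON literal does nothing inside an attribute, which is why the context of the injection point decides the encoding, the same distinction the deny rules draw between their quoted and unquoted cases.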