Airlock Microgateway has built-in deny rules to block malicious requests to upstream web applications. This deny rule set is constantly evolving and updated to respond to the latest threats.
Each deny rule is identified by a deny rule key that can be referenced for configuration purposes. Each ruleKey refers to different attack types such as SQL injection, XSS, GraphQL, TEMPLATE injection, etc.
- The CRD DenyRules allows configuring the following in the CR:
  - The security level of the applied deny rules.
  - The threatHandlingMode (i.e., Block or LogOnly), which can be configured globally and on the ruleKey level. A threatHandlingMode that does not depend on deny rules can be configured on the feature level, i.e. for Limits, OpenAPI and GraphQL within their CR.
  - Deny rule overrides to change settings (e.g. security level or threat handling mode) of specific deny rules.
  - Deny rule exceptions for requests that match one or more deny rules but should not be blocked. Exceptions can be configured and fine-tuned to reduce the number of false positives using blockedData and/or requestConditions based on various characteristics.
  - The definition of custom deny rules.
This CR needs to be referenced in the CR ContentSecurity.