Exclude URL for a specific OWASP core rule


I have several OWASP core rules that generate false positives for a specific URL across several similar sites in the same zone/domain.

The CF UI only allows me to either limit the scope for the whole OWASP core ruleset (hence removing all the ruleset rules for the specific URL, which is not good, less security for it) or disable the specific rules entirely (hence losing their protection for all the zone).

I could not find a way to exclude a specific URL for a specific rule. Am I missing something?

You should create a WAF Exception, which is the way to skip a managed ruleset, such as OWASP, or a rule within it.

When incoming requests match...
URI Path equals /my-path

If you want the same path to skip the specific rule in all subdomains (including naked domain) of a zone, the above condition should suffice. Otherwise, couple it with

Hostname is in sub1.example.com sub2.example.com etc.

Then select the OWASP ruleset, then select the specific rule.

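The same exception built through the Cloudflare Rulesets API instead of the dashboard, as an added example that is not part of the original thread. The zone ID, API token, managed ruleset ID and rule ID are placeholders to fill from your own account; the `skip` action with `action_parameters.rules` and the `position` field follow the public Rulesets API.

```shell
#!/bin/sh
# Added example: create a WAF exception ("skip" rule) that skips ONE rule of the
# OWASP managed ruleset for a single path on selected hostnames, so the rest of
# the ruleset keeps protecting that path. All IDs below are placeholders.
set -eu

ZONE_ID="${ZONE_ID:-<your-zone-id>}"
CF_API_TOKEN="${CF_API_TOKEN:-<your-api-token>}"
OWASP_RULESET_ID="<owasp-managed-ruleset-id>"   # from GET /zones/{zone_id}/rulesets
NOISY_RULE_ID="<rule-id-that-false-positives>"  # from GET /zones/{zone_id}/rulesets/{ruleset_id}

# Rules-language expression equivalent to the dashboard conditions:
#   URI Path equals /my-path  [and Hostname is in sub1.example.com sub2.example.com]
# Pass no hostnames to cover every subdomain of the zone, including the naked domain.
build_expression() {
  path="$1"; shift
  expr="http.request.uri.path eq \"$path\""
  if [ "$#" -gt 0 ]; then
    hosts=""
    for h in "$@"; do hosts="$hosts \"$h\""; done
    expr="($expr and http.host in {${hosts# }})"
  fi
  printf '%s' "$expr"
}

# JSON body for the skip rule. Only the named rule of the managed ruleset is
# skipped; "position.index" puts the rule first so it is evaluated before the
# rule that executes the OWASP ruleset.
build_skip_payload() {
  escaped_expr="$(build_expression "$@" | sed 's/"/\\"/g')"
  printf '{"action":"skip","description":"OWASP FP exception for %s","expression":"%s","action_parameters":{"rules":{"%s":["%s"]}},"position":{"index":1}}' \
    "$1" "$escaped_expr" "$OWASP_RULESET_ID" "$NOISY_RULE_ID"
}

# Add the rule to the zone entry point of the managed WAF phase.
create_exception() {
  curl -sS -X POST \
    "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint/rules" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(build_skip_payload "$@")"
}

# Usage (uncomment to run against a real zone):
# create_exception /my-path sub1.example.com sub2.example.com
```

Verify afterwards with GET on the same entrypoint URL that the skip rule sits above the execute rule for the OWASP ruleset; a skip placed below it has no effect.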

Thank you! Yes, I missed this button of exclusion at the top of the page of managed rules…
I tried it now and it works perfectly as I wanted!!


