google-cloud-platform

GCP cloud armor SQLI injection protection blocking valid POST


I rolled out the Cloud Armor feature in front of a GKE cluster with the sqli-stable expression. For the most part, it works well. However, I started to get some complaints from users that features in the application were throwing 403. What appears to be happening is that particular POST requests with form data are getting caught in the rule.

It would seem by analysis that it's rejecting array-based form elements, i.e. a checkbox named city[] with a list of 8 or so cities.

I can of course re-architect the application, but I'd rather not touch it if possible. Any help would be great.


Solution

  • You can view "blocked" requests in HTTP(S) LB Stackdriver logging (resource.type="http_load_balancer") with status detail as denied_by_security_policy.

    To fix this issue, you can manually adjust the policy, or remove the policy from the HTTPLB.

    Cloud Armor pre-configured rules (WAF) consist of multiple signatures (CRS rules). If you believe a specific signature is blocking traffic that needs to be allowed, the rule can be tuned to disable noisy or otherwise unnecessary signatures.
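Added example (not code from the question or the answer above): a Python script that takes HTTP(S) LB log entries as exported by `gcloud logging read --format=json`, keeps the ones denied by a named security policy, counts which pre-configured signature IDs fired per request URL, and builds the `evaluatePreconfiguredExpr` opt-out expression for the signatures you decide are false positives. The log entries, the policy name `web-policy` and the signature IDs shown are constructed sample values; which signature actually fires on the `city[]` form field has to be read from your own logs.

```python
import json
from collections import Counter

# Constructed sample of three HTTP(S) LB log entries, shaped like the JSON
# `gcloud logging read --format=json` returns (field names follow Cloud Armor
# request logging: jsonPayload.statusDetails and enforcedSecurityPolicy).
SAMPLE_LOG = json.dumps([
    {"httpRequest": {"requestMethod": "POST", "requestUrl": "https://app.example/search"},
     "jsonPayload": {"statusDetails": "denied_by_security_policy",
                     "enforcedSecurityPolicy": {"name": "web-policy", "outcome": "DENY",
                         "preconfiguredExprIds": ["owasp-crs-v030001-id942430-sqli"]}}},
    {"httpRequest": {"requestMethod": "POST", "requestUrl": "https://app.example/search"},
     "jsonPayload": {"statusDetails": "denied_by_security_policy",
                     "enforcedSecurityPolicy": {"name": "web-policy", "outcome": "DENY",
                         "preconfiguredExprIds": ["owasp-crs-v030001-id942430-sqli",
                                                  "owasp-crs-v030001-id942431-sqli"]}}},
    {"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example/"},
     "jsonPayload": {"statusDetails": "response_sent_by_backend"}},
])


def denied_signatures(log_json, policy_name):
    """Count (requestUrl, signature id) pairs for requests the policy denied."""
    hits = Counter()
    for entry in json.loads(log_json):
        payload = entry.get("jsonPayload", {})
        if payload.get("statusDetails") != "denied_by_security_policy":
            continue
        policy = payload.get("enforcedSecurityPolicy", {})
        if policy.get("name") != policy_name or policy.get("outcome") != "DENY":
            continue
        url = entry.get("httpRequest", {}).get("requestUrl", "")
        for sig in policy.get("preconfiguredExprIds", []):
            hits[(url, sig)] += 1
    return hits


def tuned_expression(ruleset, opt_out):
    """Rule expression that keeps the ruleset but skips the listed signature IDs."""
    ids = ", ".join(f"'{s}'" for s in sorted(opt_out))
    return f"evaluatePreconfiguredExpr('{ruleset}', [{ids}])"


if __name__ == "__main__":
    for (url, sig), n in denied_signatures(SAMPLE_LOG, "web-policy").most_common():
        print(f"{n:4d}  {sig}  {url}")
    # Opt out only signatures you have confirmed fire on legitimate requests,
    # then apply with: gcloud compute security-policies rules update PRIORITY
    #   --security-policy web-policy --expression "<expression below>"
    print(tuned_expression("sqli-stable", ["owasp-crs-v030001-id942430-sqli"]))
```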