amazon-waf

Is it possible to add safe URLs in AWS WAF?


I know that AWS WAF is pretty dumb and non-configurable, but lately it has become stricter.

We can't even send a request to the backend like:

POST https://our.url/page_id

{
    "data": "<a></a>"
}

In this case the awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body_RC_COUNT rule will be triggered.

I tried to find ways the core-rule-set may be customized, but it looks like it is impossible. But I want to believe that it is my lack of searching and that it may be customized in some way. If not, the current WAF is simply unusable. I can't imagine a case where it could be used with these strict non-editable standard rules.

So the question is: Is it possible to set some safe domains (like https://our.url) that will be passed without blocking? Or maybe some way to allow the <a> tag, for example?


Solution

  • You can customize the action on the AWS managed rule in this way:
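An added example, not part of the original answer: two entries for a web ACL's Rules list that override the core rule set's body XSS rule to Count, then block on its label everywhere except the path from the question. The rule names and metric names are hypothetical, and the rule name CrossSiteScripting_BODY and its label key are assumed to be the ones AWS documents for this rule group.

```json
[
  {
    "Name": "example-core-rule-set",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          { "Name": "CrossSiteScripting_BODY", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "example-core-rule-set"
    }
  },
  {
    "Name": "example-block-xss-body-except-page-id",
    "Priority": 1,
    "Statement": {
      "AndStatement": {
        "Statements": [
          { "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body" } },
          { "NotStatement": { "Statement": { "ByteMatchStatement": {
              "SearchString": "/page_id",
              "FieldToMatch": { "UriPath": {} },
              "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
              "PositionalConstraint": "EXACTLY" } } } }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "example-block-xss-body-except-page-id"
    }
  }
]
```

The second rule must have a higher priority number than the managed rule group so the label already exists when it is evaluated. Check the labels recorded in your WAF logs before relying on the key, since the question reports one ending in _RC_COUNT, and keep the exempted path as narrow as possible because the backend then has to sanitize that body itself.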