I know that AWS WAF is pretty dumb and non-configurable, but lately it has become stricter.
We can't even send a request to the backend like:
POST https://our.url/page_id
{
"data": "<a></a>"
}
In this case the awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body_RC_COUNT rule will be triggered.
I tried to find any way the core-rule-set can be customized, but it looks like it is impossible. But I want to believe that this is just my lack of searching and it can be customized in some way. If not, the current WAF is simply unusable. I can't imagine a case where it could be used with these strict, non-editable standard rules.
So the question is:
Is it possible to set some safe domains (like https://our.url) that will be passed through without blocking? Or maybe there is some way to allow the <a> tag, for example?
You can customize the action on the AWS managed rule in this way:
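The answer above is cut off on this page. As an added illustration (not the answerer's text and not AWS documentation), the following is a web ACL rule entry in the JSON shape the `aws wafv2` CLI accepts. It shows the two levers AWS WAF actually offers for a managed rule group, since the rules inside AWSManagedRulesCommonRuleSet cannot be edited and there is no way to allowlist a single tag such as <a>: a `ScopeDownStatement` that exempts one endpoint from the whole rule group (here the POST to `/page_id` from the question; the path and web ACL/metric names are assumptions), and a `RuleActionOverrides` entry that switches the single rule `CrossSiteScripting_BODY` from Block to Count everywhere else, which is what produces the `..._RC_COUNT` label seen in the question.

```json
[
  {
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          {
            "Name": "CrossSiteScripting_BODY",
            "ActionToUse": { "Count": {} }
          }
        ],
        "ScopeDownStatement": {
          "NotStatement": {
            "Statement": {
              "AndStatement": {
                "Statements": [
                  {
                    "ByteMatchStatement": {
                      "FieldToMatch": { "UriPath": {} },
                      "PositionalConstraint": "STARTS_WITH",
                      "SearchString": "/page_id",
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "FieldToMatch": { "Method": {} },
                      "PositionalConstraint": "EXACTLY",
                      "SearchString": "POST",
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
    }
  }
]
```

This array goes into `aws wafv2 update-web-acl --rules file://rules.json` together with the web ACL's name, scope, id, lock token, default action and visibility config; with AWS CLI v2 add `--cli-binary-format raw-in-base64-out`, otherwise the `SearchString` values are read as base64 and the call is rejected. Two caveats a reviewer would raise: the scope-down exempts `/page_id` from every rule in the group, not just the XSS one, so that handler must treat the body as untrusted and encode it on output; and overriding `CrossSiteScripting_BODY` to Count relaxes it for the whole site, so prefer the narrow scope-down and keep the override only while you examine the `_RC_COUNT` labels in the WAF logs to see what it would have blocked.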