Allow a custom content-type in Azure Front Door WAF without bypassing rules
We have an application that uses application/merge-patch+json extensively for PATCH requests. When it is deployed behind Azure Front Door, the firewall complains that the content type is not allowed by the policy (see screen shot).
This is a blocker (literally if the firewall is in blocking mode). I have been able to find some workarounds:
- Disable the offending rules in the WAF
- Create exclusions for content-type, allowing the requests
- Create manual rules allowing requests with this content type
Unfortunately, all these options are bad, as they bypass the firewall. Ideally, I would like to update the policy to add application/merge-patch+json as one of the content types that should be allowed. Then all the firewall rules still get to run.
Is there a way to do this, or are the allowed content types hard-coded by Microsoft?
Is there a way to do this, or are the allowed content types hard-coded by Microsoft?
AFAIK, Azure WAF’s managed rule sets (based on the OWASP Core Rule Set) do not support extending or customizing the list of allowed Content-Typevalues for rules like 920300. These rules are hard-coded by Microsoft in alignment with OWASP, so there is no way to add application/merge-patch+jsonto the allowed content types list used by Azure WAF’s managed rules.
- application/json
- application/xml
- application/x-www-form-urlencoded
- multipart/form-data
Alternatively, if you want your app to function without fully bypassing the firewall, the best compromise is to add an exclusion for rule 920300 (or 920440), scoped only to the Content-Type header with the value application/merge-patch+jsonThis approach offers the below benefits:
The WAF will still inspect the body, path, headers, and other metadata
Only the validation of
Content-Typefor that specific rule will be skipped
Reference: What content types does WAF support?
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules