WAF Rules

WAF custom rules allow organizations to define specific allow, block, or rate-limit actions for HTTP requests based on conditions including IP addresses, geographic origin, headers, URI patterns, query string parameters, and request body content. Custom rules supplement managed rule groups to protect application-specific attack surfaces that generic rules cannot anticipate.

Rule testing with count mode before enforcement mode prevents accidental blocking of legitimate traffic.