WAF Phase
The Web Application Firewall (WAF) phase evaluates each request against the OWASP ModSecurity Core Rule Set to detect potential security threats.
This phase has no direct actions of its own. Its behavior is controlled by the vconf.set action in the URL Config phase. For example, you can set modsecurity_mode to enforce to block requests that trigger WAF rules, or to warn to only log them.
Fields
The WAF phase provides access to the following fields:
Example
While the WAF phase itself doesn't have actions, you can use its output in later phases. For example, in the rate_limit_request_late phase you can rate limit clients who trigger WAF rules.
The filter matches requests where the WAF has detected an exposed password:
This condition can then be used in a subsequent phase to challenge or block the user.
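The following is an added illustration of the two-phase interaction described above, written in Python; it is not the product's configuration language or code. It models a WAF phase that records which rules matched and applies the configured modsecurity_mode (enforce or warn), followed by a late rate-limiting phase that counts WAF-triggering requests per client in a sliding window and challenges clients that exceed a threshold. The field names (waf_rule_ids, waf_action), the window and threshold values, the rule id "RULE-A" and the traffic sample are all constructed for the example.

```python
"""Illustrative model of a WAF phase feeding a later rate-limit phase.

Not the product's own code: the field names, thresholds and traffic
below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60   # constructed sliding-window length for the late phase
MAX_WAF_HITS = 3      # constructed: more than this many WAF hits per window -> challenge


@dataclass
class Request:
    client_ip: str
    path: str
    ts: float
    # Hypothetical field names; the real WAF phase exposes its own fields.
    waf_rule_ids: list = field(default_factory=list)
    waf_action: str = "pass"   # "pass", "log" (warn mode) or "block" (enforce mode)


def waf_phase(req, matched_rule_ids, modsecurity_mode):
    """Record the matched rule ids and apply the configured mode.

    enforce -> block the request; warn -> keep it flowing but log the hit.
    The rule matching itself is out of scope here, so the ids are an input.
    """
    req.waf_rule_ids = list(matched_rule_ids)
    if not matched_rule_ids:
        req.waf_action = "pass"
    elif modsecurity_mode == "enforce":
        req.waf_action = "block"
    elif modsecurity_mode == "warn":
        req.waf_action = "log"
    else:
        raise ValueError(f"unknown modsecurity_mode: {modsecurity_mode!r}")
    return req


class LateRateLimiter:
    """Stand-in for logic in a later phase that consumes the WAF output."""

    def __init__(self, window=WINDOW_SECONDS, max_hits=MAX_WAF_HITS):
        self.window = window
        self.max_hits = max_hits
        self.hits = defaultdict(deque)   # client_ip -> timestamps of WAF hits

    def decide(self, req):
        if req.waf_action == "block":
            return "block"               # already blocked by the WAF phase
        if not req.waf_rule_ids:
            return "allow"               # clean request: never counted
        window_hits = self.hits[req.client_ip]
        window_hits.append(req.ts)
        # Drop hits that have aged out of the sliding window.
        while window_hits and window_hits[0] <= req.ts - self.window:
            window_hits.popleft()
        return "challenge" if len(window_hits) > self.max_hits else "allow"


def run_pipeline(events, modsecurity_mode):
    """Run each (ip, path, ts, matched_rule_ids) event through both phases."""
    limiter = LateRateLimiter()
    decisions = []
    for ip, path, ts, rules in events:
        req = waf_phase(Request(ip, path, ts), rules, modsecurity_mode)
        decisions.append(limiter.decide(req))
    return decisions


# Constructed traffic: one client repeatedly trips a placeholder rule id.
SAMPLE_EVENTS = [
    ("10.0.0.5", "/login", 0.0, ["RULE-A"]),
    ("10.0.0.5", "/login", 5.0, ["RULE-A"]),
    ("10.0.0.5", "/login", 10.0, ["RULE-A"]),
    ("10.0.0.5", "/login", 15.0, ["RULE-A"]),   # 4th hit within 60 s
    ("10.0.0.9", "/", 16.0, []),                 # clean request, never counted
    ("10.0.0.5", "/login", 80.0, ["RULE-A"]),    # earlier hits have aged out
]

if __name__ == "__main__":
    print("warn:   ", run_pipeline(SAMPLE_EVENTS, "warn"))
    print("enforce:", run_pipeline(SAMPLE_EVENTS, "enforce"))
```

In warn mode the WAF only marks the requests, so the late phase sees the hits and challenges the client on the fourth one within the window; at 80 s the earlier hits have expired and the client is allowed again. In enforce mode the WAF phase blocks each offending request outright, so the late phase never needs to intervene.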
Use Cases
- Block SQL injection attempts.
- Prevent cross-site scripting (XSS) attacks.
- Protect against remote file inclusion (RFI) vulnerabilities.
- Log suspicious requests for further analysis.
- Use WAF output to inform rate limiting or other security decisions in later phases.