How to let a custom header with a period bypass Application Gateway

August Lim 0 Reputation points
2024-07-03T02:58:14.7866667+00:00

I have a custom header with a period that I want to let pass through Azure Application Gateway. Is there any configuration I need to set up or modify in order to let the header go through the application gateway? The value for the custom header is dynamic; what should I put for the value?

For example: custom.header


1 answer

  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2024-07-03T10:06:48.2233333+00:00

    Hello @August Lim ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to exclude a custom request header from Azure WAF evaluation.

    You can configure a WAF exclusion in Application Gateway using the Request Header attribute.

    To do so, you can use the RequestHeaderValues match variable, the operator contains, and the selector (custom.header). This configuration stops evaluation of all values for the header custom.header.


    In contrast, if your WAF detects the header's name (custom.header) as an attack, you could configure an exclusion for the header key by using the RequestHeaderKeys request attribute.


    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal#request-attributes-by-keys-and-values

    When you configure an exclusion, you need to determine whether you want to exclude the name/key or the value from WAF evaluation.

    NOTE: Request attributes by key and values are only available in CRS 3.2 or newer.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal#request-attributes-by-keys-and-values

    The new WAF engine is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/waf-engine#next-generation-of-waf-engine

    If you are using the older WAF engine, I would request you to set the default rule set to OWASP 3.2 and add the above-mentioned exclusion list.

    Additional reference for you:

    https://learn.microsoft.com/en-us/answers/questions/1369136/exclude-an-url-in-exclution-list-waf-not-work-for

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

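An added example, not part of the original answer and not Microsoft's code: a small offline check that a WAF policy's exclusion list covers a given header and that key/value exclusions are paired with CRS 3.2 or newer, as the answer's NOTE requires. The sample policy is constructed, and the JSON property names and the case-insensitive selector matching are assumptions of this sketch.

```python
import json

# Constructed sample policy (not from the page); property names assume the
# ARM JSON shape of an Application Gateway WAF policy.
SAMPLE_POLICY = json.loads("""
{"properties": {"managedRules": {
  "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}],
  "exclusions": [{"matchVariable": "RequestHeaderValues",
                  "selectorMatchOperator": "Contains", "selector": "custom.header"}]}}}
""")

# Exclusions by key or by value: CRS 3.2 or newer only, per the answer's NOTE.
KEY_VALUE_VARS = {"RequestHeaderKeys", "RequestHeaderValues"}

OPERATORS = {
    "Contains": lambda name, sel: sel in name,
    "Equals": lambda name, sel: name == sel,
    "StartsWith": lambda name, sel: name.startswith(sel),
    "EndsWith": lambda name, sel: name.endswith(sel),
    "EqualsAny": lambda name, sel: True,
}

def crs_version(policy):
    """Return the OWASP rule set version as a tuple such as (3, 2), or None."""
    for rs in policy["properties"]["managedRules"].get("managedRuleSets", []):
        if rs.get("ruleSetType") == "OWASP":
            return tuple(int(p) for p in rs["ruleSetVersion"].split("."))
    return None

def header_exclusions(policy, header):
    """Return the match variable of every exclusion that covers `header`."""
    name = header.lower()  # assumption: selector matching ignores case
    hits = []
    for ex in policy["properties"]["managedRules"].get("exclusions", []):
        match = OPERATORS.get(ex.get("selectorMatchOperator"))
        is_header = ex.get("matchVariable", "").startswith("RequestHeader")
        if is_header and match and match(name, ex.get("selector", "").lower()):
            hits.append(ex["matchVariable"])
    return hits

def audit(policy, header):
    """List problems with how `header` is excluded in this policy."""
    hits, ver, problems = header_exclusions(policy, header), crs_version(policy), []
    if not hits:
        problems.append("no exclusion covers " + header)
    if KEY_VALUE_VARS & set(hits) and (ver is None or ver < (3, 2)):
        problems.append("key/value exclusions need CRS 3.2 or newer")
    return problems
```

In this model a Contains selector also covers any header whose name merely contains custom.header, so Equals is the narrower choice when only that one header should skip evaluation.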