WAF policy not exluding Header Content-type after exclusion

Question

WAF policy not exluding Header Content-type after exclusion

Owin Gruters - iO 46

Hi,

In WAF policy for Azure Frontdoor Premium I get a false positive from a Header parameter Content-Type. User's image

I have made an exclusion for it, but keep getting the false positive. User's image

I have tried with exclusion of both RequestHeaderNames = "Content-Type" and also with RequestHeaderNames startsWith "Content", because maybe the dash had something to do with it. No success

GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-13T14:57:40.5666667+00:00

@Owin Gruters - iO ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

When you say that "I have made an exclusion for it, but keep getting the false positive", do you mean that the traffic is still getting blocked?

If yes, could you please provide some more details on the type of request which is generating this "Content-Type" header?

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T08:18:31.3966667+00:00

Hi Gita,

Yes I mean that the traffic is still being blocked. Well... not really blocked, but it is adding to the AnomalyScoring as you see in my first screenshot.

The issue is coming from a call to Azure B2C as you might be able to see in the request_Uri in my first screenshot. Obviously it is coming from the signing-up flow in Azure B2C. I don't know what other information to provide other that what is in the logging as displayed in the screenshot

Kind regards
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-14T09:31:18.6333333+00:00

@Owin Gruters - iO , I wanted to understand where and how this "Content-type" is setup in your Azure B2C sign-up flow?

Like for example, you can see the Content-type request in the below link to get an access token for the OAuth 2.0 authorization code flow in Azure Active Directory B2C:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#2-get-an-access-token

Similarly, how is the HeaderValue:Content-Type setup in your Azure AD B2C signup flow? Is there a custom policy or authorization setting with this content-type? Or your B2C is sending this Content-type automatically for the sign-up flow? We need this information to reproduce this issue on our end and understand why the exclusions are not working.

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T10:22:19.2533333+00:00

Hi Gita,

We use a custom policy, but Content-type is not something we have touched/defined in any way. the URL also suggests this is a call done by some call is done by AB2C itself. We never explicitly call this 'perftrace' URL.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-15T12:27:09.47+00:00

Thank you for the information, @Owin Gruters - iO . Please allow me some time to check this and get back to you with an update.
Wesley 0 Reputation points

2025-04-25T09:18:21.61+00:00

still not fixed ...

1 answer

Your answer

GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-13T14:57:40.5666667+00:00

@Owin Gruters - iO ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

When you say that "I have made an exclusion for it, but keep getting the false positive", do you mean that the traffic is still getting blocked?

If yes, could you please provide some more details on the type of request which is generating this "Content-Type" header?

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T08:18:31.3966667+00:00

Hi Gita,

Yes I mean that the traffic is still being blocked. Well... not really blocked, but it is adding to the AnomalyScoring as you see in my first screenshot.

The issue is coming from a call to Azure B2C as you might be able to see in the request_Uri in my first screenshot. Obviously it is coming from the signing-up flow in Azure B2C. I don't know what other information to provide other that what is in the logging as displayed in the screenshot

Kind regards
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-14T09:31:18.6333333+00:00

@Owin Gruters - iO , I wanted to understand where and how this "Content-type" is setup in your Azure B2C sign-up flow?

Like for example, you can see the Content-type request in the below link to get an access token for the OAuth 2.0 authorization code flow in Azure Active Directory B2C:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#2-get-an-access-token

Similarly, how is the HeaderValue:Content-Type setup in your Azure AD B2C signup flow? Is there a custom policy or authorization setting with this content-type? Or your B2C is sending this Content-type automatically for the sign-up flow? We need this information to reproduce this issue on our end and understand why the exclusions are not working.

Regards,

Gita
Owin Gruters - iO 46 Reputation points

2023-06-14T10:22:19.2533333+00:00

Hi Gita,

We use a custom policy, but Content-type is not something we have touched/defined in any way. the URL also suggests this is a call done by some call is done by AB2C itself. We never explicitly call this 'perftrace' URL.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2023-06-15T12:27:09.47+00:00

Thank you for the information, @Owin Gruters - iO . Please allow me some time to check this and get back to you with an update.
Wesley 0 Reputation points

2025-04-25T09:18:21.61+00:00

still not fixed ...

Answer 1

Hello @Owin Gruters - iO ,

I understand that you keep getting false positives from a Header parameter Content-Type in WAF policy for Azure Front Door Premium when accessing the Azure AD B2C signup flow, even after adding an exclusion for it.

I discussed this issue with the Azure Front Door Product Group team, and they reproduced the issue on their end to investigate it further and found that it is a bug in AFD WAF, which will be fixed within the next few months (approx. ETA: before the end of September).

For the time being, you can use a custom rule or disable the rule as a workaround. Apologies for the inconvenience.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

WAF policy not exluding Header Content-type after exclusion

1 answer

Your answer