Azure Web Application Firewall
An Azure service that provides protection for web apps.
361 questions
Create Managed Rule Exclusion to exclude a rule on a particular host
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 87%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Jaco Fourie
0
Reputation points
Hi, I am trying to create an exclusion rule on a particular OWASP policy code to exclude a particular host name. I include the rule and use the following:
Match Variable: Request Header Values
Operation: Equals
Select: {my.host.com}
I've tried various other types of exclusions looking at the detailed data and creating rules looking at Arg Keys etc... but I feel this does not work and does not do anything? I view the Firewall logs and still see the messages Match and coming through. Does this even work?
However, I have created some Custom rules which seem to work fine, but I don't want to exclude a hostname from all OWASP rules.
Azure Web Application Firewall
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator2025-06-26T18:57:12.0233333+00:00 Hello Jaco Fourie
Request Header Values is a broad option since it checks all values in all headers, not just a specific one like Host. Unless the hostname is explicitly included in a custom header, it may not match as intended.
When using {my.host.com}, please make sure it requires an exact match. Some header parsers may add port numbers or change the case, which can cause mismatches.
OWASP policies are predefined managed rules, and their behavior is not always easy to change with exclusion rules, especially if the match conditions are too general.
For better accuracy, update the Match Variable to RequestHeaderName or RequestHeaderNames to specifically target the Host header. Alternatively, use RequestHeader and specify Host in the selector.
For example, ensure the exclusion applies to the specific OWASP rule ID you want to bypass. If no Match Rule IDs are set, the exclusion won’t be limited to a single rule, and misconfiguration may prevent it from working.
Finally, check that the transformation setting isn’t modifying the header value before matching, as changes like converting to lowercase can also lead to mismatches.
Hope this helps and let me know if you need more assistance!
If the above is unclear or you are unsure about something, please add a comment below.
-
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator
2025-06-27T15:37:33.96+00:00 Hello Jaco Fourie
Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back
Sign in to comment
Sign in to answer