Thanks for the question! We are investigating and will update you shortly.

@rfcdejong when working with templates, a good starting point is to make the change in the portal or PowerShell / CLI, and then use resources.azure.com to view how it is expressed in the JSON.

@rfcdejong We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

@TravisCragg-MSFT I don't think the original question was just about how to use the CLI, PowerShell or ARM... there doesn't seem to be any examples of how to do this through the portal either. For example, if I don't want the WAF to inspect the id_token in form data (as it sometimes contains a "--" which is seen as SQL injection) how do I do this?

Hi, indeed samples are missing !
i am interested for example to exclude submission of multi part file uploads.
what value should i put in the request-header exclusion ? "Content-Type: multipart" ?!?!? please - samples would be helpfull !

@pierslawson @TheILPlace Thanks for the feedback! I am reopening this issue and assigning it to the content author to evaluate and update as appropriate.

@rfcdejong
Examples added.

It's still not really clear to me. The samples provided are very generic.

What I understand from the current docs is that you can exclude things based on:

• Request header
• Request cookie
• Request body

A request header consists of two things: the name of the header and it's value. Based on the portal actually stating "Request header name", I'm assuming it will only match based on the name of the header and NOT it's value.

So assume that I've got a request header "Host" which contains the URL of the page, in that case the exclusions only allow me to check if is a header named "Host" is present. They do not allow me to filter based on the actual URL in that field, is that correct?

If this is the case, and I believe it is, the docs should reflect that. And from a functionality point of view that's killing, cause what good is header key checking going to bring me if pretty much all HTTP headers are featuring similar keys. It's the value part that's the interesting bit. If anyone can clear this up that would be much appreciated.

I'm also in the dark about whether the exemption are supposed to match the header name or the header value. The documentation could be a lot clearer. Active Directory inserted tokens are specifically called out as a common example, but the example rules don't seem to apply to this scenario.

I believe the exemption matches on header name (as you say the documentation does not make this clear). What it also does not make clear is that the exemption is only for bad content in the value of a matching header. If the header name itself contains "bad content" the exemption does not work. So a "Starts With" exemption of "_id" does not stop a header name of "_id--xyz" causing a SQL Injection detection being made.

Just to echo some of the earlier comments more detail / examples would be much appreciated along with functionality to allow "complex" exclusions. This is in part because we do not want to be less restrictive than we need to be.

Things like:

• Exclude a field selector (ie. header name) and contents as stated above in @jsiegmund post
• Exclude a cookie that contains "X" when it triggers rule "Y"
• Exclude an attribute when trying to access a URL containing "Z"

This would allow us to ensure we're being as specific as we can when allowing traffic.

@rfcdejong
More clarification was added to the article: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration#waf-exclusion-lists

please-close

@rfcdejong We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

@TravisCragg-MSFT @vhorne I'm not sure if it is a bug with the WAF or the documentation, but if the header you are trying to exclude using an Exact Match contains a full stop, the matching does not work... You have to change the exclusion to a Starts With for the part of the header up to the full stop.

I'd also like to mention that the exclusion only stops the checking of the header value, the header name is still checked. This makes it impossible to use the WAF in front of an ASP.Net Core application that uses OAuth without disabling two SQL Injection rules for the entire site... see this issue:

https://github.com/aspnet/AspNetCore/issues/4589

Neither side seems to be taking responsibility!

This is still very unclear to me. I understand "Request cookie name" and "Request header name", but what is "Request attribute name"? What is an attribute in that context? The documentation talks about attributes by saying we can filter a querystring based on the header value only, which does not make any sense to me:

You can specify an exact request header, body, cookie, or query string attribute match. Or, you can optionally specify partial matches. The exclusion is always on a header field, never on its value.

So how can I match something on the querystring for example? Or more specifically (and much more useful), how can I match something for specific routes? The example I'm looking for specifically is disabling the WAF body check on large uploads; I would ignore the body for the route in this specific case, but based on the documentation I have no idea if that's possible or not. (Note: I'm not looking for help here, but explaining what is my need when reading the documentation)

Using the portal it is possible to add Request header name, Request cookie name and Request attribute name. What exactly is the name for. How to add exclusions in powershell, CLI or in anARM template? I'm missing that documentation.

Document Details

⚠ _Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking._

• ID: c0c27cd7-15fd-7358-9740-734cfa6b641f
• Version Independent ID: 9cbc5678-98e1-3c21-df0a-81d8b7e21241
• Content: Web application firewall request size limits and exclusion lists in Azure Application Gateway - Azure portal
• Content Source: articles/application-gateway/application-gateway-waf-configuration.md
• Service: application-gateway
• GitHub Login: @vhorne
• Microsoft Alias: victorh

This thread was closed two times already but original question asked by author of this thread is not addressed: "It's not explained in the WAF docs what are the exact names used PowerShell/CLI for Request header name, Request cookie name and Request attribute name.

Please add these names in docs + description what they are:
RequestArgNames
RequestCookieNames
RequestHeaderNames

It took me ages to find out them - it's not possible to List Exclusions using resources.azure.com (it uses old API ver: 2018-07-01). I had to use Postman and use API ver 2018-11-01, then it listed Exclusions and find out what are exact names. Would save me many hours having this info in Docs.

Also, the bugs within WAF persist around matching. There is nowhere to report them other than UserVoice which appears more about feature requests than bugs. Another added regarding Exact match bug:

https://feedback.azure.com/forums/217313-networking/suggestions/38013085-web-application-firewall-exact-exculsion-does-not