Skip to content

Custom rule definitions

QuantWAF allows developers and security experts to provide configuration values to further customize the firewall’s behavior. This enables further configuration for the Core Rule Set that is provided by Coraza and allows completely custom rules to be included in the firewall.

Writing a custom rule

QuantWAF will load all .conf files that are present in /opt/proxy_config/custom-rules. Rules are written in the ModSecurity rules language.

Overriding configuration values

ModSecurity comes preconfigured with a number of variables that are used by the rulesets. These rules are defined as default values if no prior rule has set them. This enables fine-tuning of a number of parameters for the firewall.

Sample configuration value

The WAF’s default allowed content types are:

  • application/cloudevents-batch+json
  • application/cloudevents+json
  • application/csp-report
  • application/json
  • application/octet-stream
  • application/soap+xml
  • application/x-amf
  • application/xml
  • application/xss-auditor-report
  • application/x-www-form-urlencoded
  • multipart/form-data
  • multipart/related
  • text/plain
  • text/xml

Drupal relies heavily on the JSON:API specification which states that the application/vnd.api+json content type should be used when making requests. Requests that use this content type will be blocked.

This can be overridden by providing a custom .conf file that sets the allowed_request_content_type variable. For example:

# Default HTTP policy: allowed_request_content_type (rule 900220)
SecRule &TX:allowed_request_content_type "@eq 0" \
"id:1,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0-rc1',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/vnd.api+json|'"