Overview
Menu

Exception Rules

Overview

Exception rules provide a centralized allowlist configuration option, allowing for quick configuration of valid requests to be released, avoiding interception by other modules. In addition, when EdgeOne's built-in preset protection strategies (such as CC attack defense, managed rules, etc.) do not accurately identify valid requests, exception rules can provide you with fine-tuning configuration, accurately specifying the requests or request parameters that need to be released.
Note:
In the Exception rules for protection, partial request skip the scan function, which is only supported by the EdgeOne Enterprise plan.

Typical Scenarios and Usage

Exception rules can be used to specify normal requests with specific features to skip scanning of specified modules or specified rules based on existing protection strategies.
Note:
1. Supports skipping custom rules, rate limiting, CC attack defense, and managed rule protection modules.
2. If you need to skip the bot management module, please use Bot Management > Exception Rules or custom bot rules for configuration.

Example Scenario 1: Specify high-frequency API interface requests to skip CC attack defense scanning

The current site domain name is api.example.com, and the API interface for event reporting is /api/EventLogUpload. In the event of a business surge, there may be a burst of high-frequency access scenarios. Such access patterns are highly likely to be identified as attacks by CC attack defense and intercepted. For this interface, you can configure exception rules to skip the CC attack defense module to avoid false interception. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click security protection > Web Protection, enter the Web Protection details page, and select the domain name that needs to be protected in the left protection domain list, such as: api.example.com.
3. Find the Exception Rules card and click Settings. Enter the Web Protection Exception Rules list and click Add Rule.

4. In the Create Web Protection Exception Rule pop-up, fill in the rule name and select the exception type as Complete Request Skip Rule.

5. Configure the match condition and action. For example, configure the match field as request method equals POST, request path equals /api/EventLogUpload, and action as specifying the CC attack defense in the security protection module. Multiple match fields can be configured, and multiple simultaneous matches are considered "and" relationships. For a detailed introduction to match conditions, please refer to: Match Condition.

6. Click Confirm to complete the addition of this rule. At this point, the POST request for the event log reporting API interface will not be intercepted by the CC attack defense module, avoiding the possibility of false interception due to high-frequency log reporting, while other interfaces can be normally detected and protected.

Example Scenario 2: Avoid false interception of personal blog content by vulnerability protection

The current site domain name is blog.example.com, which is used for blog content sharing. The blog is based on WordPress. The blog content may share technical content related text (such as: SQL and Shell command examples), and when publishing the blog, the blog content text may trigger the attack defense rule due to matching SQL injection attack features. Through exception rules, you can configure request parameter allowlist, match the blog publishing API interface path /wp/v2/posts, and specify that the text parameter Content in the publishing content request does not participate in SQL injection attack rule scanning, avoiding false alarms and interception of blog content. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click security protection > Web Protection, enter the Web Protection details page, and select the domain name that needs to be protected in the left protection domain list, such as: api.example.com.
3. Find the Exception Rules card and click Settings. Enter the Web Protection Exception Rules list and click Add Rule.

4. In the Create Web Protection Exception Rule pop-up, fill in the rule name and select the exception type as Partial Request Field Skip Rule Scanning.



5. Configure the match condition and action. Referring to the example scenario, you can configure the match field as request path equals /wp/v2/posts, and the action as specifying all SQL injection attack defense rules in the managed rule package, not scanning the JSON request content with the specified parameter name equals content, and the parameter value wildcard match is *. For a detailed introduction to match conditions, please refer to: Match Condition.



6. Click Confirm to complete the addition of this rule. At this point, when the request path equals /wp/v2/posts to publish a blog post, the blog content will not be verified by the SQL injection attack defense rule, avoiding normal text content being mistakenly scanned as attack behavior.

Related References

The exception field types supported when skipping rule scanning for partial request fields are as follows:
Category
Option
JSON Request Content
All parameters
Match specified parameter name
Match condition parameter
Cookie Header
All parameters
Match specified parameter name
Match condition parameter
HTTP Header Parameters
All parameters
Match specified parameter name
Match condition parameter
URL Encoded Content or Query Parameters
All parameters
Match specified parameter name
Match condition parameter
Request Path URI
Query parameter part
Partial path
Complete path
Request Body Content
Complete request body
Segmented file name
Note:
Match condition parameters are completed by specifying both parameter name and parameter value match conditions, and both parameter name and value support full match and wildcard match.