Application Gateway rules are enabled

Security · Application Gateway · Azure.AppGw.WAFRules

Application Gateway Web Application Firewall (WAF) should have all rules enabled.

Description

Application Gateway instances with WAF allow OWASP detection/prevention rules to be toggled on or off. All OWASP rules are turned on by default.

When OWASP rules are turned off, the protection they provide is disabled.

Recommendation

Consider enabling all OWASP rules within Application Gateway instances.

Before disabling OWASP rules, ensure that the backend workload has alternative protections in place. Alternatively, consider updating application code to use safe web standards.
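One way to check a deployment template for turned-off rules before release, as an added example that is not part of the original page or the rule's own implementation. It assumes the gateway's WAF settings are embedded in the ARM resource under `properties.webApplicationFirewallConfiguration.disabledRuleGroups`; the gateway names and the template are constructed sample input.

```python
import json

# Constructed ARM template fragment (sample input, not from the page).
TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways", "name": "appgw-all-rules",
      "properties": {
        "webApplicationFirewallConfiguration": {
          "enabled": true, "firewallMode": "Prevention",
          "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
          "disabledRuleGroups": []
        }
      }
    },
    {
      "type": "Microsoft.Network/applicationGateways", "name": "appgw-rules-off",
      "properties": {
        "webApplicationFirewallConfiguration": {
          "enabled": true, "firewallMode": "Prevention",
          "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
          "disabledRuleGroups": [
            {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI", "rules": [942100]},
            {"ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS", "rules": []}
          ]
        }
      }
    }
  ]
}
""")

def disabled_waf_rules(template):
    """Map gateway name -> list of (rule group, disabled rule IDs or 'ALL')."""
    findings = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/applicationgateways":
            continue
        waf = res.get("properties", {}).get("webApplicationFirewallConfiguration") or {}
        for group in waf.get("disabledRuleGroups") or []:
            # An empty or missing "rules" list disables the whole rule group.
            rules = group.get("rules") or "ALL"
            findings.setdefault(res.get("name"), []).append((group.get("ruleGroupName"), rules))
    return findings

if __name__ == "__main__":
    print(disabled_waf_rules(TEMPLATE))
```

A gateway absent from the result has no disabled rule groups; any entry is a protection that was switched off and should be justified against the recommendation above.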


Last update: 2021-09-24