Application Gateway rules are enabled
Security · Application Gateway · Rule · 2022_09 · Critical
Application Gateway Web Application Firewall (WAF) should have all rules enabled.
Description
Application Gateway instances with WAF allow OWASP detection/prevention rules to be toggled on or off. All OWASP rules are turned on by default.
When OWASP rules are turned off, the protection they provide is disabled.
Recommendation
Consider enabling all OWASP rules within Application Gateway instances.
Before disabling OWASP rules, ensure that the backend workload has alternative protections in place. Alternatively, consider updating application code to use safe web standards.
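One way to audit for this condition in exported ARM resources, as an added example (not PSRule's own implementation): it lists every OWASP rule or rule group switched off, both in the gateway's built-in webApplicationFirewallConfiguration.disabledRuleGroups and, going beyond the page, in a WAF policy's managedRules ruleGroupOverrides. The resource names and rule selections below are constructed sample data.

```python
import json

# Constructed sample data (not a real deployment): an Application Gateway with
# the built-in WAF configuration, plus a WAF policy using rule group overrides.
SAMPLE_APPGW = json.loads("""{
  "type": "Microsoft.Network/applicationGateways", "name": "appgw-sample",
  "properties": {"webApplicationFirewallConfiguration": {
    "enabled": true, "firewallMode": "Prevention",
    "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
    "disabledRuleGroups": [
      {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI", "rules": [942100, 942200]},
      {"ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT"}]}}}""")

SAMPLE_POLICY = json.loads("""{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "name": "wafpolicy-sample",
  "properties": {"managedRules": {"managedRuleSets": [{
    "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
    "ruleGroupOverrides": [{"ruleGroupName": "REQUEST-931-APPLICATION-ATTACK-RFI",
      "rules": [{"ruleId": "931100", "state": "Disabled"},
                {"ruleId": "931110", "state": "Enabled"}]}]}]}}}""")


def disabled_owasp_rules(resource):
    """Return [(ruleGroupName, rule_id_or_'ALL'), ...] for every OWASP rule
    switched off in either resource shape. An empty list means all rules are on."""
    props = resource.get("properties", {})
    findings = []
    # Shape 1: built-in WAF configuration on the gateway itself.
    waf = props.get("webApplicationFirewallConfiguration") or {}
    for group in waf.get("disabledRuleGroups") or []:
        name = group.get("ruleGroupName", "<unknown>")
        rules = group.get("rules")  # absent => the whole group is disabled
        findings += [(name, str(r)) for r in rules] if rules else [(name, "ALL")]
    # Shape 2: WAF policy with per-rule overrides on managed rule sets.
    for rule_set in props.get("managedRules", {}).get("managedRuleSets") or []:
        for group in rule_set.get("ruleGroupOverrides") or []:
            name = group.get("ruleGroupName", "<unknown>")
            for rule in group.get("rules") or []:
                if rule.get("state", "Enabled").lower() == "disabled":
                    findings.append((name, str(rule.get("ruleId"))))
    return findings


def check(resource):
    """True when every OWASP rule is enabled (the state this rule recommends)."""
    return not disabled_owasp_rules(resource)


if __name__ == "__main__":
    for res in (SAMPLE_APPGW, SAMPLE_POLICY):
        print(res["name"], "pass" if check(res) else "fail", disabled_owasp_rules(res))
```

Every finding is a reason to either re-enable the rule or document the compensating control the Recommendation above asks for.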
Links
- Best practices for endpoint security on Azure
- Securing PaaS deployments
- What is Azure Web Application Firewall on Azure Application Gateway?
- Web Application Firewall CRS rule groups and rules
- Web Application Firewall best practices