Creating a custom WAF rule

Creating a custom WAF rule lets you tailor Bunny Shield's Web Application Firewall to your specific security needs. By defining custom rules, you gain precise control over how your web applications are safeguarded, so you can fine-tune existing protections or address unique threats. Bunny Shield's advanced capabilities let you enhance your defences without compromising the seamless experience of legitimate users.

What you'll need

Before you dive in, make sure you have the following prerequisites in place:

  • A bunny.net account (Log in or sign up for a free trial).
  • An existing Shield Zone.
  • Advanced Plan or above on the existing Shield Zone.
  • Your AccessKey or JWT for API authentication.

These prerequisites ensure you have the necessary access and permissions to create and manage custom WAF rules effectively.

Creating a custom WAF rule

To get started, first ensure you understand the fundamentals of how we build a custom WAF rule on Bunny Shield. You can check out our Understanding Rule Engine documentation for more information.

Consider a rule that processes each HTTP request by extracting only the REQUEST_URI (Variable), converting it to lowercase, and removing whitespace (Transformations). It then checks whether the transformed REQUEST_URI exactly matches (Operator) '/blockedpath' (Operator Value). If a match is found, our WAF Engine will block (Response Action) the request, halting further rule processing and intercepting the request.
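The evaluation order described above (Variable, Transformations, Operator, Response Action), modeled locally as an added example; it is not Bunny Shield's engine, rule schema or API. The class and function names, the `begins_with` operator, the sample URIs and the assumption that REQUEST_URI carries the query string are all illustrative.

```python
# Local model of the rule described above. All names are illustrative
# assumptions, not Bunny Shield's engine, schema or API.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Transformations named in the text: lowercase, then remove whitespace.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "lowercase": str.lower,
    "remove_whitespace": lambda s: "".join(s.split()),
}

# The text uses an exact match; "begins_with" is a hypothetical operator
# added to this model only for comparison.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, expected: value == expected,
    "begins_with": lambda value, expected: value.startswith(expected),
}

@dataclass
class Rule:
    variable: str
    transformations: List[str]
    operator: str
    operator_value: str
    action: str

def evaluate(rule: Rule, request: Dict[str, str]) -> Optional[str]:
    """Return the rule's action if the request matches, otherwise None."""
    value = request.get(rule.variable, "")
    for name in rule.transformations:  # applied in the listed order
        value = TRANSFORMS[name](value)
    if OPERATORS[rule.operator](value, rule.operator_value):
        return rule.action
    return None

BLOCKED_PATH_RULE = Rule("REQUEST_URI", ["lowercase", "remove_whitespace"],
                         "equals", "/blockedpath", "block")

# Constructed sample URIs (assumption: REQUEST_URI includes the query string).
SAMPLES = ["/blockedpath", "/BlockedPath", "/blocked path",
           "/blockedpath/", "/blockedpath?ref=1", "/home"]

def coverage(rule: Rule) -> Dict[str, Optional[str]]:
    """Map each sample URI to the action the rule would take on it."""
    return {uri: evaluate(rule, {"REQUEST_URI": uri}) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, action in coverage(BLOCKED_PATH_RULE).items():
        print(f"{uri!r:24} -> {action or 'no match'}")
```

Running the sample set before deploying a rule shows which request variants an exact match covers and which would need a broader operator.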

With the basics covered, you can now create highly effective WAF rules tailored to protect your site with customized mitigation strategies.

Examples of custom WAF rules

To illustrate how you can implement custom WAF rules, here are some practical examples:


Log request if the specific cookie is set and has a specific value

If you want to log requests that contain a specific cookie with a particular value, you can create a rule as follows:


Challenge request if a specific path is accessed

To challenge a user when they access a specific path, you can define a rule like this:


Block request if User-Agent is a known crawler

To block requests that have a User-Agent matching a known crawler, the rule would be:


By customizing these rules, you can effectively mitigate specific threats and enforce security policies tailored to your application's needs.

Need help or encountering issues?

If you encounter any difficulties or have questions, our support team is here to assist you. Please don't hesitate to contact us via the support request form for prompt assistance.

Our dedicated support team is ready to help you resolve any issues you might face during the deployment process, provide additional guidance, or answer your questions.