July 04, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAF & OWASP Top Threats | SQL Injection | This policy has been updated to improve the detection of benchmark, sleep, Postgres pg_sleep, and wait-for-delay injections | Block | Block |
| WAF & OWASP Top Threats | XML External Entity | This policy has been updated to contain additional attack vectors | Block | Block |
| Allow Known Bots | Google Service bot | This policy allows general Google Service bot requests | N/A | Allow |

June 27, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAF & OWASP Top Threats | Protocol Attack | This policy has been updated to better detect CRLF injections | Block | Block |
| WAF & OWASP Top Threats | XSS Attack | This policy has been updated to improve the detection of HTML injection attacks | Block | Block |

June 20, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| NEW! Advanced API Protection | Non-Baselined API Requests | Enable a positive security policy that blocks requests to an API that is not part of the API baseline - more information can be found here. | N/A | Block |
| NEW! Advanced API Protection | API-Level Authorization | Block users who are NOT authorized from calling API endpoints tagged as 'admin' or 'privileged' - more information can be found here. | N/A | Block |
| NEW! Advanced API Protection | Sensitive Data Exposure | Block API responses that contain PII data. This check can be disabled for certain API endpoints by tagging them appropriately - more information can be found here. | N/A | Block |
| NEW! Advanced API Protection | Invalid API Traffic | Block API requests and responses that do not conform to a JSON structure. | N/A | Block |
| NEW! Advanced API Protection | Auth Token Protection | Prevent multiple authentication attempts and block access for users with multiple invalid token attempts - more information can be found here. | N/A | Block |
| Protocol Validation | Unknown User-Agent | This policy was updated to validate requests that present unknown User-Agent headers. | JS Validation | JS Validation |
| Protocol Validation | Prevent Malformed Request Methods | This policy was updated to block requests with missing or empty User-Agent headers. | N/A | Block |

June 13, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| Edge Rules | Tag Generating Rules | Introducing the 'Paid' Magic Tag, a new magic tag that has similar functionality to 'Registered' and 'Logged In' tags - more information can be found here. | N/A | Tag |

June 06, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| Allow Known Bots | Google Inspection Tool | Google Inspection Tool was added to the Known Bots ruleset. | N/A | Allow |
| Allow Known Bots | Google Store Bot | Google Store Bot was added to the Known Bots ruleset. | N/A | Allow |

May 16, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAF & OWASP Top Threats | Shellshock Attack | This policy has been improved to reduce the false-positive rate | Block | Block |

May 09, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAF & OWASP Top Threats | Code Injection | The policy has been improved to reduce false positives | Block | Block |
| WAF & OWASP Top Threats | XSS Attack | The policy has been improved to reduce false positives | Block | Block |

April 24, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| CMS Protection | Whitelist WordPress Admin | This policy was updated to improve the detection of logged-in WordPress admins | Allow | Allow |

April 04, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAF & OWASP Top Threats | SQL Injection | This policy has been updated to improve the detection of conditional SQL injection attempts | Block | Block |
| Allow Known Bots | | This policy's detection of the following bots has been improved: Workato, New Relic, Ahrefs, and more | Allow | Allow |

March 21, 2023

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| CMS Protection | Whitelist WordPress Admin | This policy was updated to improve the detection of logged-in WordPress admins | Allow | Allow |
| WAF & OWASP Top Threats | Code Injection | This policy has been updated to reduce false positives | Block | Block |
| WAF & OWASP Top Threats | XSS Attack | This policy has been updated to detect additional XSS filters | Block | Block |