Create Managed Rule Exclusion to exclude a rule on a particular host

Question

Create Managed Rule Exclusion to exclude a rule on a particular host

Jaco Fourie 0

Hi, I am trying to create an exclusion rule on a particular OWASP policy code to exclude a particular host name. I include the rule and use the following:

Match Variable: Request Header Values

Operation: Equals

Select: {my.host.com}

I've tried various other types of exclusions looking at the detailed data and creating rules looking at Arg Keys etc... but I feel this does not work and does not do anything? I view the Firewall logs and still see the messages Match and coming through. Does this even work?

However, I have created some Custom rules which seem to work fine, but I don't want to exclude a hostname from all OWASP rules.

Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-06-27T15:37:33.96+00:00

Hello Jaco Fourie

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-06-30T10:49:25.0866667+00:00

Hello Jaco Fourie

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back

1 answer

Your answer

Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-06-27T15:37:33.96+00:00

Hello Jaco Fourie

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back
Ganesh Patapati 8,755 Reputation points Microsoft External Staff Moderator

2025-06-30T10:49:25.0866667+00:00

Hello Jaco Fourie

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back

Answer 1

Hello Jaco Fourie

Request Header Values is a broad option since it checks all values in all headers, not just a specific one like Host. Unless the hostname is explicitly included in a custom header, it may not match as intended.

When using {my.host.com}, please make sure it requires an exact match. Some header parsers may add port numbers or change the case, which can cause mismatches.

OWASP policies are predefined managed rules, and their behavior is not always easy to change with exclusion rules, especially if the match conditions are too general.

For better accuracy, update the Match Variable to RequestHeaderName or RequestHeaderNames to specifically target the Host header. Alternatively, use RequestHeader and specify Host in the selector.

For example, ensure the exclusion applies to the specific OWASP rule ID you want to bypass. If no Match Rule IDs are set, the exclusion won’t be limited to a single rule, and misconfiguration may prevent it from working.

Finally, check that the transformation setting isn’t modifying the header value before matching, as changes like converting to lowercase can also lead to mismatches.

Hope this helps and let me know if you need more assistance!

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Create Managed Rule Exclusion to exclude a rule on a particular host

1 answer

Your answer