Azure WAF exclusions clarity of 920420

Question

Azure WAF exclusions clarity of 920420

Alex 515

Hello,Good day!

In Azure Frontdoor and AppGw WAF logs, I recently saw some requests were getting blocked by the ruleID 920420.

Upon checking the logs, it said matchVariableName 'Header Value: Content-type' and matchVariableValue 'application/gzip' is not allowed by the policy, which is basically that ruleID 920420.

Couple of queries:

Does 920420 ruleID evaluates/inspects only the Content-Type header in the requests?
If yes, then creating an exclusion with matchVariable as HeaderName Equals Content-type, is basically equivalent to disabling that ruleID, right?

Alex 515 Reputation points

2025-07-23T23:26:01.8433333+00:00

Hi Sree,

Thank you for the help.

Follow-up question:

Since creating an exclusion with Request header name Equals Content-Type for 920420 would be equivalent to disabling that ruleID, as this rule specifically inspects only that header, is it possible to specifically exclude application/gzip value?

I don't want to create a custom rule for this, because, i believe, if the custom rule matches and allows that request, it bypasses evaluation of all managed WAF rules, right?
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-24T22:41:45.6166667+00:00

Hello Alex

Thanks for the follow up question.

You're absolutely right in your understanding of Azure WAF rule ID 920420. This rule specifically inspects the Content-Type header to detect potentially risky or non-standard values such as application/gzip.

Can we exclude only the application/gzip value from triggering rule 920420?

Currently, Azure WAF does not support value-based exclusions for specific header values. When you create an exclusion with:

matchVariable": "RequestHeaderNames",

"selectorMatchOperator": "Equals",

"selector": "Content-Type

This means all values of Content-Type will bypass evaluation by this rule—not just application/gzip.

Why not use a custom rule to allow application/gzip?

You're correct, custom rules are evaluated before managed rules, and if a custom rule matches and allows a request, all managed rules are skipped for that request. This can unintentionally bypass other important security checks, which is why it's generally not recommended unless you're confident in the safety of the traffic.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-25T20:19:00.3966667+00:00

Hello Alex

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-28T19:00:55.1433333+00:00

Hi Alex

I wanted to follow up and check if you had the opportunity to review the information provided in our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.

1 answer

Your answer

Alex 515 Reputation points

2025-07-23T23:26:01.8433333+00:00

Hi Sree,

Thank you for the help.

Follow-up question:

Since creating an exclusion with Request header name Equals Content-Type for 920420 would be equivalent to disabling that ruleID, as this rule specifically inspects only that header, is it possible to specifically exclude application/gzip value?

I don't want to create a custom rule for this, because, i believe, if the custom rule matches and allows that request, it bypasses evaluation of all managed WAF rules, right?
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-24T22:41:45.6166667+00:00

Hello Alex

Thanks for the follow up question.

You're absolutely right in your understanding of Azure WAF rule ID 920420. This rule specifically inspects the Content-Type header to detect potentially risky or non-standard values such as application/gzip.

Can we exclude only the application/gzip value from triggering rule 920420?

Currently, Azure WAF does not support value-based exclusions for specific header values. When you create an exclusion with:

matchVariable": "RequestHeaderNames",

"selectorMatchOperator": "Equals",

"selector": "Content-Type

This means all values of Content-Type will bypass evaluation by this rule—not just application/gzip.

Why not use a custom rule to allow application/gzip?

You're correct, custom rules are evaluated before managed rules, and if a custom rule matches and allows a request, all managed rules are skipped for that request. This can unintentionally bypass other important security checks, which is why it's generally not recommended unless you're confident in the safety of the traffic.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-25T20:19:00.3966667+00:00

Hello Alex

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-28T19:00:55.1433333+00:00

Hi Alex

I wanted to follow up and check if you had the opportunity to review the information provided in our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.

Answer 1

Hi Alex

Rule ID 920420 is part of the OWASP Core Rule Set (CRS) used by Azure WAF (both App Gateway and Front Door). This rule is designed to detect potentially malicious or unexpected content types in HTTP headers, particularly the Content-Type header.> Does 920420 ruleID evaluates/inspects only the Content-Type header in the requests?

If yes, then creating an exclusion with matchVariable as HeaderName Equals Content-type, is basically equivalent to disabling that ruleID, right?

Yes, your understanding is correct.

Azure WAF rule ID 920420 specifically inspects the Content-Type header in incoming HTTP requests. It is part of the Default Rule Set (DRS) and is categorized under protocol enforcement. The rule is triggered when the Content-Type header contains a value that is not allowed by policy, such as application/gzip, */*, or other non-standard or potentially risky types

Creating an exclusion with matchVariable set to RequestHeaderNames and selectorMatchOperator set to Equals with selector as Content-Type is not entirely equivalent to disabling ruleID 920420, but it effectively prevents the rule from evaluating the Content-Type header, achieving a similar outcome for that specific header. Here's the detailed explanation based on Microsoft documentation:

For further guidance, you might consider checking out the Web Application Firewall exclusion lists documentation, which covers how to configure these exclusions effectively.

I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Azure WAF exclusions clarity of 920420

1 answer

Your answer