WAFRulePolicy — Web Application Firewall Rule Hygiene
32 WAF rules across OWASP Core Rule Set 4.x + custom rules. Per rule: action (block / log / count / disabled), 7-day fired/blocked stats, false-positive rate, last-tuned date, paranoia level. Surfaces 4 rules with FP rate >15%, 2 stuck in count-mode for >90 days (decide: promote or remove), 1 rule unfired for 18 months.
What it is
The shape behind every healthy WAF deployment. Most teams enable the OWASP CRS, set everything to block, and let it run. WAFRulePolicy is the audit that asks: which rules are blocking real attacks, which are noise, which are stuck, which are zombie rules from a threat that no longer exists.
What’s in it
- 32 rules spanning OWASP CRS 4.x + custom:
  - OWASP CRS 4 — SQLi (UNION / boolean / time-based), XSS (reflected / DOM), LFI / RFI, RCE, PHP injection (disabled — we don’t run PHP), Java RCE / Log4Shell, XXE, session fixation, paranoia-level 4 (stuck in count-mode 180d at 42% FP)
  - Custom — bot UA list, datacenter ASN block, rate-limit per IP, geo-block (OFAC SDN nations), Tor block (log-only), credential-stuffing, GraphQL introspection block, SSRF/metadata-IP block (PT-001 fix), open-redirect (PT-003 fix), method enumeration, slowloris, large-payload, mass-assignment guard (PT-009)
- Per-rule shape:
  - Action (block / log / count / disabled)
  - 7-day fired count + blocked count + block-rate %
  - False-positive rate
  - Last-tuned days ago
  - Paranoia level (1-4)
  - Status classifier (healthy / noisy / stuck-count / unused)
- 4 noisy rules surfaced — datacenter ASN block (0.42% FP volume), CRS PL=4 (42% FP), high-velocity scraper (28% FP), GraphQL introspection (18% FP — dev-env leakage).
- Per-rule recommendation — keep / tune / promote / demote / remove with explicit rationale.
- ModSecurity rule-preview copy-pasteable per rule.
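The status classifier and keep / tune / promote / demote / remove recommendation described above, as an added vanilla-JavaScript example that is not WAFRulePolicy's own code. The record field names, the 18-month "unused" cutoff and the FP-based promote-or-remove split for stuck count-mode rules are assumptions; the sample records are constructed, not the page's real stats.

```javascript
// Thresholds: the first two come from the page, the third is an assumed cutoff.
const NOISY_FP_PCT = 15;      // page: FP rate above 15% is noisy
const STUCK_COUNT_DAYS = 90;  // page: count-mode for more than 90 days is stuck
const UNUSED_DAYS = 548;      // assumed: ~18 months without a single hit is unused

// 7-day block-rate % from the fired/blocked counters (0 when the rule never fired).
function blockRatePct(rule) {
  return rule.fired7d ? Math.round((rule.blocked7d / rule.fired7d) * 1000) / 10 : 0;
}

// Priority order matters: a dead rule is "unused" even if it also sits in count-mode.
function classify(rule) {
  if (rule.lastFiredDays >= UNUSED_DAYS) return "unused";
  if (rule.action === "count" && rule.countModeDays > STUCK_COUNT_DAYS) return "stuck-count";
  if (rule.fpRate > NOISY_FP_PCT) return "noisy";
  return "healthy";
}

// keep / tune / promote / demote / remove, each with an explicit rationale string.
function recommend(rule) {
  const status = classify(rule);
  if (status === "unused")
    return { status, action: "remove", why: `no hits in ${rule.lastFiredDays}d` };
  if (status === "stuck-count")           // page: decide promote or remove (split is assumed)
    return rule.fpRate <= NOISY_FP_PCT
      ? { status, action: "promote", why: `count-mode ${rule.countModeDays}d, FP ${rule.fpRate}% is low: promote to block` }
      : { status, action: "remove", why: `count-mode ${rule.countModeDays}d and still ${rule.fpRate}% FP` };
  if (status === "noisy")
    return rule.action === "block"
      ? { status, action: "demote", why: `FP ${rule.fpRate}% while blocking: move to log until tuned` }
      : { status, action: "tune", why: `FP ${rule.fpRate}% in ${rule.action} mode` };
  return { status, action: "keep", why: `FP ${rule.fpRate}%, block-rate ${blockRatePct(rule)}%` };
}

// Constructed sample records (illustrative values, not the page's real statistics).
const SAMPLE_RULES = [
  { id: "crs-pl4", action: "count", fired7d: 900, blocked7d: 0, fpRate: 42, countModeDays: 180, lastFiredDays: 0 },
  { id: "graphql-introspection", action: "block", fired7d: 60, blocked7d: 60, fpRate: 18, countModeDays: 0, lastFiredDays: 1 },
  { id: "method-enumeration", action: "count", fired7d: 40, blocked7d: 0, fpRate: 3, countModeDays: 120, lastFiredDays: 2 },
  { id: "ssrf-metadata-ip", action: "block", fired7d: 120, blocked7d: 118, fpRate: 0.1, countModeDays: 0, lastFiredDays: 0 },
  { id: "legacy-rule", action: "log", fired7d: 0, blocked7d: 0, fpRate: 0, countModeDays: 0, lastFiredDays: 560 },
];

// Audit = one recommendation per rule plus a status histogram for the summary line.
function audit(rules) {
  const rows = rules.map(r => ({ id: r.id, ...recommend(r) }));
  const counts = rows.reduce((c, r) => ({ ...c, [r.status]: (c[r.status] || 0) + 1 }), {});
  return { rows, counts };
}
```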
Why this shape
WAF rule hygiene is the work nobody does until the SOC team is drowning in false positives or the auditor asks “show me the last 12 months of WAF tuning”. OWASP CRS recommends paranoia-aware tuning + count-then-block promotion. PCI-DSS v4.0 Req 6.4.2 mandates a WAF for any web-facing CDE. SOC2 CC6.6 (boundary protection) demands documented effectiveness. WAFRulePolicy prototypes the audit.
How it ships
Single HTML file, ~16KB. Zero dependencies. 32 rules × 4 actions × FP-rate scoring + ModSecurity rule preview in 200 lines of vanilla JavaScript.