Customized web requests and responses in Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Customized web requests and responses in Amazon WAF

This section explains how to add custom web request and response handling behavior to your Amazon WAF rule actions and default web ACL actions. Your custom settings apply whenever the action they're attached to applies.

You can customize web requests and responses in the following ways:

  • With Allow, Count, CAPTCHA, and Challenge actions, you can insert custom headers into the web request. When Amazon WAF forwards the web request to the protected resource, the request contains the entire original request plus the custom headers that you've inserted. For the CAPTCHA and Challenge actions, Amazon WAF applies the customization only if the request passes the CAPTCHA or challenge token inspection.

  • With Block actions, you can define a complete custom response, with response code, headers, and body. The protected resource responds to the request using the custom response provided by Amazon WAF. Your custom response replaces the default Block action response of 403 (Forbidden).

Action settings that you can customize

You can specify a custom request or response when you define the following action settings:

Action settings that you cannot customize

You cannot specify custom request handling in the override action for a rule group that you use in a web ACL. See Using web ACLs with rules and rule groups in Amazon WAF. Also see Using managed rule group statements in Amazon WAF and Using rule group statements in Amazon WAF.
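The pairing of customizations with actions described above, and the override-action restriction, can be checked offline before a web ACL is deployed. The following is an added example, not code from the Amazon WAF documentation: it assumes the web ACL is a Python dict in the WAFV2 API JSON shape, `lint_web_acl` is a hypothetical helper, the sample ACLs are constructed, and rule statements are omitted because the check does not read them.

```python
# Added example: field names follow the WAFV2 API shape; sample ACLs are constructed.
REQUEST_ACTIONS = {"Allow", "Count", "Captcha", "Challenge"}

def lint_web_acl(acl):
    """Return findings where custom handling is attached to the wrong action."""
    findings = []
    bodies = acl.get("CustomResponseBodies", {})
    actions = [("DefaultAction", acl.get("DefaultAction", {}))]
    for rule in acl.get("Rules", []):
        actions.append((rule["Name"], rule.get("Action", {})))
        # Rule group override actions cannot carry custom request handling.
        for setting in rule.get("OverrideAction", {}).values():
            if "CustomRequestHandling" in setting:
                findings.append(f"{rule['Name']}: custom request in override action")
    for where, action in actions:
        for kind, setting in action.items():
            if "CustomRequestHandling" in setting and kind not in REQUEST_ACTIONS:
                findings.append(f"{where}: {kind} cannot insert request headers")
            resp = setting.get("CustomResponse")
            if resp is None:
                continue
            if kind != "Block":
                findings.append(f"{where}: {kind} cannot return a custom response")
            if not 200 <= resp.get("ResponseCode", 0) <= 599:
                findings.append(f"{where}: response code outside 200-599")
            key = resp.get("CustomResponseBodyKey")
            if key is not None and key not in bodies:
                findings.append(f"{where}: body key {key!r} is not defined")
    return findings

# Constructed sample: Allow inserts a header, Block replaces the default 403.
GOOD_ACL = {
    "DefaultAction": {"Allow": {"CustomRequestHandling": {
        "InsertHeaders": [{"Name": "inspected", "Value": "true"}]}}},
    "CustomResponseBodies": {
        "denied": {"ContentType": "APPLICATION_JSON", "Content": '{"error":"denied"}'}},
    "Rules": [{"Name": "block-listed-ips", "Action": {"Block": {"CustomResponse": {
        "ResponseCode": 404, "CustomResponseBodyKey": "denied",
        "ResponseHeaders": [{"Name": "cache-control", "Value": "no-store"}]}}}}],
}
# Constructed sample with three mistakes the lint reports.
BAD_ACL = {
    "DefaultAction": {"Block": {"CustomRequestHandling": {
        "InsertHeaders": [{"Name": "inspected", "Value": "true"}]}}},
    "Rules": [{"Name": "count-bots", "Action": {"Count": {"CustomResponse": {
        "ResponseCode": 404, "CustomResponseBodyKey": "missing"}}}}],
}
if __name__ == "__main__":
    print("\n".join(lint_web_acl(BAD_ACL)))
```

Amazon WAF prefixes inserted header names with `x-amzn-waf-`, so the header in `GOOD_ACL` reaches the protected resource as `x-amzn-waf-inspected`.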

Temporary inconsistencies during updates

When you create or change a web ACL or other Amazon WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.

The following are examples of the temporary inconsistencies that you might notice during change propagation:

  • After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.

  • After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.

  • After you change a rule action setting, you might see the old action in some places and the new action in others.

  • After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

Limits on your use of custom requests and responses

Amazon WAF defines maximum settings for your use of custom requests and responses. For example, there is a maximum number of request headers per web ACL or rule group, and a maximum number of custom headers for a single custom response definition. For information, see Amazon WAF quotas.