Customized web requests and responses in Amazon WAF
This section explains how to add custom web request and response handling behavior to your Amazon WAF rule actions and default web ACL actions. Your custom settings apply whenever the action they're attached to applies.
You can customize web requests and responses in the following ways:
- With Allow, Count, CAPTCHA, and Challenge actions, you can insert custom headers into the web request. When Amazon WAF forwards the web request to the protected resource, the request contains the entire original request plus the custom headers that you've inserted. For the CAPTCHA and Challenge actions, Amazon WAF only applies the customization if the request passes the CAPTCHA or challenge token inspection.
- With Block actions, you can define a complete custom response, with response code, headers, and body. The protected resource responds to the request using the custom response provided by Amazon WAF. Your custom response replaces the default Block action response of 403 (Forbidden).
Action settings that you can customize
You can specify a custom request or response when you define the following action settings:
- Rule action. For information, see Using rule actions in Amazon WAF.
- Default action for a web ACL. For information, see Setting the web ACL default action in Amazon WAF.
Action settings that you cannot customize
You cannot specify custom request handling in the override action for a rule group that you use in a web ACL. See Using web ACLs with rules and rule groups in Amazon WAF. Also see Using managed rule group statements in Amazon WAF and Using rule group statements in Amazon WAF.
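As an added example (not part of the Amazon WAF documentation), the following Python function audits a web ACL definition for the customizations described above: it lists the headers that request-side actions insert, and flags Block responses that reference an undefined body key and custom request handling placed in a rule group override action. It assumes the WAFV2 API JSON field names; the function name `audit_customizations` is hypothetical, and the sample web ACL is constructed and trimmed (no statements, priorities, or visibility settings).

```python
# Added example: lint a web ACL definition (WAFV2 JSON shape) for custom
# request/response settings. Function name and sample data are assumptions.
REQUEST_ACTIONS = ("Allow", "Count", "Captcha", "Challenge")
HEADER_PREFIX = "x-amzn-waf-"  # WAF prepends this to every inserted header name

def audit_customizations(web_acl):
    """Return (inserted_headers, findings) for one web ACL dict."""
    bodies = web_acl.get("CustomResponseBodies", {})
    inserted, findings = [], []

    def check_action(where, action):
        for kind, settings in action.items():
            handling = settings.get("CustomRequestHandling")
            if handling and kind in REQUEST_ACTIONS:
                for h in handling.get("InsertHeaders", []):
                    inserted.append((where, kind, HEADER_PREFIX + h["Name"]))
            response = settings.get("CustomResponse")
            if response and kind == "Block":
                key = response.get("CustomResponseBodyKey")
                if key and key not in bodies:
                    findings.append(f"{where}: body key '{key}' is not defined")

    check_action("DefaultAction", web_acl.get("DefaultAction", {}))
    for rule in web_acl.get("Rules", []):
        check_action(rule["Name"], rule.get("Action", {}))
        # Rule group references carry OverrideAction instead of Action.
        for kind, settings in rule.get("OverrideAction", {}).items():
            if settings.get("CustomRequestHandling"):
                findings.append(f"{rule['Name']}: custom request handling in override action")
    return inserted, findings

# Constructed sample: one valid header insertion, one Block response with a
# mistyped body key, and one override action carrying request handling.
SAMPLE_ACL = {
    "DefaultAction": {"Allow": {}},
    "CustomResponseBodies": {
        "blocked-json": {"ContentType": "APPLICATION_JSON", "Content": '{"error":"blocked"}'}},
    "Rules": [
        {"Name": "tag-suspect", "Action": {"Count": {"CustomRequestHandling": {
            "InsertHeaders": [{"Name": "suspect", "Value": "true"}]}}}},
        {"Name": "block-bad-ips", "Action": {"Block": {"CustomResponse": {
            "ResponseCode": 429, "CustomResponseBodyKey": "blocked-jsn"}}}},
        {"Name": "vendor-group", "OverrideAction": {"Count": {"CustomRequestHandling": {
            "InsertHeaders": [{"Name": "grp", "Value": "1"}]}}}},
    ],
}
```

The returned header list shows the names the protected resource actually receives, which is what an origin should match on when it relies on a WAF-inserted header.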
Temporary inconsistencies during updates
When you create or change a web ACL or other Amazon WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
The following are examples of the temporary inconsistencies that you might notice during change propagation:
- After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
- After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
- After you change a rule action setting, you might see the old action in some places and the new action in others.
- After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
Limits on your use of custom requests and responses
Amazon WAF defines maximum settings for your use of custom requests and responses. For example, there is a maximum number of request headers per web ACL or rule group, and a maximum number of custom headers for a single custom response definition. For information, see Amazon WAF quotas.