Azure WAF exclude specific content-type header
Hi community,
I am trying to make an exclusion for a rule ID which is triggered for [REQUEST_HEADERS:Content-Type:application/scim+json; charset=UTF-8]}. It seems pretty straightforward:
- Match on RequestHeaderValues contains: scim+json
However the rule continues to be triggered. It seems the exclusion is not working at all. Also tried by changing the match for RequestHeaderName contains 'scim+json' but still no success. If I use a match for Content-type it will basically allow any content-type which is not the purpose.
I would appreciate any advice if someone has done this.
Azure Web Application Firewall
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-09-19T10:42:28.19+00:00 Hi eenchev,
Thanks for your question on the Microsoft Q&A portal!
To help us investigate and resolve this for you quickly, could you please provide a few additional details:
- Which WAF SKU are you using—Azure Application Gateway WAF or Azure Front Door WAF?
- What version of the managed rule set are you using?
- What is the exact Rule ID being triggered?
- Are you applying the exclusion globally or per rule?
- Did you configure the exclusion using the correct match variable (e.g., RequestHeaderValues for Content-Type)?
- Have you tried matching the full header value, including charset and case sensitivity?
- Is the Content-Type header value consistent across requests, or does it vary?
- Have you tested the exclusion with controlled requests to isolate the behavior?
- Have you reviewed WAF logs to confirm which part of the request is triggering the rule?
- Has the WAF policy been fully deployed after making changes?
- Are there any custom rules that might conflict with your exclusion?
- Does the Rule ID inspect other parts of the request (e.g., body) that might affect exclusion behavior?
Looking forward to your response so we can assist you further.
Thanks,
Pranitha
-
eenchev • 10 Reputation points
2025-09-19T13:55:08.7166667+00:00 Hi Pranitha,
The exact log from the Application gateway is:
{application/scim+json found within [REQUEST_HEADERS:Content-Type:application/scim+json; charset=utf-8]}
The policy is WAF v2 on Application Gateway v2 using the latest Azure DRS 2.1 ruleset. The specific rule ID which is matched is 920420. Here are the rule exclusions implemented, both global and specific for the rule ID. I have tried only the specific one and only the global one, with no success.
{
  matchVariable: 'RequestHeaderValues'
  selectorMatchOperator: 'Contains'
  selector: 'scim+json'
  exclusionManagedRuleSets: []
}
{
  matchVariable: 'RequestHeaderValues'
  selectorMatchOperator: 'Contains'
  selector: 'scim+json'
  exclusionManagedRuleSets: [
    {
      ruleSetType: 'Microsoft_DefaultRuleSet'
      ruleSetVersion: '2.1'
      ruleGroups: [
        {
          ruleGroupName: 'PROTOCOL-ENFORCEMENT'
          rules: [
            {
              ruleId: '920420'
            }
          ]
        }
      ]
    }
  ]
}
I have tried with match selector 'application/scim+json' as well. WAF logs show only the message provided above: {application/scim+json found within [REQUEST_HEADERS:Content-Type:application/scim+json; charset=utf-8]}. I understand it to mean that specifically the request header value application/scim+json is the reason for the match.
I have to check about specific custom rules. Besides the KQL query on the ApplicationGatewayFirewallLog, is there a way to see more in-depth information about the rule matches?
Thank you for the suggestions.
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-09-22T10:32:50.4+00:00 Hi eenchev,
Thanks for the detailed follow-up and for sharing your configuration and logs!
You're using Azure Application Gateway WAF v2 with the latest Microsoft Default Rule Set (DRS) 2.1. A managed rule (ID 920420) is being triggered by the Content-Type header value:
application/scim+json; charset=utf-8
You've tried to exclude this header using the match variable RequestHeaderValues with a selector like scim+json, but the rule continues to fire. You've tested both global and rule-specific exclusions and confirmed that the WAF logs show the match is happening on the full header value.
This is because:
The issue is likely due to how WAF exclusions match the full header value, including case sensitivity and exact formatting. The match variable RequestHeaderValues expects a full and exact match (or a substring match depending on the operator), but the presence of charset=utf-8 and potential case differences may cause the exclusion to fail.
Also, the Content-Type header is not split automatically into MIME type and charset—so your selector must account for the full string.
Here are the recommended steps:
To exclude this specific header value from triggering rule 920420, try the following:
Use RequestHeaderValues with a full value match:
{
  "matchVariable": "RequestHeaderValues",
  "selectorMatchOperator": "Equals",
  "selector": "application/scim+json; charset=utf-8",
  "exclusionManagedRuleSets": [
    {
      "ruleSetType": "Microsoft_DefaultRuleSet",
      "ruleSetVersion": "2.1",
      "ruleGroups": [
        {
          "ruleGroupName": "PROTOCOL-ENFORCEMENT",
          "rules": [
            { "ruleId": "920420" }
          ]
        }
      ]
    }
  ]
}
Ensure the casing and spacing match exactly what appears in the WAF logs. If the logs show charset=utf-8, do not use charset=UTF-8.
Useful Microsoft documents:
I hope this helps to resolve the issue.
Thanks!
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-09-23T10:44:22.89+00:00 Hi eenchev,
Just checking to see if you have had a chance to check my previous response and whether it helped; do let me know if you have any further questions on this.
Thanks!
-
eenchev • 10 Reputation points
2025-09-23T12:22:10.8266667+00:00 Hi Pranitha,
I tried to add the exclusion as per your recommendation (both via Bicep code and Azure ARM). Apparently the whole string is not allowed: spaces and special characters like the semicolon are not allowed. Have you tested it?
I am trying to substitute with selector: 'application/scim+json%3B%20charset=utf-8'
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-09-24T08:03:01.7+00:00 Hi eenchev,
Thank you for detailing your scenario and for testing various exclusion options.
What's happening:
Azure Application Gateway WAF does not currently allow spaces, semicolons, or some other special characters in the selector field when creating exclusions for request headers. This is why trying to use the full string (e.g., application/scim+json; charset=utf-8) as the selector gives you an error, even though the log clearly shows this is the value being matched.
Why does this happen?
This is a documented product limitation. The selector field in an exclusion must only have letters, numbers, and some punctuation. Spaces, semicolons (;), slashes (/), and plus (+) symbols are not supported in the selector as of the latest WAF version. For reference, please see https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal and the known issues thread.
What can you do?
Unfortunately, there is no direct workaround to match the full header value with forbidden characters in the selector. Here are your current options:
- Use a partial match: Setting the selector to just scim or scim+json (with Contains or Equals) may work, but if that pattern could appear in other Content-Type headers, it will exclude those as well, which may not be what you want.
- Broaden the exclusion: Matching only on scim+json is often the narrowest allowed, but it won’t match the full string including the semicolon and charset. Double-check if this meets your security requirements.
- Custom Rules: As a last resort, consider creating a custom rule to allow this traffic, but be aware this could reduce protection for more than just this header.
Useful Microsoft document:
I hope this helps to resolve the issue.
Thanks!
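As an added example (not part of this thread and not Azure's own tooling), the following Python parses the ApplicationGatewayFirewallLog detail message quoted earlier in the thread, flags the selector characters the answer above says the exclusion field rejects, and models how the Equals/Contains/StartsWith/EndsWith/EqualsAny operators would compare a selector against the logged header value. The rejected-character set and the case-sensitive comparison are assumptions taken from the answers above; since the thread reports that the partial match did not take effect in practice, the model shows the intended behaviour to test against the WAF log, not a guarantee.

```python
import re
from dataclasses import dataclass

# Constructed sample with the same shape as the detail message the
# Application Gateway WAF log shows in this thread for rule 920420.
SAMPLE_DETAIL = ("{application/scim+json found within "
                 "[REQUEST_HEADERS:Content-Type:application/scim+json; charset=utf-8]}")
DETAIL_RE = re.compile(r"^\{(?P<matched>.+?) found within "
                       r"\[(?P<variable>[A-Z_]+):(?P<name>[^:\]]+):(?P<value>.*)\]\}$")

@dataclass(frozen=True)
class RuleMatch:
    matched: str   # substring the managed rule fired on
    variable: str  # request part, e.g. REQUEST_HEADERS
    name: str      # header name, e.g. Content-Type
    value: str     # full header value as the WAF saw it

def parse_detail(msg: str) -> RuleMatch:
    """Split a detail-message string from the firewall log into its parts."""
    m = DETAIL_RE.match(msg.strip())
    if not m:
        raise ValueError(f"unrecognised WAF detail message: {msg!r}")
    return RuleMatch(m["matched"], m["variable"], m["name"], m["value"])

# Assumption taken from the thread: the selector field rejects space, ';', '/'
# and '+'. Anything else is treated as accepted here; check the current docs.
FORBIDDEN = set(" ;/+")

def selector_problems(selector: str) -> list[str]:
    """Rejected characters present in a candidate selector (empty list = OK)."""
    return sorted({c for c in selector if c in FORBIDDEN})

def selector_would_match(selector: str, operator: str, value: str) -> bool:
    """Modelled operator semantics (case-sensitive, as advised above); not Azure's code."""
    if operator == "Equals":
        return selector == value
    if operator == "Contains":
        return selector in value
    if operator == "StartsWith":
        return value.startswith(selector)
    if operator == "EndsWith":
        return value.endswith(selector)
    if operator == "EqualsAny":
        return True
    raise ValueError(f"unknown selectorMatchOperator {operator!r}")

def usable_selectors(candidates: list[str], operator: str, value: str) -> list[str]:
    # Candidates that pass the character check and would match the logged value.
    return [s for s in candidates
            if not selector_problems(s) and selector_would_match(s, operator, value)]
```

Feed it the exact detail string from your own log entry; if the only candidates that survive are as broad as "scim", that is the scope the exclusion would have, which matches the trade-off described in the answer above.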
-
eenchev • 10 Reputation points
2025-09-24T14:34:14.6366667+00:00 Hi,
Thank you for confirming that special symbols are not allowed. As already mentioned initially, I tried with a partial match in the RequestHeaderValues and it seems it is not working.
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-09-26T16:32:42.19+00:00 Hi eenchev,
Hope you are doing well.
I’m looking into this for you and will follow up soon with a resolution.
Thanks
-
Pranitha Maddi • 1,195 Reputation points • Microsoft External Staff • Moderator
2025-10-09T17:09:58.6633333+00:00 Hi eenchev, hope you are doing well.
We have requested some details in a private message. Could you please check and share them in a message with us?
Thanks
-
Camilo Santana • 0 Reputation points
2025-10-24T21:31:59.88+00:00 I have the same problem. Why isn't the recommendation public? The partial match operators don't work. I can only use "Equals Any", which is too broad for our use.