4.3 Query String Filtering

Previous4.2 User Agent Filtering Next4.4 HTTP Header Filtering

Last updated 9 days ago

4.3 Query String Filtering

📖 Overview

The Query String Filtering module enables you to control and sanitize the query parameters (GET variables) attached to incoming requests.

By defining allowed or blocked query strings on a per-path basis, you can protect sensitive endpoints, APIs, and web forms against tampering, injection, or unexpected behavior.

This adds a powerful application-layer control that complements WAF rules and general request validations.

🎯 Purpose

Allow only expected parameters on specific pages.
Block unexpected or malicious parameters.
Remove untrusted query parameters automatically.
Harden API endpoints, authentication flows, and payment pages.

✅ How It Works

You define rules specifying:

Target Page Path: (e.g., /login, /api/user/info, /checkout)
Allowed Query Keys: (e.g., email, token, id)

When a request is made:

Only the listed keys are allowed.
Any additional parameters are either removed or blocked based on configuration.

📋 Example

Allowed Keys for /login

email
redirect_uri

Incoming Request:

/login?email=user@example.com&admin=true

Behavior:

admin=true is removed or causes a block, depending on rule setting.

🛠️ Configuration Options

Allow Only These Keys: Block or strip any parameter not explicitly listed.
Action Mode:
- Remove unauthorized arguments silently
- Block the request if unauthorized arguments are detected
Multiple Rules: Create multiple rules for different paths.

🚀 Use Cases

Scenario

Benefit

Protect login and signup endpoints

Prevent parameter injection

Secure API requests

Enforce strict parameter structure

Harden payment callbacks

Only allow signed, expected arguments

Reduce attack surface

Disallow noisy or unnecessary parameters

🧠 Best Practices

Whitelist only absolutely necessary parameters.
Avoid allowing “debug”, “test”, or unused parameters on production systems.
Combine Query String Filtering with WAF to maximize protection.
Review URL patterns regularly as your application evolves.

⚙️ How to Add a Query String Filter

Go to Security Rules > Query String Filtering.
Click Add New Rule.
Enter the Page Path.
Define all allowed query keys.
Choose the action (Remove unauthorized / Block unauthorized).
Save the rule.

🛡️ The rule will be active immediately for all matching requests.

⚡ Important Notes

Query filtering happens before request routing to backend servers.
Filtering is case-sensitive for parameter names.
Be cautious on dynamic URLs where parameters may vary unexpectedly.

🎯 By enforcing strict query string structures, you prevent misuse, abuse, and accidental exposure of your application's internal logic.

Previous4.2 User Agent Filtering Next4.4 HTTP Header Filtering

Last updated 9 days ago

📖 Overview

The Query String Filtering module enables you to control and sanitize the query parameters (GET variables) attached to incoming requests.

By defining allowed or blocked query strings on a per-path basis, you can protect sensitive endpoints, APIs, and web forms against tampering, injection, or unexpected behavior.

This adds a powerful application-layer control that complements WAF rules and general request validations.

🎯 Purpose

Allow only expected parameters on specific pages.
Block unexpected or malicious parameters.
Remove untrusted query parameters automatically.
Harden API endpoints, authentication flows, and payment pages.

✅ How It Works

You define rules specifying:

Target Page Path: (e.g., /login, /api/user/info, /checkout)
Allowed Query Keys: (e.g., email, token, id)

When a request is made:

Only the listed keys are allowed.
Any additional parameters are either removed or blocked based on configuration.

📋 Example

Allowed Keys for /login

email
redirect_uri

Incoming Request:

/login?email=user@example.com&admin=true

Behavior:

admin=true is removed or causes a block, depending on rule setting.

🛠️ Configuration Options

Allow Only These Keys: Block or strip any parameter not explicitly listed.
Action Mode:
- Remove unauthorized arguments silently
- Block the request if unauthorized arguments are detected
Multiple Rules: Create multiple rules for different paths.

🚀 Use Cases

Scenario

Benefit

Protect login and signup endpoints

Prevent parameter injection

Secure API requests

Enforce strict parameter structure

Harden payment callbacks

Only allow signed, expected arguments

Reduce attack surface

Disallow noisy or unnecessary parameters

🧠 Best Practices

Whitelist only absolutely necessary parameters.
Avoid allowing “debug”, “test”, or unused parameters on production systems.
Combine Query String Filtering with WAF to maximize protection.
Review URL patterns regularly as your application evolves.

⚙️ How to Add a Query String Filter

Go to Security Rules > Query String Filtering.
Click Add New Rule.
Enter the Page Path.
Define all allowed query keys.
Choose the action (Remove unauthorized / Block unauthorized).
Save the rule.

🛡️ The rule will be active immediately for all matching requests.

⚡ Important Notes

Query filtering happens before request routing to backend servers.
Filtering is case-sensitive for parameter names.
Be cautious on dynamic URLs where parameters may vary unexpectedly.

🎯 By enforcing strict query string structures, you prevent misuse, abuse, and accidental exposure of your application's internal logic.