All Products
Search
Document Center

API Gateway:Request block plugin

Last Updated:Jun 22, 2026

The request-block plugin blocks HTTP requests that match specific URL, header, or body patterns, helping you prevent external access to protected resources.

Plugin type

Security protection plugin.

Configuration fields

You must configure at least one of block_urls, block_headers, or block_bodys.

Field Type Required Default Description
block_urls array of string No - URL patterns to match against request paths and query strings.
block_headers array of string No - Patterns to match against request header names and values.
block_bodys array of string No - Patterns to match against request body content.
blocked_code number No 403 HTTP status code returned to blocked requests.
blocked_message string No - Response body returned to blocked requests.
case_sensitive bool No true Specifies whether matching is case-sensitive. Set to false for case-insensitive matching.

Examples

Block requests by URL

block_urls:
- swagger.html
- foo=bar
case_sensitive: false

Blocked requests:

curl http://example.com?foo=Bar
curl http://example.com/Swagger.html

Because case_sensitive is set to false, foo=Bar matches the foo=bar rule, and Swagger.html matches the swagger.html rule.

Block requests by header

block_headers:
- example-key
- example-value

Blocked requests:

curl http://example.com -H 'example-key: 123'
curl http://example.com -H 'my-header: example-value'

The first request matches because its header name contains example-key. The second request matches because its header value contains example-value.

Block requests by body

block_bodys:
- "hello world"
case_sensitive: false

Blocked requests:

curl http://example.com -d 'Hello World'
curl http://example.com -d 'hello world'

Both requests match because case_sensitive is set to false.

Apply rules to specific routes or domains

You can define separate blocking rules for different routes and domains. Rules are evaluated in order, and the first matching rule takes effect.

The following configuration applies to the route-a and route-b routes:

block_bodys:
- "hello world"

The following configuration applies to the *.example.com and test.com domains:

block_urls:
- "swagger.html"
block_bodys:
- "hello world"
Note
  • route-a and route-b refer to routes specified when you create gateway routes. If a client request matches one of these routes, the corresponding rules take effect.

  • *.example.com and test.com match domain names in requests. If a client request matches one of these domains, the corresponding rules take effect.

  • Rules take effect in order. After the first rule matches, subsequent rules are skipped.

Request body size limit

When block_bodys is configured, body matching applies only to requests smaller than 32 MB. Requests larger than 32 MB that do not match any block_urls or block_headers rules are allowed through without being blocked.

If block_bodys is configured and the request body exceeds the DownstreamConnectionBufferLimits value configured for the gateway, the gateway returns a 413 Payload Too Large error. To increase this limit, adjust DownstreamConnectionBufferLimits on the parameter configuration page.

Warning

Increasing DownstreamConnectionBufferLimits significantly increases gateway memory usage. Adjust this value with caution.