
API Gateway: Request block plugin

Last Updated: Feb 27, 2026

The request block plugin blocks HTTP requests that match specified URLs, headers, or body content. Use it to protect website resources from external access.

Plugin type

Security protection plugin.

Configuration fields

Configure at least one of block_urls, block_headers, or block_bodys.

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| block_urls | array of string | No | - | URL patterns to match against request URLs. Matches the path and query string. |
| block_headers | array of string | No | - | Header patterns to match against request header names and values. |
| block_bodys | array of string | No | - | Body patterns to match against request body content. |
| blocked_code | number | No | 403 | HTTP status code returned when a request is blocked. |
| blocked_message | string | No | - | HTTP response body returned when a request is blocked. |
| case_sensitive | bool | No | true | Whether matching is case-sensitive. Set to false for case-insensitive matching. |

Examples

Block requests by URL

block_urls:
- swagger.html
- foo=bar
case_sensitive: false

Blocked requests:

curl http://example.com?foo=Bar
curl http://example.com/Swagger.html

Because case_sensitive is false, foo=Bar matches the foo=bar rule and Swagger.html matches the swagger.html rule.

Block requests by header

block_headers:
- example-key
- example-value

Blocked requests:

curl http://example.com -H 'example-key: 123'
curl http://example.com -H 'my-header: example-value'

The first request matches because its header name contains example-key. The second matches because its header value contains example-value.

Block requests by body

block_bodys:
- "hello world"
case_sensitive: false

Blocked requests:

curl http://example.com -d 'Hello World'
curl http://example.com -d 'hello world'

Both requests match because case_sensitive is set to false.

Apply rules to specific routes or domains

Configure separate blocking rules for different routes and domain names. Rules take effect in sequence. If the first rule matches a request, subsequent rules are ignored.

Apply the following plugin configuration to the route-a and route-b routes:

block_bodys:
- "hello world"

Apply the following plugin configuration to the *.example.com and test.com domain names:

block_urls:
- "swagger.html"
block_bodys:
- "hello world"

Note
  • route-a and route-b refer to routes specified when gateway routes are created. If a client request matches one of the routes, the corresponding rules take effect.

  • *.example.com and test.com match domain names in requests. If a client request matches one of the domain names, the corresponding rules take effect.

  • Rules take effect in sequence. If the first rule matches, subsequent rules are ignored.

Request body size limit

When block_bodys is configured, body matching applies only to requests with bodies smaller than 32 MB. Requests with bodies larger than 32 MB that do not match any block_urls or block_headers rules pass through unblocked.

If block_bodys is configured and the request body exceeds the DownstreamConnectionBufferLimits value configured for the gateway, the gateway returns a 413 Payload Too Large error. To increase this limit, adjust DownstreamConnectionBufferLimits on the parameter configuration page.

Warning

Increasing DownstreamConnectionBufferLimits significantly increases gateway memory usage. Adjust this value with caution.
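
The following added example (not part of the original documentation and not the plugin's own code) models the matching behavior described in the Examples and Request body size limit sections, so a rule set can be checked against constructed requests before it is deployed. The names BlockConfig, decide, and BODY_MATCH_LIMIT are hypothetical; substring matching for every field, the URL-then-header-then-body evaluation order, and reading 32 MB as 32 × 1024 × 1024 bytes are assumptions.

```python
# Added illustration: a model of the documented matching rules, not the plugin's code.
from dataclasses import dataclass, field

BODY_MATCH_LIMIT = 32 * 1024 * 1024  # "32 MB" from the page; binary megabytes assumed

@dataclass
class BlockConfig:
    block_urls: list = field(default_factory=list)
    block_headers: list = field(default_factory=list)
    block_bodys: list = field(default_factory=list)
    blocked_code: int = 403
    case_sensitive: bool = True

def decide(cfg, path_and_query, headers=None, body=b""):
    """Return (status, reason); status is None when the request passes through."""
    norm = (lambda s: s) if cfg.case_sensitive else str.lower

    def hit(patterns, haystacks):
        # Substring containment, as in the page's examples (assumed for all fields).
        hay = [norm(h) for h in haystacks]
        return next((p for p in patterns if any(norm(p) in h for h in hay)), None)

    # Evaluation order (URL, then headers, then body) is an assumption.
    p = hit(cfg.block_urls, [path_and_query])
    if p is not None:
        return cfg.blocked_code, f"block_urls:{p}"
    # Header rules are tested against both header names and header values.
    pairs = (headers or {}).items()
    p = hit(cfg.block_headers, [x for kv in pairs for x in kv])
    if p is not None:
        return cfg.blocked_code, f"block_headers:{p}"
    if cfg.block_bodys:
        if len(body) >= BODY_MATCH_LIMIT:
            # Documented gap: bodies at or above the limit are not inspected.
            return None, "body-not-inspected"
        p = hit(cfg.block_bodys, [body.decode("utf-8", "replace")])
        if p is not None:
            return cfg.blocked_code, f"block_bodys:{p}"
    return None, "no-match"

if __name__ == "__main__":
    cfg = BlockConfig(block_urls=["swagger.html"], block_bodys=["hello world"],
                      case_sensitive=False)
    # Constructed sample requests.
    print(decide(cfg, "/Swagger.html"))
    print(decide(cfg, "/upload", body=b"Hello World"))
    print(decide(cfg, "/upload", body=b"hello world" + b"A" * BODY_MATCH_LIMIT))
```

The third constructed request reports body-not-inspected, which is the case to review for any route that accepts large uploads and relies on block_bodys alone.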