Managed rules are intelligent built-in ESA protection rules that defend against OWASP attacks and the latest origin server vulnerabilities, including SQL injection, XSS, code execution, CRLF, remote file inclusion, and WebShell. Enable protection without manual rule configuration or updates.
Enable managed rules
Enable a rule set to protect your site with a single click.
-
In the ESA console, select Site Management, and in the Website column, click the target site.
-
On the site details page, navigate to Security > WAF > Managed Rules.
-
On the Managed Rules tab, in the Recommended Ruleset section, enable the Managed Ruleset to protect your entire site from common web attacks and vulnerabilities.
Edit a managed rule set
After enabling the Recommended Ruleset, you can edit its configuration.
-
In the ESA console, navigate to Site Management and click the target site in the Website column.
-
On the site details page, navigate to Security > WAF > Managed Rules, and click Edit. For Apply to, select All Requests or Filtered Requests. Custom rules follow the Rule expression structure.
-
Select a protection level (Intelligent rate limiting protection levels) and an action (Actions), then click OK.

Delete a managed rule set
After enabling the Recommended Ruleset, you can disable or delete it.
-
In the ESA console, navigate to Site Management and click the target site in the Website column.
-
On the site details page, navigate to Security > WAF > Managed Rules, and click Delete.
Availability by plan
The Entrance plan supports only 27 default basic protection rules and does not cover XSS, SQL injection, CSRF, RFI, protocol violation, WebShell, path traversal, deserialization, or expression injection.
|
Feature |
Entrance |
Pro |
Premium |
Enterprise |
|
Managed rules |
Supports basic rules |
Supports all rules |
Supports all rules |
Supports all rules |
Complete rule list
|
Rule |
Description |
|
Basic Protection Rules |
Defends against zero-day vulnerabilities and common attacks such as Log4j exploits. |
|
SQL Injection |
Inserts malicious SQL into input fields to execute unauthorized database queries, potentially leaking, deleting, or modifying data. |
|
Cross-site Scripting |
Injects malicious scripts into web pages that execute in a user's browser to steal cookies or plant malicious code. Categorized as reflected, stored, or DOM-based. |
|
Code Execution |
Executes arbitrary code on a target system by exploiting vulnerabilities, uploading malicious files, or injecting code. |
|
CRLF Injection |
Inserts extra headers into HTTP responses by manipulating the response structure, potentially enabling XSS or HTTP response splitting. |
|
Local File Inclusion |
Exploits application vulnerabilities to load local server files via malicious paths, potentially disclosing sensitive information or enabling code execution. |
|
Remote File Inclusion |
Makes an application include a remote malicious file via an external URL, potentially leading to code execution. |
|
WebShell |
A web-based backdoor uploaded to a compromised server that allows attackers to execute commands and manage files through a web interface. |
|
OS Command Injection |
Embeds malicious OS commands in an application for server-side execution. |
|
Expression Injection |
Embeds malicious expressions that the server executes to perform unauthorized actions. |
|
Java Deserialization |
Deserializes a malicious Java object to execute arbitrary code on the server. |
|
PHP Deserialization |
Deserializes a malicious PHP object to execute arbitrary code on the server. |
|
SSRF |
Tricks a server into making requests to internal or external resources on the attacker's behalf. |
|
Path Traversal |
A path traversal attack injects relative path sequences, such as |
|
Arbitrary File Upload |
Uploads malicious files for server-side execution. |
|
.NET Deserialization |
Exploits insecure deserialization in .NET applications to execute arbitrary code via malicious serialized data. |
|
Scanner Behavior |
Identifies web application scanner behavior that probes for vulnerabilities by generating large volumes of requests. |
|
Business Logic Flaw |
Detects vulnerabilities in business process implementation that allow attackers to manipulate workflows for unauthorized access. These flaws often bypass traditional input validation and output encoding. |
|
Arbitrary File Read |
Reads arbitrary system files via manipulated file path parameters, potentially exposing configuration files, credentials, and personal data. |
|
Arbitrary File Download |
Downloads arbitrary system files, potentially exposing sensitive information or enabling offline analysis of system backups. |
|
XML External Entity (XXE) Injection |
Exploits XML parser processing of external entities to read system files, perform SSRF attacks, or cause denial of service. |
|
Other Rules |
Targets vulnerability attacks against specific backend systems. |