
Web Application Firewall: Custom responses

Last Updated: Mar 31, 2026

For prompt attack protection and Content Moderation, you can customize the response that is sent to a client when you set the rule action to Block. Custom responses let you replace the default block page with a block page you control — including the HTTP status code, response headers, and response body.

Prerequisites

Before you begin, ensure that you have:

How it works

When WAF blocks a request, it returns a block response to the client. Without a custom response configured, WAF returns the default block page with a 405 status code.

Default WAF block response page

A custom response overrides this default and lets you control the Status Code, Custom Header, and Response Body of the block response.

Create a custom response

  1. Log on to the WAF 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for your WAF instance.

  2. In the navigation pane, choose Protection Configuration > AI Application Protection. On the Custom Response page, click Create.

  3. In the Create panel, configure the following parameters and click OK.

    Parameter | Description
    Name | A name for the custom response.
    Status Code | The HTTP status code returned to the client when a request is blocked. Valid range: 200–600. Default: 405. Important: Do not use 204 or 304. WAF falls back to the default 405 block response if you do.
    Custom Header | Response header fields to include in the block response. Each field has a Header Name and a Header Value. Add up to 10 header fields. To specify the format of the response body, add a content-type header field.
    Response Body | The source code for the block response page. Supported formats: HTML and JSON. Maximum size: 4,000 characters. To include the request ID on the page, add {::trace_id::} at the appropriate location in the body. The request ID lets you look up the blocked request in Simple Log Service.
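A pre-flight check for the values entered in step 3, as an added example that is not part of the original documentation or of the WAF product. The function name `lint_custom_response`, the tuple layout and the sample values are assumptions for illustration; the limits are the ones stated in the parameter table, and the JSON check assumes the `{::trace_id::}` placeholder should sit inside a quoted string so the body parses as JSON.

```python
import json

TRACE_PLACEHOLDER = "{::trace_id::}"  # request-ID placeholder documented on this page
MAX_HEADERS = 10
MAX_BODY_CHARS = 4000
FALLBACK_CODES = {204, 304}           # WAF reverts to the default 405 response for these


def lint_custom_response(status_code, headers, body):
    """Return a list of problems in a planned custom block response.

    headers is a list of (name, value) tuples; body is the response body text.
    (Hypothetical helper, not a WAF API.)
    """
    problems = []
    if not 200 <= status_code <= 600:
        problems.append("status code outside 200-600")
    elif status_code in FALLBACK_CODES:
        problems.append("status code 204/304 falls back to the default 405 response")
    if len(headers) > MAX_HEADERS:
        problems.append("more than 10 header fields")
    if len(body) > MAX_BODY_CHARS:
        problems.append("body longer than 4,000 characters")
    if TRACE_PLACEHOLDER not in body:
        problems.append("advisory: no {::trace_id::}, so the block page carries no request ID")

    content_types = [v.lower() for n, v in headers if n.lower() == "content-type"]
    if not content_types:
        problems.append("no content-type header to declare the body format")
    elif "json" in content_types[0]:
        try:
            json.loads(body)  # placeholder must be inside a quoted JSON string
        except ValueError:
            problems.append("content-type is JSON but body does not parse as JSON")
    elif "html" not in content_types[0]:
        problems.append("content-type is neither HTML nor JSON")
    return problems


# Constructed sample inputs (not taken from a real deployment).
GOOD = (403, [("content-type", "application/json")],
        '{"error": "request_blocked", "request_id": "{::trace_id::}"}')
BAD = (204, [("content-type", "application/json")],
       '{"error": "request_blocked", "request_id": {::trace_id::}}')

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, lint_custom_response(*cfg))
```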

Manage custom responses

On the Custom Response page, view each rule's Rule ID, Rule Name, and Status Code. To modify or remove a rule, click Edit or Delete.