Enhanced Protection Handler
Purpose
This handler is currently in PREVIEW. It is disabled by default and must be manually enabled.
For more information regarding adding and editing Handlers, see Editing Handlers.
Severity
Events triggered by this handler are reported with High severity.
(For details on severity levels, see Severity of Events Triggered by Handlers).
Recommendations for use
The Enhanced Protection Handler provides a deep inspection layer that covers attack categories not addressed by the Baseline Protection Handler alone. It examines request URIs, arguments, headers and, when request body inspection is enabled, the body of the request.
It is recommended to run the handler with the rule engine set to DetectionOnly initially. This allows you to review the log files and confirm that no valid requests are being flagged before switching the rule engine to On.
You can exclude specific paths, IP addresses, or URI patterns from inspection if required, for example to prevent false positives for trusted internal services or known-safe upload endpoints.
The order in which handlers are executed depends on the sequence in which the handlers are listed on the tabs Global Handlers / Handler Templates / Handlers of the administration interface. Handlers listed on top are always executed first. The order is fixed and cannot be changed.
Interaction with other handlers
The Enhanced Protection Handler operates independently and does not share state with other handlers. It does not inherit exclusions from the Whitelist Handler; exclusions must be configured directly within this handler using the excluded paths, excluded IP addresses, and excluded URIs attributes.
Requests that have already been denied by a handler earlier in the execution sequence are not passed to the Enhanced Protection Handler.
Attributes
| Attribute | Meaning |
|---|---|
| protection engine | Enables or disables the protection engine. If disabled, no inspection occurs and all requests pass through unfiltered. |
| rule engine | Controls the operating mode of the protection engine. On: requests that match an attack pattern are denied. DetectionOnly: matching requests are logged but not blocked; useful for testing and tuning. Off: all rule evaluation is skipped. |
| request body inspection | When enabled, the handler inspects the body of incoming requests in addition to URIs, arguments, and headers. This setting is recommended for applications that accept POST data or file uploads. Disabling this option can improve performance but reduces inspection coverage. |
| excluded paths | A list of URL path prefixes to be excluded from inspection. Requests with URIs that start with any of the specified paths are passed through without inspection. This option can be used to exclude known-safe paths, such as health check endpoints. |
| excluded IP addresses | A list of client IP addresses that are excluded from inspection. Requests originating from any of the specified IP addresses are passed through without inspection. Use this option to exclude trusted internal clients or monitoring systems. |
| excluded URIs | A list of regular expression patterns used to exclude requests from inspection. Requests with URIs matching any of these patterns are not inspected. If a pattern is invalid, vWAF logs a warning and ignores the entry. |
Attack categories
The handler inspects requests for the following attack categories:
| Category | Description |
|---|---|
| SQL Injection | Detects attempts to manipulate database queries through user-supplied input, including UNION-based, boolean-based, and time-based SQL injection techniques. |
| Cross-Site Scripting (XSS) | Detects attempts to inject client-side scripts into requests, such as inline script tags, event handler attributes, and JavaScript URI schemes. |
| Remote Code Execution (RCE) | Detects attempts to execute arbitrary operating system commands via user-supplied input, including shell command injection and the use of dangerous function calls. |
| Local File Inclusion (LFI) | Detects attempts to access local files on the server by manipulating paths, such as using directory traversal sequences or file URI schemes. |
| Remote File Inclusion (RFI) | Detects attempts to include remote resources by supplying external URLs as file or include parameters. |
| Path Traversal | Detects attempts to navigate outside the intended directory structure using ../ sequences, including URL-encoded variants. |
| Protocol Anomalies | Detects malformed or non-compliant HTTP requests, including null byte injection, HTTP response splitting, duplicate Content-Length headers, the presence of a Content-Length header on GET or HEAD requests, a missing Host header, and the use of dangerous HTTP methods such as TRACE or CONNECT. |
| Scanner and Bot Detection | Detects requests originating from known web vulnerability scanners and automated attack tools, as identified by their User-Agent strings. |
Log entries
If the rule engine is set to On and a request is denied, vWAF creates a log entry containing the matched attack category, the affected request component (such as URI, argument, or header), the anomaly score, and the HTTP error code returned to the client.
If the rule engine is set to DetectionOnly, vWAF creates a log entry but does not deny the request.
For more information about log entries generated by this handler, see the relevant section in Entries in Application-Specific Log Files.
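The exclusion attributes, the rule engine modes and the Protocol Anomalies checks described above, as an added Python example that is not part of vWAF or its documentation. The Config class, the invalid-pattern handling, the header list shape and the log entry fields are assumptions made for this illustration, modelled on the behaviour the page describes.

```python
import logging
import re
from dataclasses import dataclass, field

@dataclass
class Config:                      # hypothetical mirror of the handler's attributes
    protection_engine: bool = True
    rule_engine: str = "DetectionOnly"   # "On", "DetectionOnly" or "Off"
    excluded_paths: list = field(default_factory=list)
    excluded_ips: list = field(default_factory=list)
    excluded_uris: list = field(default_factory=list)

def compile_patterns(patterns):
    out = []
    for p in patterns:
        try:
            out.append(re.compile(p))
        except re.error as exc:      # documented behaviour: warn and ignore the entry
            logging.warning("ignoring invalid excluded URI pattern %r: %s", p, exc)
    return out

def is_excluded(cfg, client_ip, uri):
    path = uri.split("?", 1)[0]      # path prefixes are matched without the query string
    return (any(path.startswith(p) for p in cfg.excluded_paths)
            or client_ip in cfg.excluded_ips
            or any(rx.search(uri) for rx in compile_patterns(cfg.excluded_uris)))

def protocol_anomalies(method, uri, headers):
    names = [n.lower() for n, _ in headers]   # (name, value) pairs keep duplicates visible
    found = []
    if method in ("TRACE", "CONNECT"):
        found.append(("dangerous HTTP method", "method"))
    if "host" not in names:
        found.append(("missing Host header", "header"))
    if names.count("content-length") > 1:
        found.append(("duplicate Content-Length", "header"))
    elif "content-length" in names and method in ("GET", "HEAD"):
        found.append(("Content-Length on GET/HEAD", "header"))
    if "\x00" in uri or "%00" in uri.lower():
        found.append(("null byte", "URI"))
    return found

def evaluate(cfg, client_ip, method, uri, headers):   # -> (action, log_entries)
    if not cfg.protection_engine or cfg.rule_engine == "Off" or is_excluded(cfg, client_ip, uri):
        return "pass", []            # nothing is inspected, so nothing is logged
    entries = [{"category": "Protocol Anomalies", "detail": d, "component": c}
               for d, c in protocol_anomalies(method, uri, headers)]
    if not entries or cfg.rule_engine == "DetectionOnly":
        return "pass", entries       # DetectionOnly: logged but not denied
    return "deny", entries
```

Excluded requests return no log entries at all, which is the behaviour to keep in mind when tuning with DetectionOnly: a path or IP exclusion hides findings rather than downgrading them.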