Cloud Armor preconfigured WAF rules overview Stay organized with collections Save and categorize content based on your preferences.
Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Each signature corresponds to an attack detection rule in the ruleset. Google offers these rules as is. The rules let Cloud Armor evaluate dozens of distinct traffic signatures by referring to conveniently named rules rather than requiring you to define each signature manually.
The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Cloud Armor security policy. The rule sources are OWASP Core Rule Set (CRS) 3.3.2. We recommend that you use version 3.3 for increased sensitivity and for an increased breadth of protected attack types. Support for CRS 3.0 is ongoing.
CRS 3.3
Cloud Armor rule name
OWASP rule name
Current status
SQL injection
sqli-v33-stable
In sync with sqli-v33-canary
sqli-v33-canary
Latest
Cross-site scripting
xss-v33-stable
In sync with xss-v33-canary
xss-v33-canary
Latest
Local file inclusion
lfi-v33-stable
In sync with lfi-v33-canary
lfi-v33-canary
Latest
Remote file inclusion
rfi-v33-stable
In sync with rfi-v33-canary
rfi-v33-canary
Latest
Remote code execution
rce-v33-stable
In sync with rce-v33-canary
rce-v33-canary
Latest
Method enforcement
methodenforcement-v33-stable
In sync with methodenforcement-v33-canary
methodenforcement-v33-canary
Latest
Scanner detection
scannerdetection-v33-stable
In sync with scannerdetection-v33-canary
scannerdetection-v33-canary
Latest
Protocol attack
protocolattack-v33-stable
In sync with protocolattack-v33-canary
protocolattack-v33-canary
Latest
PHP injection attack
php-v33-stable
In sync with php-v33-canary
php-v33-canary
Latest
Session fixation attack
sessionfixation-v33-stable
In sync with sessionfixation-v33-canary
sessionfixation-v33-canary
Latest
Java attack
java-v33-stable
In sync with java-v33-canary
java-v33-canary
Latest
NodeJS attack
nodejs-v33-stable
In sync with nodejs-v33-canary
nodejs-v33-canary
Latest
CRS 3.0
Cloud Armor rule name
OWASP rule name
Current status
SQL injection
sqli-stable
In sync with sqli-canary
sqli-canary
Latest
Cross-site scripting
xss-stable
In sync with xss-canary
xss-canary
Latest
Local file inclusion
lfi-stable
In sync with lfi-canary
lfi-canary
Latest
Remote file inclusion
rfi-stable
In sync with rfi-canary
rfi-canary
Latest
Remote code execution
rce-stable
In sync with rce-canary
rce-canary
Latest
Method enforcement
methodenforcement-stable
In sync with methodenforcement-canary
methodenforcement-canary
Latest
Scanner detection
scannerdetection-stable
In sync with scannerdetection-canary
scannerdetection-canary
Latest
Protocol attack
protocolattack-stable
In sync with protocolattack-canary
protocolattack-canary
Latest
PHP injection attack
php-stable
In sync with php-canary
php-canary
Latest
Session fixation attack
sessionfixation-stable
In sync with sessionfixation-canary
sessionfixation-canary
Latest
Java attack
Not included
NodeJS attack
Not included
In addition, the following cve-canary rules are available to all Cloud Armor customers to help detect and optionally block the following vulnerabilities:
CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
942550-sqli JSON-formatted content vulnerability
Cloud Armor rule name
Covered vulnerability types
cve-canary
Log4j vulnerability
json-sqli-canary
JSON-based SQL injection bypass vulnerability
Preconfigured OWASP rules
Each preconfigured WAF rule has a sensitivity level that corresponds to a OWASP CRS paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and description of each supported signature in the SQLi preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id942100-sqli
1
SQL Injection Attack Detected via libinjection
owasp-crs-v030301-id942140-sqli
1
SQL injection attack: Common DB Names Detected
owasp-crs-v030301-id942160-sqli
1
Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030301-id942170-sqli
1
Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030301-id942190-sqli
1
Detects MSSQL code execution and information gathering attempts
owasp-crs-v030301-id942220-sqli
1
Looks for integer overflow attacks
owasp-crs-v030301-id942230-sqli
1
Detects conditional SQL injection attempts
owasp-crs-v030301-id942240-sqli
1
Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030301-id942250-sqli
1
Detects MATCH AGAINST
owasp-crs-v030301-id942270-sqli
1
Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030301-id942280-sqli
1
Detects Postgres pg_sleep injection
owasp-crs-v030301-id942290-sqli
1
Finds basic MongoDB SQL injection attempts
owasp-crs-v030301-id942320-sqli
1
Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030301-id942350-sqli
1
Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030301-id942360-sqli
1
Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030301-id942500-sqli
1
MySQL in-line comment detected
owasp-crs-v030301-id942110-sqli
2
SQL injection attack: Common Injection Testing Detected
Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli
4
Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030001-id941320-xss
2
Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030001-id941330-xss
2
IE XSS Filters - Attack Detected
owasp-crs-v030001-id941340-xss
2
IE XSS Filters - Attack Detected
Not included
2
AngularJS client side template injection detected
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the LFI preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id930100-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030301-id930110-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030301-id930120-lfi
1
OS File Access Attempt
owasp-crs-v030301-id930130-lfi
1
Restricted File Access Attempt
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id930100-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi
1
OS File Access Attempt
owasp-crs-v030001-id930130-lfi
1
Restricted File Access Attempt
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:
The following table provides the signature ID, sensitivity level, and description of each supported signature in the RFI preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id931100-rfi
1
URL Parameter using IP Address
owasp-crs-v030301-id931110-rfi
1
Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030301-id931120-rfi
1
URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030301-id931130-rfi
2
Off-Domain Reference/Link
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id931100-rfi
1
URL Parameter using IP Address
owasp-crs-v030001-id931110-rfi
1
Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030001-id931120-rfi
1
URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030001-id931130-rfi
2
Off-Domain Reference/Link
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id911100-methodenforcement
1
Method is not allowed by policy
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id911100-methodenforcement
1
Method is not allowed by policy
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id913100-scannerdetection
1
Found User-Agent associated with security scanner
owasp-crs-v030301-id913110-scannerdetection
1
Found request header associated with security scanner
owasp-crs-v030301-id913120-scannerdetection
1
Found request filename/argument associated with security scanner
owasp-crs-v030301-id913101-scannerdetection
2
Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030301-id913102-scannerdetection
2
Found User-Agent associated with web crawler/bot
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id913100-scannerdetection
1
Found User-Agent associated with security scanner
owasp-crs-v030001-id913110-scannerdetection
1
Found request header associated with security scanner
owasp-crs-v030001-id913120-scannerdetection
1
Found request filename/argument associated with security scanner
owasp-crs-v030001-id913101-scannerdetection
2
Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030001-id913102-scannerdetection
2
Found User-Agent associated with web crawler/bot
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
Not included
1
HTTP Request Smuggling Attack
owasp-crs-v030301-id921110-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030301-id921120-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030301-id921130-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030301-id921140-protocolattack
1
HTTP Header Injection Attack via headers
owasp-crs-v030301-id921150-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921160-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF and header-name detected)
owasp-crs-v030301-id921190-protocolattack
1
HTTP Splitting (CR/LF in request filename detected)
owasp-crs-v030301-id921200-protocolattack
1
LDAP Injection Attack
owasp-crs-v030301-id921151-protocolattack
2
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921170-protocolattack
3
HTTP Parameter Pollution
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id921100-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030001-id921110-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030001-id921120-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030001-id921130-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030001-id921140-protocolattack
1
HTTP Header Injection Attack via headers
owasp-crs-v030001-id921150-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921160-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF and header-name detected)
Not included
1
HTTP Splitting (CR/LF in request filename detected)
Not included
1
LDAP Injection Attack
owasp-crs-v030001-id921151-protocolattack
2
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921170-protocolattack
3
HTTP Parameter Pollution
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the PHP preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id933100-php
1
PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030301-id933110-php
1
PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933120-php
1
PHP Injection Attack: Configuration Directive Found
owasp-crs-v030301-id933130-php
1
PHP Injection Attack: Variables Found
owasp-crs-v030301-id933140-php
1
PHP Injection Attack: I/O Stream Found
owasp-crs-v030301-id933200-php
1
PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030301-id933150-php
1
PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030301-id933160-php
1
PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030301-id933170-php
1
PHP Injection Attack: Serialized Object Injection
owasp-crs-v030301-id933180-php
1
PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933210-php
1
PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933151-php
2
PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030301-id933131-php
3
PHP Injection Attack: Variables Found
owasp-crs-v030301-id933161-php
3
PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030301-id933111-php
3
PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933190-php
3
PHP Injection Attack: PHP Closing Tag Found
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id933100-php
1
PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030001-id933110-php
1
PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030001-id933120-php
1
PHP Injection Attack: Configuration Directive Found
owasp-crs-v030001-id933130-php
1
PHP Injection Attack: Variables Found
owasp-crs-v030001-id933140-php
1
PHP Injection Attack: I/O Stream Found
Not included
1
PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030001-id933150-php
1
PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030001-id933160-php
1
PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030001-id933170-php
1
PHP Injection Attack: Serialized Object Injection
owasp-crs-v030001-id933180-php
1
PHP Injection Attack: Variable Function Call Found
Not included
1
PHP Injection Attack: Variable Function Call Found
owasp-crs-v030001-id933151-php
2
PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030001-id933131-php
3
PHP Injection Attack: Variables Found
owasp-crs-v030001-id933161-php
3
PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030001-id933111-php
3
PHP Injection Attack: PHP Script File Upload Found
Not included
3
PHP Injection Attack: PHP Closing Tag Found
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id943100-sessionfixation
1
Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030301-id943110-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030301-id943120-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with No Referer
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id943100-sessionfixation
1
Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030001-id943110-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030001-id943120-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with No Referer
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of each supported signature in the NodeJS attack preconfigured rule.
The following preconfigured WAF rule signatures are only included in CRS 3.3.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id934100-nodejs
1
Node.js Injection Attack
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
Not included
1
Node.js Injection Attack
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:
The following table provides the signature ID, sensitivity level, and description of each supported signature in the CVE Log4j RCE vulnerability preconfigured rule.
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id044228-cve
1
Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046
owasp-crs-v030001-id144228-cve
1
Google-provided enhancements to cover more bypass and obfuscation attempts
owasp-crs-v030001-id244228-cve
3
Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection
owasp-crs-v030001-id344228-cve
3
Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Cloud Armor evaluates all signatures.
The following table provides the signature ID, sensitivity level, and description of the supported signature 942550-sqli, which covers the vulnerability in which malicious attackers can bypass WAF by appending JSON syntax to SQL injection payloads.
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-id942550-sqli
2
Detects all JSON-based SQLi vectors, including SQLi signatures found in the URL
Use the following expression to deploy the signature:
We recommend that you also enable sqli-v33-stable at sensitivity level 2 to fully address JSON-based SQL injection bypasses.
Limitations
Cloud Armor preconfigured WAF rules have the following limitations:
WAF rule changes typically take several minutes to propagate.
Among the HTTP request types with a request body, Cloud Armor processes only requests with a body. Cloud Armor evaluates preconfigured rules against the first 8 KB of request body content. For more information, see Request body inspection limitation.
Cloud Armor can parse and apply preconfigured WAF rules to JSON-formatted content (including properly formatted GraphQL over HTTP requests) when JSON parsing is enabled with a matching Content-Type header value. For more information, see JSON parsing.
When you have a request field exclusion attached to a preconfigured WAF rule, you can't use the allow action. Requests matching the exception are automatically allowed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-11-24 UTC."],[],[]]
