Technical Deep Dive

WAF Best Practices: Rule Configuration and False Positive Optimization

Practical experience in WAF rule configuration, covering OWASP Top 10 protection rules, custom rule writing techniques, and how to effectively reduce false positive rates.

WAF Fundamentals

A Web Application Firewall (WAF) analyzes HTTP request content to identify and block malicious requests, protecting web applications from common attacks. Positioned before web applications, a WAF performs deep inspection on all inbound traffic and is a core component of the application security protection system.

Core Value of WAF: Unlike traditional firewalls, WAF operates at the application layer (OSI Layer 7), capable of understanding HTTP protocol semantics and detecting malicious content hidden within normal requests. It is the first line of defense against application-layer attacks such as SQL injection, XSS, and command injection.

OWASP Top 10 Protection Rules

SQL Injection Protection

SQL injection is one of the most common and destructive web attacks. Attackers insert malicious SQL statements into input fields to access, modify, or delete data in databases.

nginx.conf
# Example: Detecting common SQL injection patterns
SecRule ARGS "@detectSQLi" \
  "id:1001,phase:2,deny,status:403,\
  msg:'SQL Injection Detected',\
  severity:CRITICAL"

SQL injection protection should not rely solely on WAF rules. Best practice is to simultaneously use parameterized queries (Prepared Statements) to eliminate injection risk at the source. WAF serves as a supplementary layer in defense-in-depth.

XSS Cross-Site Scripting Protection

XSS attacks inject malicious scripts into web pages to steal sensitive information such as user cookies and session tokens.

waf-xss.conf
# Detect reflected and stored XSS
SecRule ARGS|REQUEST_HEADERS "@detectXSS" \
  "id:1002,phase:2,deny,status:403,\
  msg:'XSS Attack Detected',\
  severity:HIGH"
Type          | Injection Location  | Persistence    | Severity
Reflected XSS | URL parameters      | Non-persistent | Medium
Stored XSS    | Database content    | Persistent     | High
DOM-based XSS | Frontend JavaScript | Non-persistent | Medium-High

Command Injection Protection

waf-cmd.conf
# Detect operating system command injection
SecRule ARGS "@rx [;\|\`&\$\(]" \
  "id:1003,phase:2,deny,status:403,\
  msg:'Command Injection Detected'"

Note that this character class also appears in many legitimate inputs (for example `&` or `(` in free-text fields), so a pattern this broad is a typical source of false positives and should be run in the observation mode described below before it is allowed to block.

File Inclusion Attack Protection

waf-lfi.conf
# Detect Local File Inclusion (LFI)
SecRule ARGS "@rx \.\.[\\/]" \
  "id:1004,phase:2,deny,status:403,\
  msg:'Path Traversal Detected'"

False Positive Optimization Strategies

False positives are one of the most common problems in WAF deployment. Excessively high false positive rates cause normal business requests to be blocked, severely impacting user experience.

Layered Validation Strategy

Whitelist Rules First

Known legitimate request patterns should be allowed first. For example, specific parameter formats for API interfaces, legitimate operations for admin backends, etc. Whitelist rules should be set with the highest priority.

Confidence Scoring

Set a confidence score (1-10) for each WAF rule, only executing blocking actions for high-confidence matches, while low-confidence matches are logged but not blocked.

Log Analysis Mode

When new rules go live, it is recommended to run them in "observation mode" for 1-2 weeks first, collecting match logs for analysis and confirming no false positives before switching to "blocking mode."

Continuous Tuning

Regularly review WAF logs, analyze whether blocked requests are false positives, and continuously optimize rules based on analysis results, forming a virtuous cycle of "deploy-observe-tune."
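The layered strategy above (whitelist first, confidence scoring, observation mode before blocking) expressed as one ModSecurity rule set. This is an added example, not configuration from the original page or from Hiddos; the /api/reports endpoint, its filter parameter and the score values are hypothetical.

```apache
# Observation mode: every rule is evaluated and logged, nothing is blocked.
# Switch to "On" once the review period shows no false positives.
SecRuleEngine DetectionOnly

# Initialise the per-request confidence score (phase 1 runs first).
SecAction "id:9000,phase:1,pass,nolog,setvar:tx.confidence=0"

# 1. Whitelist first. The hypothetical /api/reports endpoint legitimately
#    sends SQL-like text in its 'filter' parameter, so exclude only that
#    argument from rule 1001 on that path instead of disabling the rule.
SecRule REQUEST_URI "@beginsWith /api/reports" \
  "id:9001,phase:1,pass,nolog,\
  ctl:ruleRemoveTargetById=1001;ARGS:filter"

# 2. Confidence scoring: detection rules add to the score instead of
#    denying. A strong signal (libinjection) scores 5, a noisy regex 2.
SecRule ARGS "@detectSQLi" \
  "id:1001,phase:2,pass,log,\
  msg:'SQL Injection Detected',\
  setvar:'tx.confidence=+5'"

SecRule ARGS "@rx [;\|\`&\$\(]" \
  "id:1003,phase:2,pass,log,\
  msg:'Command Injection Detected',\
  setvar:'tx.confidence=+2'"

# 3. Single enforcement point: block only when accumulated confidence
#    reaches the threshold. Low-confidence matches are logged, not blocked.
SecRule TX:CONFIDENCE "@ge 5" \
  "id:9999,phase:2,deny,status:403,log,\
  msg:'Request blocked, confidence %{tx.confidence}'"
```

With SecRuleEngine set to DetectionOnly, rule 9999 writes "Access denied" entries to the audit log without actually denying, which is the data to review before flipping the engine to On.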

Custom Rule Writing

Recommendation: When writing custom rules, validate them in a test environment first to ensure they do not affect normal business traffic. Use the "Simulation Mode" in the Hiddos console to test rule effects without blocking requests.

Hiddos WAF Solution

The Hiddos platform includes enterprise-grade WAF capabilities, with pre-built protection rule sets covering the OWASP Top 10, continuously updated to address new attacks.

Intelligent Rule Engine

An AI-based rule matching engine supporting regular expressions, semantic analysis, and behavioral detection. Pre-loaded with 2,000+ protection rules covering common attacks including SQL injection, XSS, and command injection.

False Positive Self-Learning

Built-in false positive self-learning mechanism that automatically optimizes rule confidence scores based on user feedback, continuously reducing false positive rates.

Virtual Patching

Automatically generates virtual patch rules within 24 hours for publicly disclosed web application vulnerabilities, providing temporary protection before official patches are released.

Hiddos WAF provides one-click deployment capability, adding security protection to your web applications without code modifications. Log in to the console and enable it in "Protection Configuration > WAF."
