Posted On: Jun 21, 2022

AWS WAF now supports evaluating multiple headers in the HTTP request, without the need to specify each header individually in AWS WAF rules. You can also use this new capability to inspect all cookies in the HTTP request, without the need to specify each cookie in WAF rules. This capability helps you protect your applications or API endpoints from attacks that try to exploit a custom header or cookie, or a common header for which you may not have created a WAF rule. You can also narrow the inspection to a list of included headers, or to everything except a list of excluded headers, and match on only the names (keys) or only the values of the headers or cookies you inspect.

For HTTP requests that may include more headers than WAF can inspect (WAF inspects up to the first 8 KB and up to the first 200 headers, and the same limits apply to cookies), you can provide oversize handling instructions when you define your rule statement. Oversize handling tells WAF what to do with a web request when the number or size of request headers or cookies exceeds those limits. With oversize handling, you can choose whether to continue inspecting the portion WAF received, or to skip inspection and treat the request as matching or as not matching the WAF rule. Note that for a rule whose action is Block, treating oversize requests as not matching fails open: a request that carries its payload beyond the inspected portion is not blocked by that rule, so treat oversize requests as matching where you need the rule to fail closed. For more information about handling oversize content, see oversize request component handling documentation.
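As an added illustration (not code from the AWS announcement or the AWS WAF service itself), the following Python builds wafv2 rule statements in the JSON shape the AWS WAF API and CLI accept for the Headers and Cookies request components (MatchPattern with All, IncludedHeaders/ExcludedHeaders or IncludedCookies/ExcludedCookies; MatchScope of ALL, KEY or VALUE; OversizeHandling of CONTINUE, MATCH or NO_MATCH), and lints the oversize-handling choice described above. The rule names, the session cookie name and the excluded header names are assumptions made up for the example; the lint handles rules with a single top-level match statement.

```python
"""Build AWS WAF (wafv2) rules that inspect all headers or cookies, and lint
their oversize handling. Example code; the rule and cookie names are
assumptions, not values from AWS documentation."""
import json

VALID_SCOPES = {"ALL", "KEY", "VALUE"}
VALID_OVERSIZE = {"CONTINUE", "MATCH", "NO_MATCH"}


def _component(kind, match_scope, oversize, included, excluded):
    """Shared shape for the Headers / Cookies FieldToMatch components."""
    if match_scope not in VALID_SCOPES or oversize not in VALID_OVERSIZE:
        raise ValueError("invalid MatchScope or OversizeHandling")
    if included and excluded:
        raise ValueError("use either an include list or an exclude list")
    if included:
        pattern = {"Included" + kind: list(included)}
    elif excluded:
        pattern = {"Excluded" + kind: list(excluded)}
    else:
        pattern = {"All": {}}          # inspect every header / cookie
    return {kind: {"MatchPattern": pattern,
                   "MatchScope": match_scope,
                   "OversizeHandling": oversize}}


def headers_field(match_scope="VALUE", oversize="MATCH",
                  included=None, excluded=None):
    """FieldToMatch covering all headers, or an include/exclude list."""
    return _component("Headers", match_scope, oversize, included, excluded)


def cookies_field(match_scope="VALUE", oversize="MATCH",
                  included=None, excluded=None):
    """FieldToMatch covering all cookies, or an include/exclude list."""
    return _component("Cookies", match_scope, oversize, included, excluded)


def sqli_rule(name, priority, field_to_match, action="Block"):
    """A rule that runs the SQLi match statement over the given component."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "SqliMatchStatement": {
                "FieldToMatch": field_to_match,
                # decode before matching so encoded payloads are still seen
                "TextTransformations": [
                    {"Priority": 0, "Type": "URL_DECODE"},
                    {"Priority": 1, "Type": "HTML_ENTITY_DECODE"},
                ],
            }
        },
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def oversize_warnings(rule):
    """Flag a Block rule whose header/cookie inspection fails open.

    With NO_MATCH, a request whose headers or cookies exceed what WAF
    inspects is treated as not matching, so padding the request until the
    payload falls outside the inspected portion sidesteps the rule.
    MATCH makes the rule fail closed instead."""
    found = []
    for statement in rule["Statement"].values():
        field = statement.get("FieldToMatch", {})
        for comp in ("Headers", "Cookies"):
            if comp not in field:
                continue
            handling = field[comp]["OversizeHandling"]
            if "Block" in rule["Action"] and handling == "NO_MATCH":
                found.append(f"{rule['Name']}: Block rule on {comp} uses "
                             "NO_MATCH and fails open on oversize requests")
    return found


if __name__ == "__main__":
    # Fail-closed rule over every header value, ready for `aws wafv2`.
    strict = sqli_rule("BlockSqliInAnyHeader", 0, headers_field())
    # Same idea for cookies, skipping the (assumed) session cookie name,
    # but with the fail-open setting so the lint has something to report.
    weak = sqli_rule("BlockSqliInCookies", 1,
                     cookies_field(excluded=["session"], oversize="NO_MATCH"))
    print(json.dumps(strict, indent=2))
    for warning in oversize_warnings(strict) + oversize_warnings(weak):
        print("WARNING:", warning)
```

The printed rule can be dropped into the Rules list of a web ACL or rule group with the AWS CLI; the lint is the check to run over your own rule JSON before you deploy, since the console accepts NO_MATCH on a Block rule without comment.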

There is no additional cost for matching against all headers or all cookies, but standard service charges for AWS WAF still apply. These features are available in all AWS WAF regions and for each supported service, including Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync. For the full list of supported request component options, see the AWS WAF developer guide.