
Cloud Armor Method Enforcement Additional HTTP Methods

The methodenforcement-v33-stable ruleset has a rule (the only one in the entire set, owasp-crs-v030301-id911100-methodenforcement) that is triggering on HTTP methods our system requires.

I found this in the online docs (https://cloud.google.com/armor/docs/waf-rules#method_enforcement):

[screenshot attachment of the Cloud Armor method-enforcement docs]

But the CRS ruleset itself allows additional methods to be added in a config file:

[screenshot attachment of the CRS configuration file]

Is this functionality not supported in Cloud Armor? If not, it seems the only solution is disabling the rule entirely.


Hi @Nathan-Scott ,

There is no official documentation stating that Cloud Armor does not support the functionality to add additional HTTP methods to the method enforcement rule within the OWASP Core Rule Set (CRS) version 3.0.2.


@Nathan-Scott wrote:

Is this functionality not supported in Cloud Armor? If not it seems only solution is disabling entirely.


We can say that if the HTTP methods required by your system are not supported by the preconfigured method enforcement rule, and you cannot modify the CRS configuration file, then disabling the rule entirely may be the only solution. You may also refer to this documentation for the explanation, as it is a limitation. So, it really is either "disable" or "enable".

You may need to set a custom WAF rule to allow those methods for specific URLs or IP addresses. You can check my example code for allowing a specific HTTP method for a specific URL:

# Rules are evaluated in ascending priority order and the first match wins, so this
# allow rule must have a lower number than the rule carrying the preconfigured WAF
# expression for it to take effect. The path attribute in the Cloud Armor rules
# language is request.path (there is no request.url.path).
gcloud compute security-policies rules create 1000 \
--security-policy my-security-policy \
--expression "request.method == 'PATCH' && request.path == '/my-api/resource'" \
--action allow

In this example, the custom WAF rule allows the PATCH method for the URL "/my-api/resource" and denies all other requests. You can adjust the expression to fit your specific requirements. 

For reference, you can check this documentation. Let me know if this helps.
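An added example for this thread (not code from the original post or from Google). It takes the other route available in the custom rules language: instead of an allow rule placed ahead of the WAF rule, which ends evaluation for matching requests and so also skips every other signature and rate limit later in the policy, it keeps a single deny rule and writes the method exclusion into that rule's own expression. The policy name "my-security-policy", priority 2000 and the method list are assumptions; the script only renders the gcloud command so it can be reviewed before it is run.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from Google).
# Assumptions: the policy name "my-security-policy", priority 2000 and the
# method list are hypothetical; nothing here calls gcloud, the command is only
# rendered so it can be reviewed before running it.

# Build a deny-rule expression that fires when the CRS method-enforcement
# signature matches AND the request method is not one of the methods we want
# to permit. HTTP method tokens are case-sensitive, so only uppercase tokens
# (plus '-') are accepted; anything else is rejected as a probable typo.
#   build_method_exclusion_expr PATCH PROPFIND
build_method_exclusion_expr() {
  excl=""
  for m in "$@"; do
    case "$m" in
      ""|*[!ABCDEFGHIJKLMNOPQRSTUVWXYZ-]*)
        echo "invalid HTTP method token: '$m'" >&2
        return 1 ;;
    esac
    excl="$excl && request.method != '$m'"
  done
  [ -n "$excl" ] || { echo "usage: build_method_exclusion_expr METHOD..." >&2; return 1; }
  # Sensitivity 1 is paranoia level 1, which is where id911100 lives.
  printf "evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})%s\n" "$excl"
}

# Render the gcloud command for one deny rule carrying that expression.
# Because the exclusion is inside the deny rule itself, other rules in the
# policy (other CRS signatures, rate limits) still apply to the permitted
# methods, unlike an earlier allow rule, which ends evaluation on match.
render_rule() {
  policy=$1; priority=$2; shift 2
  expr=$(build_method_exclusion_expr "$@") || return 1
  cat <<EOF
gcloud compute security-policies rules create $priority \\
  --security-policy "$policy" \\
  --expression "$expr" \\
  --action deny-403 \\
  --description "CRS method enforcement, excluding: $*"
EOF
}

# Example invocation: prints the command; run it only after reviewing it.
render_rule my-security-policy 2000 PATCH PROPFIND
```

If the preconfigured rule already exists in the policy, use `gcloud compute security-policies rules update PRIORITY --security-policy POLICY --expression "..."` with the rendered expression instead of `create`. After applying it, send one request with each permitted method and one with a method that should still be blocked, and confirm in the load balancer logs that only the latter is denied by the rule.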