Application exclusions

Exclusions are used to suppress events, usually because there's a compensating control that isn't visible from the application perspective. For example:

  • As an administrator, you need to change the HTML that shows up on your web page, even though this qualifies as a cross-site scripting (XSS) vulnerability. In this case, you can create an exclusion that prevents these changes from being reported.

  • You use an edge device to place the correct headers on outbound HTTP responses to stop clickjacking attacks. However, the issue might still be reported because the application itself never provided the required protection. By using an exclusion, you prevent your developers from having to worry about understanding a complicated security issue that you've handled upstream.

  • When you test beta rules or roll out new rules, exclusions can be used to suppress false positives.

You can add an application exclusion under policy management or from the list of attack events.

You can view a list of existing exclusions either at Applications > Your application name > Policy > Exclusions or in the user menu > Policy management > Application exclusions.