Disable protections
Every protection is on by default. To turn one off, name it.

    routes:
      - match:
          paths: ["/search"]
        upstream: http://search:8000
        disable:
          - sql-injection-union   # false positive: search field uses UNION literally

Categories vs sub-protections
- Category — disable the whole class. `sql-injection` turns off all SQL-injection detection on this route.
- Sub-protection — disable one technique. `sql-injection-union` turns off only UNION-based detection; everything else stays on.
Always prefer the most specific name that fixes your false positive.

    disable:
      - sql-injection-union   # specific technique
      - data-leakage-php      # specific category (no sub-protections)

Finding the right name
- See the full protection catalog.
- After a false-positive request, check the audit log: `matched_protections` lists exactly the names you can put under `disable`.
Workflow for a false positive
- Run in `detect_only: true` so the request is logged but not blocked.
- Reproduce the false positive.
- Read `matched_protections` from the audit log.
- Add the most specific name to `disable`.
- Switch back to blocking.
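
The "read `matched_protections`, then add the most specific name" steps above, as an added example (not code from this project): it collects the names logged per path and checks a proposed `disable` list before it is committed. Only `matched_protections` and the three protection names come from this page; the JSON-lines log layout, the `path` field, the catalog excerpt and the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed catalog excerpt: only names that appear on this page.
# Category -> its sub-protections (empty list = category has none).
CATALOG = {
    "sql-injection": ["sql-injection-union"],
    "data-leakage-php": [],
}

# Constructed audit-log lines. The JSON-lines layout and "path" field are assumed;
# only matched_protections is named in the documentation.
SAMPLE_LOG = """\
{"path": "/search", "matched_protections": ["sql-injection-union"]}
{"path": "/search", "matched_protections": ["sql-injection-union"]}
{"path": "/upload", "matched_protections": ["data-leakage-php"]}
not-json garbage line
{"path": "/login", "matched_protections": []}
"""

def disable_candidates(log_text):
    """Map each request path to the sorted names seen in matched_protections."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or foreign lines instead of aborting the review
        if not isinstance(entry, dict):
            continue
        names = entry.get("matched_protections") or []
        if names:  # requests that matched nothing need no disable entry
            seen[entry.get("path", "?")].update(names)
    return {path: sorted(names) for path, names in seen.items()}

def review_disable(names, catalog=CATALOG):
    """Return warnings for a route's proposed disable list."""
    known = set(catalog) | {s for subs in catalog.values() for s in subs}
    warnings = []
    for name in names:
        if name not in known:
            warnings.append(f"{name}: not in catalog, check spelling")
        elif catalog.get(name):  # a category that has sub-protections
            subs = ", ".join(catalog[name])
            warnings.append(f"{name}: whole category; prefer one of: {subs}")
    return warnings

if __name__ == "__main__":
    print(disable_candidates(SAMPLE_LOG))
    print(review_disable(["sql-injection"]))
```
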
Disable narrows your protection
Every name in `disable` is a class of attacks no longer detected on that route. Disable on a single route, not globally, and revisit periodically.