This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 43%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hi community,
I am trying to make an exclusion for a ruleid which is triggered for [REQUEST_HEADERS:Content-Type:application/scim+json; charset=UTF-8]}. It seems pretty straightforward:
However the rule continues to be triggered. It seems the exclusion is not working at all. Also tried by changing the match for RequestHeaderName contains 'scim+json' but still no success. If I use a match for Content-type it will basically allow any content-type which is not the purpose.
I will appreciate any advise if someone has done this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 74%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hi eenchev,
Thanks for your question on the Microsoft Q&A portal!
To help us investigate and resolve this for you quickly, could you please provide a few additional details:
Looking forward to your response so we can assist you further.
Thanks,
Pranitha
Hi Pranitha,
The exact log from the Application gateway is:
{application/scim+json found within [REQUEST_HEADERS:Content-Type:application/scim+json; charset=utf-8]}
The policy is WAF v2 on Application gateway v2 using latest Azure DRS 2.1 ruleset. The Specific ruleid which is matched is 920420. Here are the rule exclusions implemented both global and specific for the ruleid. I have tried only specific and only the global with no success.
{ matchVariable: 'RequestHeaderValues' selectorMatchOperator: 'Contains' selector: 'scim+json'
exclusionManagedRuleSets: [] } { matchVariable: 'RequestHeaderValues' selectorMatchOperator: 'Contains' selector: 'scim+json'
exclusionManagedRuleSets: [ { ruleSetType: 'Microsoft_DefaultRuleSet' ruleSetVersion: '2.1' ruleGroups: [ { ruleGroupName: 'PROTOCOL-ENFORCEMENT' rules: [ { ruleId: '920420' } ] } ] }
I have tried with match selector : application/scim+json as well. WAF logs show only the message provided above: {application/scim+json found within [REQUEST_HEADERS:Content-Type:application/scim+json; charset=utf-8]} . I understand it that specifically the request header value application/scim+json is the reason for the match.
I have to check about specific custom-rules. Besides the kql query in the ApplicationGatewayFirewallLog is there a way to see more in depth information about the rule matches?
Thank you for the suggestions.
Hi eenchev,
Thanks for the detailed follow-up and for sharing your configuration and logs!
You're using Azure Application Gateway WAF v2 with the latest Microsoft Default Rule Set (DRS) 2.1. A managed rule (ID 920420) is being triggered by the Content-Type header value:
application/scim+json; charset=utf-8
You've tried to exclude this header using the match variable RequestHeaderValues with a selector like scim+json, but the rule continues to fire. You've tested both global and rule-specific exclusions and confirmed that the WAF logs show the match is happening on the full header value.
This is because:
The issue is likely due to how WAF exclusions match the full header value, including case sensitivity and exact formatting. The match variable RequestHeaderValues expects a full and exact match (or a substring match depending on the operator), but the presence of charset=utf-8 and potential case differences may cause the exclusion to fail.
Also, the Content-Type header is not split automatically into MIME type and charset—so your selector must account for the full string.
Here is the recommended steps:
To exclude this specific header value from triggering rule 920420, try the following:
Use RequestHeaderValues with full value match
{
"matchVariable": "RequestHeaderValues",
"selectorMatchOperator": "Equals",
"selector": "application/scim+json; charset=utf-8",
"exclusionManagedRuleSets": [
{
"ruleSetType": "Microsoft_DefaultRuleSet",
"ruleSetVersion": "2.1",
"ruleGroups": [
{
"ruleGroupName": "PROTOCOL-ENFORCEMENT",
"rules": [
{
"ruleId": "920420"
}
]
}
]
}
]
}
Ensure the casing and spacing match exactly what appears in the WAF logs. If the logs show charset=utf-8, do not use charset=UTF-8. Useful microsoft documents:
I hope this helps to resolve the issue.
Thanks!
Hi eenchev,
Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
Thanks!
Hi Pranitha,
I tried to add the exclusion as per your recommendation (both via bicep code and azure arm). Apparently the whole string is not allowed: spaces and special characters like semi-column are not allowed. Have you tested it ?
I am trying to substitute with selector: 'application/scim+json%3B%20charset=utf-8'
Hi eenchev,
Thank you for detailing your scenario and for testing various exclusion options.
What's happening:
Azure Application Gateway WAF does not currently allow spaces, semicolons, or some other special characters in the selector field when creating exclusions for request headers. This is why trying to use the full string (e.g., application/scim+json; charset=utf-8) as the selector gives you an error, even though the log clearly shows this is the value being matched.
Why does this happen?
This is a documented product limitation. The selector field in an exclusion must only have letters, numbers, and some punctuation. Spaces, semicolons (;), slashes (/), and plus (+) symbols are not supported in the selector as of the latest WAF version. For reference, please see the https://free.blessedness.top/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal , and the known issues thread.
What can you do?
Unfortunately, there is no direct workaround to match the full header value with forbidden characters in the selector. Here are your current options:
Useful Microsoft document:
I hope this helps to resolve the issue.
Thanks!
Hi,
Thank you for confirming that special symbols are not allowed. As already mentioned initially I tried with partial match in the RequestHeaderValues and it seems it is not working.
Hi eenchev,
Hope you are doing well.
I’m looking into this for you and will follow up soon with a resolution.
Thanks
Hi eenchev,Hope you are doing well.
We have requested some details in a private message. Could you please check and share them in message with us?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 38%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
I have the same problem. Why isn't the recommendation public? the partial match operators don't work. I can only use "Equals Any" which is too broad for our use.