## Introduction

WAF false positives block legitimate API requests, causing application errors for end users. This is particularly problematic for APIs with complex request bodies that trigger SQL injection or XSS detection rules.

## Symptoms

- API returns 403 Forbidden with a WAF error code
- Error: "Request blocked by WAF rule: SQL injection detected"
- Requests with JSON bodies blocked unexpectedly
- POST requests blocked but GET works
- Specific API endpoints consistently blocked

## Common Causes

- WAF SQL injection rule triggering on JSON with SQL-like strings
- XSS rule flagging HTML content in API responses
- Request body size exceeding the WAF limit
- Custom headers triggering WAF rules
- WAF rule set updated with new false-positive-prone rules

## Step-by-Step Fix

1. **Check WAF logs for blocked request details**

   ```bash
   # AWS WAF: confirm where the web ACL delivers its logs
   aws wafv2 get-logging-configuration --resource-arn <arn>
   # Then check CloudWatch Logs for the WAF log records (action, terminating rule, URI)
   ```

2. **Add an exclusion rule for the specific API path**

   ```bash
   # AWS WAF: add a rule that skips inspection for the specific path,
   # or add the path to an allowed list. Scope the exclusion to the
   # affected endpoint and rule only, not to the whole web ACL.
   ```

3. **Test the request without the WAF**

   Send the same request directly to the origin, bypassing the WAF; if it succeeds there, the block is coming from the WAF rule rather than from the application.

   ```bash
   curl -X POST https://api-direct.example.com/endpoint \
     -H 'Content-Type: application/json' \
     -d '{"query": "SELECT * FROM users"}'
   ```
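Step 1 above tells you to read the WAF logs, but a busy web ACL produces thousands of BLOCK records and the false positives are buried among genuine blocks. The script below is an added example, not part of the original runbook: it parses newline-delimited AWS WAF JSON log records (the format delivered to CloudWatch Logs) and groups BLOCK actions by terminating rule, method and URI, then flags groups where the same rule repeatedly blocks JSON requests to one endpoint from several unrelated clients. That pattern is the signature of a rule matching legitimate payloads rather than a single client probing. The log lines, IP addresses, paths and the `SAMPLE_LOGS` constant are constructed for illustration; the field names (`action`, `terminatingRuleId`, `httpRequest`, `terminatingRuleMatchDetails`) follow the AWS WAF log schema, but only the fields used here are included.

```python
"""Triage AWS WAF logs for false-positive candidates (added example, not from the runbook)."""
import json
from collections import Counter, defaultdict

# Constructed sample records in the (abridged) AWS WAF JSON log schema,
# one JSON object per line. Addresses and paths are illustrative only.
SAMPLE_LOGS = """\
{"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "httpRequest": {"clientIp": "203.0.113.10", "httpMethod": "POST", "uri": "/v1/reports/query", "headers": [{"name": "Content-Type", "value": "application/json"}]}, "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "BODY", "matchedData": ["SELECT", "*", "FROM"]}]}
{"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "httpRequest": {"clientIp": "203.0.113.11", "httpMethod": "POST", "uri": "/v1/reports/query", "headers": [{"name": "Content-Type", "value": "application/json"}]}, "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "BODY", "matchedData": ["SELECT", "count"]}]}
{"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "httpRequest": {"clientIp": "203.0.113.12", "httpMethod": "POST", "uri": "/v1/reports/query", "headers": [{"name": "Content-Type", "value": "application/json"}]}, "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "BODY", "matchedData": ["UNION", "SELECT"]}]}
{"action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "203.0.113.10", "httpMethod": "GET", "uri": "/v1/reports/query", "headers": []}, "terminatingRuleMatchDetails": []}
{"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "httpRequest": {"clientIp": "198.51.100.7", "httpMethod": "GET", "uri": "/search", "headers": []}, "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "QUERY_STRING", "matchedData": ["SELECT"]}]}
this line is not JSON and must be skipped, not crash the triage
"""


def parse_waf_log(text):
    """Parse newline-delimited WAF log records, skipping blank or non-JSON lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip rather than abort the triage
    return records


def header_value(request, name):
    """Return a request header value by case-insensitive name ('' if absent)."""
    for hdr in request.get("headers", []):
        if hdr.get("name", "").lower() == name.lower():
            return hdr.get("value", "")
    return ""


def summarize_blocks(records):
    """Group BLOCK actions by (terminating rule, HTTP method, URI)."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "json_body": 0, "matched": Counter()})
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest", {})
        key = (rec.get("terminatingRuleId", "?"), req.get("httpMethod", "?"), req.get("uri", "?"))
        group = groups[key]
        group["count"] += 1
        group["clients"].add(req.get("clientIp"))
        if "json" in header_value(req, "content-type").lower():
            group["json_body"] += 1
        # Which tokens the rule matched on, so the exclusion can be scoped precisely.
        for detail in rec.get("terminatingRuleMatchDetails", []):
            for token in detail.get("matchedData", []):
                group["matched"][token] += 1
    return groups


def false_positive_candidates(groups, min_hits=3, min_clients=2):
    """Heuristic: the same rule blocking JSON requests to one endpoint from several clients.

    A single client tripping a rule once looks like probing; many unrelated
    clients all blocked on the same JSON endpoint looks like a rule that
    matches legitimate payloads. Thresholds are tunable assumptions.
    """
    candidates = []
    for (rule, method, uri), group in groups.items():
        if (group["count"] >= min_hits
                and len(group["clients"]) >= min_clients
                and group["json_body"] == group["count"]):
            candidates.append({
                "rule": rule, "method": method, "uri": uri,
                "hits": group["count"], "clients": len(group["clients"]),
                "top_tokens": [tok for tok, _ in group["matched"].most_common(3)],
            })
    return sorted(candidates, key=lambda c: -c["hits"])


if __name__ == "__main__":
    summary = summarize_blocks(parse_waf_log(SAMPLE_LOGS))
    for cand in false_positive_candidates(summary):
        print(f"{cand['rule']} blocked {cand['method']} {cand['uri']} "
              f"{cand['hits']}x from {cand['clients']} clients; tokens: {cand['top_tokens']}")
```

Run against exported log lines instead of `SAMPLE_LOGS` and the output names the exact rule, path and matched tokens to put in the step 2 exclusion, which keeps the exclusion narrow: one rule on one endpoint, rather than disabling SQL injection inspection for the whole web ACL. The single GET block on `/search` in the sample is deliberately left below the thresholds so it is not reported.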