Skip to main content

Overview

WAAP security rules provide flexible protection mechanisms using CEL (Common Expression Language) expressions. Rules can be applied at different phases of request/response processing and support multiple action types.

Rule Types

WAAP supports two main categories of rules:
  1. Advanced Rules - Domain-specific rules using CEL expressions
  2. Advanced Rule Descriptors - Schema definitions for available rule objects and attributes

Advanced Rules

Advanced rules use CEL syntax to define complex conditions and actions for request/response handling.

New

Create a new advanced rule for a domain.

Method

func (r *DomainAdvancedRuleService) New(
    ctx context.Context,
    domainID int64,
    body DomainAdvancedRuleNewParams,
    opts ...option.RequestOption,
) (*WaapAdvancedRule, error)

Parameters

domainID
int64
required
The domain ID
name
string
required
The name assigned to the rule
source
string
required
A CEL syntax expression containing the rule’s conditionsAllowed objects: request, whois, session, response, tags, user_defined_tags, user_agent, client_dataLearn more: https://gcore.com/docs/waap/waap-rules/advanced-rules
enabled
bool
required
Whether the rule is enabled
action
Action
required
The action that the rule takes when triggered. Only one action can be set per rule
allow
map[string]any
Allow the request to proceed
block
Block
Block the request
status_code
int64
Custom HTTP status code: 403, 405, 418, or 429
action_duration
string
How long the block applies to subsequent requestsFormat: number followed by ‘s’, ‘m’, ‘h’, or ‘d’ (seconds, minutes, hours, days)Example: “5m”, “1h”, “24h”
captcha
map[string]any
Present a CAPTCHA challenge
handshake
map[string]any
Perform automatic browser validation
monitor
map[string]any
Monitor the request but take no action
tag
Tag
Tag the request for tracking
tags
[]string
required
List of user-defined tags to apply
description
string
Optional description for the rule
phase
string
The request/response phase for applying the rule. Default: accessAvailable values:
  • access - Modify the request before sending to origin
  • header_filter - Modify response HTTP headers
  • body_filter - Modify response body

Response

id
int64
required
The unique identifier for the rule
name
string
required
The name of the rule
source
string
required
The CEL expression defining the rule conditions
enabled
bool
required
Whether the rule is enabled
action
Action
required
The configured action for this rule
description
string
The rule description
phase
string
The processing phase: access, header_filter, or body_filter

Example

package main

import (
    "context"
    "fmt"
    "log"
    
    "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/waap"
    "github.com/G-Core/gcore-go/packages/param"
)

func main() {
    client := gcore.NewClient()
    
    // Create a rule to block requests from specific countries
    rule, err := client.Waap.Domains.AdvancedRules.New(
        context.Background(),
        12345, // domain ID
        waap.DomainAdvancedRuleNewParams{
            Name:    "Block Suspicious Countries",
            Source:  "whois.country in ['CN', 'RU']",
            Enabled: true,
            Action: waap.DomainAdvancedRuleNewParamsAction{
                Block: waap.DomainAdvancedRuleNewParamsActionBlock{
                    StatusCode:     403,
                    ActionDuration: param.Opt("1h"),
                },
            },
            Description: param.Opt("Block traffic from high-risk countries"),
            Phase:       waap.DomainAdvancedRuleNewParamsPhaseAccess,
        },
    )
    if err != nil {
        log.Fatalf("Failed to create rule: %v", err)
    }
    
    fmt.Printf("Created rule ID: %d\n", rule.ID)
}

// Create a rule to add custom tags
rule, err := client.Waap.Domains.AdvancedRules.New(
    context.Background(),
    12345,
    waap.DomainAdvancedRuleNewParams{
        Name:    "Tag Mobile Users",
        Source:  "user_agent.is_mobile == true",
        Enabled: true,
        Action: waap.DomainAdvancedRuleNewParamsAction{
            Tag: waap.DomainAdvancedRuleNewParamsActionTag{
                Tags: []string{"mobile_traffic", "requires_analysis"},
            },
        },
    },
)

List

Retrieve a list of advanced rules for a domain with filtering and pagination.

Method

func (r *DomainAdvancedRuleService) List(
    ctx context.Context,
    domainID int64,
    query DomainAdvancedRuleListParams,
    opts ...option.RequestOption,
) (*pagination.OffsetPage[WaapAdvancedRule], error)

Parameters

domainID
int64
required
The domain ID
limit
int64
Number of items to return
offset
int64
Number of items to skip
name
string
Filter by rule name. Supports ’*’ wildcard
description
string
Filter by description. Supports ’*’ wildcard
enabled
bool
Filter by enabled status
action
string
Filter by action typeAvailable values: allow, block, captcha, handshake, monitor, tag
phase
string
Filter by processing phaseAvailable values: access, header_filter, body_filter
ordering
string
Sort field. Prefix with - for descending orderAvailable values: id, name, description, enabled, action, phase, -id, -name, -description, -enabled, -action, -phase

Example

// List all enabled block rules
rules, err := client.Waap.Domains.AdvancedRules.List(
    context.Background(),
    12345,
    waap.DomainAdvancedRuleListParams{
        Enabled: param.Opt(true),
        Action:  waap.DomainAdvancedRuleListParamsActionBlock,
        Limit:   param.Opt(int64(20)),
    },
)
if err != nil {
    log.Fatalf("Failed to list rules: %v", err)
}

for _, rule := range rules.Data {
    fmt.Printf("Rule: %s (ID: %d)\n", rule.Name, rule.ID)
    fmt.Printf("  Source: %s\n", rule.Source)
}

// Auto-pagination
iter := client.Waap.Domains.AdvancedRules.ListAutoPaging(
    context.Background(),
    12345,
    waap.DomainAdvancedRuleListParams{},
)
for iter.Next() {
    rule := iter.Current()
    fmt.Printf("%s: %s\n", rule.Name, rule.Source)
}

Get

Retrieve a specific advanced rule by ID.

Method

func (r *DomainAdvancedRuleService) Get(
    ctx context.Context,
    ruleID int64,
    query DomainAdvancedRuleGetParams,
    opts ...option.RequestOption,
) (*WaapAdvancedRule, error)

Parameters

ruleID
int64
required
The rule ID
domain_id
int64
required
The domain ID

Example

rule, err := client.Waap.Domains.AdvancedRules.Get(
    context.Background(),
    67890,
    waap.DomainAdvancedRuleGetParams{
        DomainID: 12345,
    },
)
if err != nil {
    log.Fatalf("Failed to get rule: %v", err)
}

fmt.Printf("Rule: %s\n", rule.Name)
fmt.Printf("Source: %s\n", rule.Source)
fmt.Printf("Enabled: %v\n", rule.Enabled)

Update

Update an existing advanced rule. Only provided properties will be updated.

Method

func (r *DomainAdvancedRuleService) Update(
    ctx context.Context,
    ruleID int64,
    params DomainAdvancedRuleUpdateParams,
    opts ...option.RequestOption,
) error

Parameters

ruleID
int64
required
The rule ID
domain_id
int64
required
The domain ID
name
string
Updated rule name
source
string
Updated CEL expression
enabled
bool
Updated enabled status
description
string
Updated description
action
Action
Updated action configuration
phase
string
Updated processing phase

Example

// Update rule to change block duration
err := client.Waap.Domains.AdvancedRules.Update(
    context.Background(),
    67890,
    waap.DomainAdvancedRuleUpdateParams{
        DomainID:    12345,
        Description: param.Opt("Updated block rule with longer duration"),
        Action: waap.DomainAdvancedRuleUpdateParamsAction{
            Block: waap.DomainAdvancedRuleUpdateParamsActionBlock{
                ActionDuration: param.Opt("24h"),
                StatusCode:     429,
            },
        },
    },
)
if err != nil {
    log.Fatalf("Failed to update rule: %v", err)
}

Delete

Delete an advanced rule.

Method

func (r *DomainAdvancedRuleService) Delete(
    ctx context.Context,
    ruleID int64,
    body DomainAdvancedRuleDeleteParams,
    opts ...option.RequestOption,
) error

Parameters

ruleID
int64
required
The rule ID to delete
domain_id
int64
required
The domain ID

Example

err := client.Waap.Domains.AdvancedRules.Delete(
    context.Background(),
    67890,
    waap.DomainAdvancedRuleDeleteParams{
        DomainID: 12345,
    },
)
if err != nil {
    log.Fatalf("Failed to delete rule: %v", err)
}

fmt.Println("Rule deleted successfully")

Toggle

Enable or disable an advanced rule without modifying its configuration.

Method

func (r *DomainAdvancedRuleService) Toggle(
    ctx context.Context,
    action DomainAdvancedRuleToggleParamsAction,
    body DomainAdvancedRuleToggleParams,
    opts ...option.RequestOption,
) error

Parameters

action
string
required
The toggle action to performAvailable values: enable, disable
domain_id
int64
required
The domain ID
rule_id
int64
required
The rule ID to toggle

Example

// Disable a rule temporarily
err := client.Waap.Domains.AdvancedRules.Toggle(
    context.Background(),
    waap.DomainAdvancedRuleToggleParamsActionDisable,
    waap.DomainAdvancedRuleToggleParams{
        DomainID: 12345,
        RuleID:   67890,
    },
)
if err != nil {
    log.Fatalf("Failed to disable rule: %v", err)
}

// Re-enable the rule
err = client.Waap.Domains.AdvancedRules.Toggle(
    context.Background(),
    waap.DomainAdvancedRuleToggleParamsActionEnable,
    waap.DomainAdvancedRuleToggleParams{
        DomainID: 12345,
        RuleID:   67890,
    },
)

Advanced Rule Descriptors

Descriptors provide schema information about available CEL objects and their attributes.

List Descriptors

Retrieve the advanced rules descriptor schema.

Method

func (r *AdvancedRuleService) List(
    ctx context.Context,
    opts ...option.RequestOption,
) (*WaapAdvancedRuleDescriptorList, error)

Response

version
string
required
The descriptor schema version
objects
[]Descriptor
List of available CEL objects
name
string
The object’s name (e.g., “request”, “whois”, “session”)
type
string
The object’s type
description
string
Description of the object
attrs
[]Attr
Available attributes for this object
name
string
Attribute name
type
string
Attribute type
description
string
Attribute description
hint
string
Usage hint
args
[]Arg
Arguments for the attribute
name
string
Argument name
type
string
Argument type
description
string
Argument description

Example

descriptor, err := client.Waap.AdvancedRules.List(context.Background())
if err != nil {
    log.Fatalf("Failed to get descriptor: %v", err)
}

fmt.Printf("Descriptor Version: %s\n", descriptor.Version)

for _, obj := range descriptor.Objects {
    fmt.Printf("\nObject: %s (%s)\n", obj.Name, obj.Type)
    if obj.Description != "" {
        fmt.Printf("  Description: %s\n", obj.Description)
    }
    
    if len(obj.Attrs) > 0 {
        fmt.Println("  Attributes:")
        for _, attr := range obj.Attrs {
            fmt.Printf("    - %s: %s\n", attr.Name, attr.Type)
            if attr.Description != "" {
                fmt.Printf("      %s\n", attr.Description)
            }
            if attr.Hint != "" {
                fmt.Printf("      Hint: %s\n", attr.Hint)
            }
        }
    }
}

CEL Expression Examples

Block by Country

// Block requests from specific countries
"whois.country in ['CN', 'RU', 'KP']"

Rate Limiting by IP

// Block IPs that exceed 100 requests per minute
"session.rate('1m') > 100"

User Agent Filtering

// Block suspicious bots
"user_agent.is_bot && !user_agent.is_known_bot"

Path-Based Rules

// Protect admin endpoints
"request.path.startsWith('/admin/') && !request.ip in ['1.2.3.4']"

Method-Based Rules

// Allow only GET and POST
"request.method in ['GET', 'POST']"

Header-Based Rules

// Require authentication header
"!request.headers.has('Authorization')"

Tag-Based Rules

// Check if request has specific tag
"'suspicious_activity' in user_defined_tags"

Complex Conditions

// Combine multiple conditions
"whois.country == 'US' && request.path.contains('/api/') && session.rate('1m') < 50"

Rule Actions Reference

Allow

Permits the request to proceed without further inspection. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Allow: map[string]any{},
}

Block

Blocks the request with optional status code and duration. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Block: waap.DomainAdvancedRuleNewParamsActionBlock{
        StatusCode:     403, // 403, 405, 418, or 429
        ActionDuration: param.Opt("1h"),
    },
}

Captcha

Presents a CAPTCHA challenge to verify human interaction. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Captcha: map[string]any{},
}

Handshake

Performs automatic browser validation using JavaScript challenges. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Handshake: map[string]any{},
}

Monitor

Logs the event for analysis without blocking. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Monitor: map[string]any{},
}

Tag

Adds custom tags to requests for tracking and analytics. 
Action: waap.DomainAdvancedRuleNewParamsAction{
    Tag: waap.DomainAdvancedRuleNewParamsActionTag{
        Tags: []string{"high_risk", "requires_review"},
    },
}

Processing Phases

Access Phase (Default)

Applied before the request reaches the origin server. Use for:
  • Request filtering and blocking
  • Rate limiting
  • Authentication checks
  • Request modification

Header Filter Phase

Applied to response headers before sending to the client. Use for:
  • Security header injection
  • Header modification
  • Response classification

Body Filter Phase

Applied to the response body before sending to the client. Use for:
  • Content filtering
  • Response modification
  • Data sanitization
Most rules should use the default access phase. Use header_filter and body_filter only when you need to inspect or modify responses.

Build docs developers (and LLMs) love

Get started for freeTalk to us