Cloud Armor SQLi rule blocks legitimate login requests
Resolved 💬 3 comments Opened Jan 2, 2026 by leo1ardo Closed Feb 17, 2026
Problem
Cloud Armor's SQL Injection WAF rule (owasp-crs-v030301-id942200-sqli) blocks legitimate login requests to /api/auth/login.
Root Cause
The SQLi rule detects patterns in the login POST body (email/password) that look like SQL injection attempts.
Current Workaround
Added a bypass rule (priority 999) that allows all /api/auth/* endpoints before WAF rules apply:
rule {
action = "allow"
priority = 999
match {
expr {
expression = "request.path.matches('/api/auth/.*') || request.path.matches('/api/login') || request.path.matches('/api/register')"
}
}
description = "Allow auth endpoints (bypass WAF)"
}
Security Concern
Auth endpoints now bypass all WAF protection (SQLi, XSS, RCE, etc.). This is a potential security risk.
Better Solution (TODO)
Instead of bypassing all WAF rules, we should:
- Use sensitivity tuning for the SQLi rule on auth endpoints
- Or exclude only the specific rule ID
942200for auth paths - Or implement input validation on the backend to sanitize before WAF sees it
Related Files
app-configs/terraform-cloudrun/shared/main.tf- Cloud Armor policy
Log Evidence
statusDetails: "body_denied_by_security_policy"
preconfiguredExprIds: ["owasp-crs-v030301-id942200-sqli"]
priority: 1000This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗