Cloud Armor SQLi rule blocks legitimate login requests

Resolved 💬 3 comments Opened Jan 2, 2026 by leo1ardo Closed Feb 17, 2026

Problem

Cloud Armor's SQL Injection WAF rule (owasp-crs-v030301-id942200-sqli) blocks legitimate login requests to /api/auth/login.

Root Cause

The SQLi rule detects patterns in the login POST body (email/password) that look like SQL injection attempts.

Current Workaround

Added a bypass rule (priority 999) that allows all /api/auth/* endpoints before WAF rules apply:

rule {
  action   = "allow"
  priority = 999
  match {
    expr {
      expression = "request.path.matches('/api/auth/.*') || request.path.matches('/api/login') || request.path.matches('/api/register')"
    }
  }
  description = "Allow auth endpoints (bypass WAF)"
}

Security Concern

Auth endpoints now bypass all WAF protection (SQLi, XSS, RCE, etc.). This is a potential security risk.

Better Solution (TODO)

Instead of bypassing all WAF rules, we should:

  1. Use sensitivity tuning for the SQLi rule on auth endpoints
  2. Or exclude only the specific rule ID 942200 for auth paths
  3. Or implement input validation on the backend to sanitize before WAF sees it

Related Files

  • app-configs/terraform-cloudrun/shared/main.tf - Cloud Armor policy

Log Evidence

statusDetails: "body_denied_by_security_policy"
preconfiguredExprIds: ["owasp-crs-v030301-id942200-sqli"]
priority: 1000

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗