What the WAF inspects
The WAF analyzes the full request: URL path, query string, request headers, cookies, and request body. It looks for known attack payloads embedded in any of these fields.
SQL injection (SQLi)
Detects attempts to manipulate database queries via user-supplied input, including UNION-based, error-based, and blind injection techniques.
Cross-site scripting (XSS)
Catches reflected, stored, and DOM-based XSS payloads targeting browsers that process your responses.
Remote code execution (RCE)
Blocks payloads that attempt to execute shell commands or server-side code through vulnerable input handlers.
Path traversal
Stops requests that use ../ sequences and encoded variants to read files outside the web root.
Server-side template injection (SSTI)
Identifies template expression syntax (e.g., {{7*7}}) that exploits template engines running on your server.
Protocol & encoding abuse
Normalizes and decodes requests before matching, catching double-encoded and obfuscated payloads that bypass naive filters.
OWASP Core Rule Set matching
Recon44’s WAF is built on the OWASP Core Rule Set (CRS) — the same rule set used by Cloudflare and AWS WAF. Each rule has a unique identifier so you can trace exactly which pattern triggered a block.
Example WAF rule IDs
| Rule ID | Category | What it matches |
|---|---|---|
| WAF-SQLI-01 | SQL injection | Classic ' OR 1=1 and boolean-based payloads |
| WAF-SQLI-02 | SQL injection | UNION SELECT extraction attempts |
| WAF-SQLI-03 | SQL injection | Time-based blind injection (SLEEP, WAITFOR) |
| WAF-XSS-01 | Cross-site scripting | <script> tag injection and event handler attributes |
| WAF-XSS-02 | Cross-site scripting | JavaScript URI schemes and data URIs |
| WAF-RCE-01 | Remote code execution | Shell metacharacters and command separators |
| WAF-PT-01 | Path traversal | ../ sequences and URL-encoded equivalents |
| WAF-SSTI-01 | Template injection | Template expression syntax for common engines |
How rule matching works
Recon44 normalizes each request before matching — decoding URL encoding, HTML entities, and common obfuscation patterns. This ensures attackers cannot bypass rules by encoding their payloads.
Matching runs in parallel across all rule categories. If any rule fires, the WAF acts according to your plan’s configured mode before the request continues.
Inspection latency
Average WAF inspection latency is 47ms. This is the time added to a request for full rule evaluation — Recon44 adds no perceptible delay to legitimate users.
WAF modes by plan
Your WAF operates in one of two modes depending on your plan.
- Free plan — Log only
- Pro and above — Active blocking
On the Free plan, the WAF runs in read-only mode:
- Every request is inspected against the full rule set.
- Matching requests are logged and visible in your Threat Feed.
- No traffic is blocked — requests pass through to your origin.
You can still manually block specific IPs from the dashboard on the Free plan. WAF auto-blocking requires Pro or above.
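As an added illustration of the normalize-then-match flow and the per-plan mode described above (this is not Recon44's code; the rule IDs are taken from the table on this page, the regexes are constructed approximations of each rule's target, and the request dictionary shape is an assumption), a small Python matcher that decodes every field before matching and then logs or blocks according to plan:

```python
import html
import re
from urllib.parse import unquote

# Rule IDs and categories come from the page's table; the regexes are
# constructed approximations of what each rule targets, not Recon44's own.
RULES = [
    ("WAF-SQLI-01", "SQL injection", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("WAF-SQLI-02", "SQL injection", re.compile(r"\bunion\s+select\b", re.I)),
    ("WAF-SQLI-03", "SQL injection", re.compile(r"\b(sleep|waitfor)\b", re.I)),
    ("WAF-XSS-01", "Cross-site scripting", re.compile(r"<script\b|\bon\w+\s*=", re.I)),
    ("WAF-XSS-02", "Cross-site scripting", re.compile(r"\b(javascript|data):", re.I)),
    ("WAF-RCE-01", "Remote code execution", re.compile(r"[;|`]|\$\(")),
    ("WAF-PT-01", "Path traversal", re.compile(r"\.\./")),
    ("WAF-SSTI-01", "Template injection", re.compile(r"\{\{.*?\}\}|\$\{.*?\}")),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (unwrapping double encoding) and decode HTML entities."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return value


def inspect(request: dict) -> list[str]:
    """Return the IDs of every rule that fires on any field of the request."""
    fields = [request.get("path", ""), request.get("query", ""), request.get("body", "")]
    fields += list(request.get("headers", {}).values())
    fields += list(request.get("cookies", {}).values())
    normalized = [normalize(f) for f in fields]
    return [rule_id for rule_id, _cat, pat in RULES
            if any(pat.search(f) for f in normalized)]


def decide(request: dict, plan: str) -> tuple[str, list[str]]:
    """Free plan only logs a hit; Pro and above block it; no hit passes through."""
    hits = inspect(request)
    if not hits:
        return "pass", hits
    return ("log" if plan == "free" else "block"), hits
```

A double-encoded traversal such as `%252e%252e%2f` only becomes `../` on the second decode round, which is why the page stresses normalization before matching.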
Handling false positives
If the WAF blocks legitimate traffic, you have two options:
Check the Threat Feed
Open your dashboard and find the blocked request. The entry shows the source IP, the matched rule ID, and the full request path.
Whitelist the IP
If the blocked IP belongs to a trusted source (a monitoring service, your own office, a payment provider), click Whitelist next to the entry. Whitelisted IPs bypass WAF inspection entirely.
Related pages
Live Threat Feed
See every WAF event in real time, including the rule ID and action taken.
IP Blocking
Manage automatic and manual IP blocks, whitelists, and geo rules.