Date: 2026-01-01

Abnormal Path ABNORMALPATH Lists Rate Limit Rules Request Rules Signal Exclusion Abnormal Path indicates the original path differs from the normalized path (e.g., /foo/./bar is normalized to /foo/bar).

API Spec Mismatch API-SPEC-MISMATCH Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request that deviates from a provided API specification. This signal is only compatible with OpenAPI Specification v3.0 and available to On-Prem WAF deployments of Next-Gen WAF. Contact your account manager or email sales@fastly.com to activate this feature.

Bad Hop Headers BHH Lists Rate Limit Rules Request Rules Signal Exclusion Bad Hop Headers indicate an HTTP smuggling attempt through either a malformed Transfer-Encoding (TE) or Content-Length (CL) header, or a well-formed TE and CL header. This signal is only available to On-Prem WAF and Cloud WAF deployments.

Blocked Requests BLOCKED None Requests blocked by the Next-Gen WAF.

Code Injection PHP CODEINJECTION Lists Rate Limit Rules Request Rules Signal Exclusion Code Injection is the attempt to gain control or damage a target system through arbitrary application code commands.

Compression Detected COMPRESSED Lists Rate Limit Rules Request Rules Signal Exclusion The POST request body is compressed and cannot be inspected. For example, if a Content-Encoding: gzip request header is specified and the POST body is not plain text.

Deception Response DECEPTION None Indicates a request where the Next-Gen WAF returned a deceptive response. This signal is only available to customers with Edge WAF deployments on the Premier platform or as part of certain packaged offerings.

Fastly Unknown Backend FASTLY-UNKNOWN-BACKEND Indicates a request to a backend that does not exist in the Edge WAF.

Forceful Browsing FORCEFULBROWSING Signal Exclusion Forceful Browsing is the failed attempt to access admin pages.

GraphQL Duplicate Variables GRAPHQL-DUPLICATE-VARIABLES Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a GraphQL request that contains duplicated variables.

GraphQL Max Depth GRAPHQL-DEPTH Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request has reached or exceeded the maximum depth allowed on the server for GraphQL API queries.

GraphQL Missing Required Operation Name GRAPHQL-MISSING-REQUIRED-OPERATION-NAME Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request has multiple GraphQL operations but does not define which operation to execute.

GraphQL Syntax GRAPHQL-SYNTAX Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request that contains invalid GraphQL syntax. This may be related to a programming error or a malicious request.

GraphQL Undefined Variable GRAPHQL-UNDEFINED-VARIABLES Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request made to a GraphQL API containing more variables than expected by a function. This can be used to obfuscate malicious requests.

HTTP 403 Errors HTTP403 Signal Exclusion Forbidden. This is commonly seen when the request for a URL has been protected by the server's configuration.

HTTP 404 Errors HTTP404 Signal Exclusion Not Found. This is commonly seen when the request for a page or asset does not exist or cannot be found by the server.

HTTP 429 Errors HTTP429 Signal Exclusion Too Many Requests. This is commonly seen when rate-limiting is used to slow down the number of active connections to a server.

HTTP 4XX Errors HTTP4XX Signal Exclusion 4xx Status Codes commonly refer to client request errors.

HTTP 500 Errors HTTP500 Signal Exclusion Internal Server Error. This is commonly seen when a request generates an unhandled application error.

HTTP 503 Errors HTTP503 Signal Exclusion Service Unavailable. This is commonly seen when a web service is overloaded or sometimes taken down for maintenance.

HTTP 5XX Errors HTTP5XX Signal Exclusion 5xx Status Codes commonly refer to server-related issues.

HTTP Response Splitting RESPONSESPLIT Lists Rate Limit Rules Request Rules Signal Exclusion Identifies when CRLF characters are submitted as input to the application to inject headers into the HTTP response.

Insecure Authentication/Authorization INSECURE-AUTH Lists Rate Limit Rules Request Rules Signal Exclusion Insecure Authentication/Authorization, such as using JSON Web Tokens with the None Algorithm.

Invalid Encoding NOTUTF8 Lists Rate Limit Rules Request Rules Signal Exclusion Invalid Encoding can cause the server to translate malicious characters from a request into a response, causing either a denial of service or XSS.

Malformed Data in the request body MALFORMED-DATA Lists Rate Limit Rules Request Rules Signal Exclusion A POST, PUT or PATCH request body that is malformed according to the Content-Type request header. For example, if a Content-Type: application/x-www-form-urlencoded request header is specified and contains a POST body that is JSON. This is often a programming error or an automated or malicious request.

Malicious IP Traffic SANS Lists Rate Limit Rules Request Rules Signal Exclusion The regularly imported SANS Internet Storm Center list of IP addresses that have been reported to have engaged in malicious activity.

SigSci Malicious IPs SIGSCI-IP Lists Rate Limit Rules Request Rules Signal Exclusion Whenever an IP is flagged due to a malicious signal by our decision engine, that IP will be propagated to all customers. We then log subsequent requests from those IP addresses that contain any additional signal for the duration of the flag.

Missing Content-Type request header NO-CONTENT-TYPE Lists Rate Limit Rules Request Rules Signal Exclusion A POST, PUT or PATCH request that does not have a Content-Type request header. By default application servers should assume Content-Type: text/plain; charset=us-ascii in this case. Many automated and malicious requests may be missing Content-Type.

No User Agent NOUA Lists Rate Limit Rules Request Rules Signal Exclusion Indicates a request contained no User-Agent header or the header value was not set.

Null Byte NULLBYTE Lists Rate Limit Rules Request Rules Signal Exclusion Null bytes do not normally appear in a request and indicate the request is malformed and potentially malicious.

Out-of-Band Domain OOB-DOMAIN Lists Rate Limit Rules Request Rules Signal Exclusion Out-of-Band domains are generally used during penetration testing to identify vulnerabilities in which network access is allowed.

Private Files PRIVATEFILE Lists Rate Limit Rules Request Rules Signal Exclusion Private files are usually confidential in nature, such as an Apache .htaccess file, or a configuration file which could leak sensitive information.

Rate limited Request rate-limit None Identifies requests that have crossed the threshold of a rate limit rule.

Scanner SCANNER Lists Rate Limit Rules Request Rules Signal Exclusion Identifies popular scanning services and tools.