Simulate
Simulate HTTP requests through a workspace's WAF configuration without sending actual traffic. This allows testing and validating WAF rule behavior in a safe, non-production context.
IMPORTANT: The Fastly Next-Gen WAF API is only available to customers with access to the Next-Gen WAF product in the Fastly control panel. If you have access to the Next-Gen WAF control panel, check out the Next-Gen WAF API.
Known limitations
The simulator is stateless and processes one request at a time. It uses the on-prem agent WAF engine, not the edge-deployed WebAssembly runtime. As a result, it cannot evaluate:
- Rate limiting rules (require cross-request state)
- Deception actions (require traffic routing infrastructure)
- Edge WAF rules (different runtime)
- Informational signal filtering (signals converted to metrics counters by the WAF engine)
Data model
Request body for simulating a WAF request. The total request body must not exceed 100 KB.
| Field | Type | Description |
| --- | --- | --- |
| request | string | The raw HTTP request in wire format to simulate through the WAF. Must include the request line, headers, and optionally a body, separated by CRLF sequences. Required. |
| response | string | The raw HTTP response in wire format. The WAF engine inspects response headers during its PostRequest phase and may generate signals from them. When omitted, a default response of HTTP/1.1 200 OK\r\n\r\n is used. |
| signals | array | List of signals detected by the WAF during simulation. Empty array when no signals are detected. |
| waf_response | integer | The HTTP status code the WAF would return for the simulated request (e.g., 200 for allowed, 406 for blocked). |
| detector | string | The detector engine that identified the signal (e.g., SQLI, LIBINJECTIONV5, LIBINJECTIONJS, or a rule ID). |
| location | string | Where in the request the signal was detected (e.g., QUERYSTRING, POSTBODY, HEADER, HEADEROUT, POSTARG). Present for detection signals; absent for custom and action signals. |
| name | string | The parameter or header name that triggered detection. Present when the WAF engine identifies a specific parameter or header. |
| redaction | string | The redaction level applied to the detected value. Clients should handle unexpected string values gracefully, as new redaction types may be added. |
| type | string | The type of signal detected (e.g., SQLI, XSS, CMDEXE, TRAVERSAL, BACKDOOR, LOG4J-JNDI, BLOCKED). |
| value | string | The matched payload value that triggered signal detection. For detection signals, contains the matched content. For BLOCKED signals, carries the WAF response code as a string. Absent for custom signals. |
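
The following Python is an added example, not code from Fastly's documentation. It builds a simulate payload from the request and response fields described above (CRLF wire format, total size cap) and reduces a simulation result to a verdict while tolerating the optional signal fields. The function names, the 100,000-byte reading of the 100 KB limit, and the sample result are assumptions constructed for illustration.

```python
import json

MAX_BODY_BYTES = 100_000  # assumption: conservative reading of the documented 100 KB cap

def build_simulation_body(method, target, headers, body="", response=None):
    """Serialize one HTTP request into wire format and wrap it as a simulate payload."""
    for name, value in headers.items():
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"CR/LF in header {name!r} would split the wire-format request")
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    payload = {"request": "\r\n".join(lines) + "\r\n\r\n" + body}
    if response is not None:  # when omitted, the simulator uses "HTTP/1.1 200 OK\r\n\r\n"
        payload["response"] = response
    encoded = json.dumps(payload).encode("utf-8")
    if len(encoded) > MAX_BODY_BYTES:
        raise ValueError(f"payload is {len(encoded)} bytes, over the 100 KB limit")
    return encoded

def summarize_result(result):
    """Reduce a simulation result to a verdict plus the detection signals behind it."""
    summary = {"status": result.get("waf_response"), "blocked": False,
               "blocked_code": None, "findings": []}
    for sig in result.get("signals", []):
        if sig.get("type") == "BLOCKED":
            # For BLOCKED signals, "value" carries the WAF response code as a string.
            summary["blocked"] = True
            code = str(sig.get("value", ""))
            summary["blocked_code"] = int(code) if code.isdigit() else None
            continue
        # location, name and value are optional; redaction is kept as an opaque string
        summary["findings"].append({
            "type": sig.get("type"), "detector": sig.get("detector"),
            "location": sig.get("location"), "name": sig.get("name"),
            "value": sig.get("value"), "redaction": sig.get("redaction"),
        })
    return summary

# Constructed sample result for illustration, not captured API output.
SAMPLE_RESULT = {"waf_response": 406, "signals": [
    {"type": "SQLI", "detector": "LIBINJECTIONV5", "location": "QUERYSTRING",
     "name": "id", "value": "1' OR '1'='1"},
    {"type": "BLOCKED", "value": "406"},
]}

if __name__ == "__main__":
    print(build_simulation_body("GET", "/items?id=1", {"Host": "example.com"}).decode())
    print(summarize_result(SAMPLE_RESULT))
```

Because the simulator is stateless, each payload built this way is evaluated on its own, so a regression suite can replay a fixed set of requests after every rule change and compare the summaries.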