---
title: Simulate
summary: Simulate HTTP requests through a workspace's WAF configuration without sending actual traffic. This allows testing and validating WAF rule behavior in a safe, non-production context.
url: https://www.fastly.com/documentation/reference/api/ngwaf/simulate
---

Simulate HTTP requests through a workspace's WAF configuration without sending actual traffic.
This allows testing and validating WAF rule behavior in a safe, non-production context.

## Data model

| Field | Type | Description |
|-------|------|-------------|
| `request` | string | The raw HTTP request in wire format to simulate through the WAF. Must include the request line, headers, and optionally a body, separated by CRLF sequences. |
| `response` | string | The raw HTTP response in wire format. The WAF engine inspects response headers during its PostRequest phase and may generate signals from them. When omitted, a default response of <code>HTTP/1.1 200 OK\r\n\r\n</code> is used. |
| `signals` | array | List of signals detected by the WAF during simulation. Empty array when no signals are detected. |
| `waf_response` | integer | The HTTP status code the WAF would return for the simulated request (e.g., <code>200</code> for allowed, <code>406</code> for blocked). |
| `detector` | string | The detector engine that identified the signal (e.g., <code>SQLI</code>, <code>LIBINJECTIONV5</code>, <code>LIBINJECTIONJS</code>, or a rule ID). |
| `location` | string | Where in the request the signal was detected (e.g., <code>QUERYSTRING</code>, <code>POSTBODY</code>, <code>HEADER</code>, <code>HEADEROUT</code>, <code>POSTARG</code>). Present for detection signals; absent for custom and action signals. |
| `name` | string | The parameter or header name that triggered detection. Present when the WAF engine identifies a specific parameter or header. |
| `redaction` | string | The redaction level applied to the detected value. Clients should handle unexpected string values gracefully, as new redaction types may be added. |
| `type` | string | The type of signal detected (e.g., <code>SQLI</code>, <code>XSS</code>, <code>CMDEXE</code>, <code>TRAVERSAL</code>, <code>BACKDOOR</code>, <code>LOG4J-JNDI</code>, <code>BLOCKED</code>). |
| `value` | string | The matched payload value that triggered signal detection. For detection signals, contains the matched content. For <code>BLOCKED</code> signals, carries the WAF response code as a string. Absent for custom signals. |

## API endpoints

### Simulate a WAF request

**POST** `/ngwaf/v1/workspaces/{workspace_id}/simulate`

Simulates a request through the workspace's WAF configuration and returns
the WAF response code and any signals that would be detected. The operation
is stateless — no simulation data is persisted.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `workspace_id` | string | path | Yes | The ID of the workspace. |