Skip to main content

Release 1.12.1

Release Date: June 11, 2026

info

This release extends list references ("{{list.<key>}}") to WAF security exceptions, allowing reusable named lists for exception paths, IPs, and ASNs. It also deprecates the rule_ids exception field.

New Features -> Security Configuration

List References in WAF Exceptions

WAF security exception fields now support {{list.<key>}} references, the same list syntax introduced in Release 1.12.0 for delivery match conditions. This allows you to manage exception values centrally using named lists defined in the tenant or common config.

Supported exception fields:

  • paths — URL path prefixes to exclude
  • v4_ips — IPv4 addresses/CIDR ranges to exclude
  • v6_ips — IPv6 addresses/CIDR ranges to exclude
  • asn — Autonomous System Numbers to exclude

List references work in two forms:

Standalone reference — the entire field value is a single list reference:

JSON
{
"security_config": {
  "exceptions": {
    "SQL-INJECTION-ANOMALY": {
      "v4_ips": "{{list.internal_ips}}"
    }
  }
}
}

Mixed array — list references and inline values in the same array, merged at evaluation time:

JSON
{
"security_config": {
  "exceptions": {
    "SQL-INJECTION-ANOMALY": {
      "paths": ["{{list.health_check_paths}}", "/internal/metrics"],
      "v6_ips": ["{{list.internal_v6_ips}}", "2001:db8::/32"]
    },
    "IPBLOCK-BURST": {
      "asn": ["{{list.trusted_asns}}", "55555"]
    }
  }
}
}

The same precedence rules apply as for delivery lists: local tenant lists override global (common) lists with the same key. If a referenced list key is not found, it resolves to an empty array and the exception is not applied.

Example: WAF List Ref Exceptions

Deprecations

warning

The rule_ids field in WAF security exceptions is now deprecated. It will be removed in a future release. Use paths, IP-based, or ASN-based exceptions instead.

Schema Changes

  • WAF exception fields (paths, v4_ips, v6_ips, asn) now accept either an array of values or a single {{list.<key>}} reference string
  • Array items in exception fields can include {{list.<key>}} references mixed with inline values
  • rule_ids exception field marked as deprecated in the schema
  • v6_ips description corrected from "IPv4 CIDR" to "IPv6 CIDR"

Migration Guide

info

All changes are backward compatible. No breaking changes were introduced.

Use list references for shared WAF exception values

If you have the same IP ranges or paths repeated across multiple WAF exception groups, extract them into named lists:

JSON
{
"lists": {
  "internal_ips": ["198.51.100.0/24", "203.0.113.0/24"],
  "health_check_paths": ["/health", "/status", "/ready"]
},
"security_config": {
  "deny_groups": ["SQL-INJECTION-ANOMALY", "XSS-ANOMALY"],
  "exceptions": {
    "SQL-INJECTION-ANOMALY": {
      "paths": "{{list.health_check_paths}}",
      "v4_ips": "{{list.internal_ips}}"
    },
    "XSS-ANOMALY": {
      "paths": "{{list.health_check_paths}}",
      "v4_ips": "{{list.internal_ips}}"
    }
  }
}
}

Resources

note

Questions or feedback? Please refer to the documentation or contact support.