# Release 1.12.1

**Release Date**: June 11, 2026

> **INFO**
This release extends **list references** (`"{{list.<key>}}"`) to WAF security exceptions, allowing reusable named lists for exception paths, IPs, and ASNs. It also deprecates the `rule_ids` exception field.

## New Features -> Security Configuration

### List References in WAF Exceptions

WAF security exception fields now support `{{list.<key>}}` references, the same list syntax introduced in [Release 1.12.0](/tenant-schemas/releases/1.12.0) for delivery match conditions. This allows you to manage exception values centrally using named lists defined in the tenant or common config.

**Supported exception fields**:
- `paths` — URL path prefixes to exclude
- `v4_ips` — IPv4 addresses/CIDR ranges to exclude
- `v6_ips` — IPv6 addresses/CIDR ranges to exclude
- `asn` — Autonomous System Numbers to exclude

List references work in two forms:

**Standalone reference** — the entire field value is a single list reference:

```json
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "v4_ips": "{{list.internal_ips}}"
      }
    }
  }
}
```

**Mixed array** — list references and inline values in the same array, merged at evaluation time:

```json
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["{{list.health_check_paths}}", "/internal/metrics"],
        "v6_ips": ["{{list.internal_v6_ips}}", "2001:db8::/32"]
      },
      "IPBLOCK-BURST": {
        "asn": ["{{list.trusted_asns}}", "55555"]
      }
    }
  }
}
```

The same precedence rules apply as for delivery lists: local tenant lists override global (common) lists with the same key. If a referenced list key is not found, it resolves to an empty array and the exception is not applied.

**Example**: [WAF List Ref Exceptions](/examples#waf-list-ref-exceptions)

## Deprecations

> **WARNING**
The `rule_ids` field in WAF security exceptions is now **deprecated**. It will be removed in a future release. Use `paths`, IP-based, or ASN-based exceptions instead.

## Schema Changes

- WAF exception fields (`paths`, `v4_ips`, `v6_ips`, `asn`) now accept either an array of values or a single `{{list.<key>}}` reference string
- Array items in exception fields can include `{{list.<key>}}` references mixed with inline values
- `rule_ids` exception field marked as `deprecated` in the schema
- `v6_ips` description corrected from "IPv4 CIDR" to "IPv6 CIDR"

## Migration Guide

> **INFO**
All changes are backward compatible. No breaking changes were introduced.

### Recommended Actions

#### Use list references for shared WAF exception values

If you have the same IP ranges or paths repeated across multiple WAF exception groups, extract them into named lists:

```json
{
  "lists": {
    "internal_ips": ["198.51.100.0/24", "203.0.113.0/24"],
    "health_check_paths": ["/health", "/status", "/ready"]
  },
  "security_config": {
    "deny_groups": ["SQL-INJECTION-ANOMALY", "XSS-ANOMALY"],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": "{{list.health_check_paths}}",
        "v4_ips": "{{list.internal_ips}}"
      },
      "XSS-ANOMALY": {
        "paths": "{{list.health_check_paths}}",
        "v4_ips": "{{list.internal_ips}}"
      }
    }
  }
}
```

## Resources

- [Delivery Configuration Documentation](/tenant-schemas/delivery-config)
- [Match Conditions Documentation](/tenant-schemas/match-conditions)
- [Security Configuration Documentation](/tenant-schemas/security-config)
- [Lists Reference](/tenant-schemas/lists)
- [Configuration Examples](/examples)
- [Tenant Schema (JSON)](/tenant-schema.json)

> **NOTE**
Questions or feedback? Please refer to the documentation or contact support.
