AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/waf-oversize-request-components.md

Summary

Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' for consistency and clarity throughout the document.

Security assessment

The changes are purely terminological clarifications (adding parentheses to associate 'protection pack' with 'web ACL'). No security vulnerabilities, configurations, or features were modified or added. The documentation still describes the same security mechanisms without altering their functionality or implications.

Diff

diff --git a/waf/latest/developerguide/waf-oversize-request-components.md b/waf/latest/developerguide/waf-oversize-request-components.md
index 3616c0ee9..75c8d5db8 100644
--- a//waf/latest/developerguide/waf-oversize-request-components.md
+++ b//waf/latest/developerguide/waf-oversize-request-components.md
@@ -23 +23 @@ The component inspection size limits are as follows:
-  * **`Body` and `JSON Body`** – For Application Load Balancer and AWS AppSync, AWS WAF can inspect the first 8 KB of the body of a request. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, by default, AWS WAF can inspect the first 16 KB, and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. For more information, see [Managing body inspection size limits for AWS WAF](./web-acl-setting-body-inspection-limit.html). 
+  * **`Body` and `JSON Body`** – For Application Load Balancer and AWS AppSync, AWS WAF can inspect the first 8 KB of the body of a request. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, by default, AWS WAF can inspect the first 16 KB, and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. For more information, see [Managing body inspection size limits for AWS WAF](./web-acl-setting-body-inspection-limit.html). 
@@ -42 +42 @@ The options for handling oversize components are as follows:
-  * **No match** – Treat the web request as not matching the rule statement without evaluating it against the rule's inspection criteria. AWS WAF continues its inspection of the web request using the rest of the rules in the protection pack or web ACL like it would do for any non-matching rule. 
+  * **No match** – Treat the web request as not matching the rule statement without evaluating it against the rule's inspection criteria. AWS WAF continues its inspection of the web request using the rest of the rules in the protection pack (web ACL) like it would do for any non-matching rule. 
@@ -49 +49 @@ In the AWS WAF console, you're required to choose one of these handling options.
-If you use the Match option in a rule that has its action set to Block, the rule will block a request whose inspected component is oversize. With any other configuration, the final disposition of the request depends on various factors, such as the configuration of the other rules in your protection pack or web ACL and the protection pack or web ACL's default action setting. 
+If you use the Match option in a rule that has its action set to Block, the rule will block a request whose inspected component is oversize. With any other configuration, the final disposition of the request depends on various factors, such as the configuration of the other rules in your protection pack (web ACL) and the protection pack (web ACL)'s default action setting. 
@@ -53 +53 @@ If you use the Match option in a rule that has its action set to Block, the rule
-Component size and count limitations apply to all rules that you use in your protection pack or web ACL. This includes any rules that you use but don't manage, in managed rule groups and in rule groups that are shared with you by another account. 
+Component size and count limitations apply to all rules that you use in your protection pack (web ACL). This includes any rules that you use but don't manage, in managed rule groups and in rule groups that are shared with you by another account. 
@@ -57 +57 @@ When you use a rule group that you don't manage, the rule group might have a rul
-###### Guidelines for managing oversize components in your protection pack or web ACL
+###### Guidelines for managing oversize components in your protection pack (web ACL)
@@ -59 +59 @@ When you use a rule group that you don't manage, the rule group might have a rul
-The way you handle oversize components in your protection pack or web ACL can depend on a number of factors such as the expected size of your request component contents, your protection pack or web ACL's default request handling, and how other rules in your protection pack or web ACL match and handle requests. 
+The way you handle oversize components in your protection pack (web ACL) can depend on a number of factors such as the expected size of your request component contents, your protection pack (web ACL)'s default request handling, and how other rules in your protection pack (web ACL) match and handle requests. 
@@ -63 +63 @@ The general guidelines for managing oversized web request components are as foll
-  * If you need to allow some requests with oversize component contents, if possible, add rules to explicitly allow only those requests. Prioritize those rules so that they run before any other rules in the protection pack or web ACL that inspect the same component types. With this approach, you won't be able to use AWS WAF to inspect the entire contents of the oversize components that you allow to pass to your protected resource.
+  * If you need to allow some requests with oversize component contents, if possible, add rules to explicitly allow only those requests. Prioritize those rules so that they run before any other rules in the protection pack (web ACL) that inspect the same component types. With this approach, you won't be able to use AWS WAF to inspect the entire contents of the oversize components that you allow to pass to your protected resource.
@@ -67 +67 @@ The general guidelines for managing oversized web request components are as foll
-    * **Your rules and rule groups** – In your rules that inspect components with size limits, configure oversize handling so that you block requests that go over the limit. For example, if your rule blocks requests with specific header contents, set the oversize handling to match on requests that have oversize header content. Alternately, if your protection pack or web ACL blocks requests by default and your rule allows specific header contents, then configure your rule's oversize handling to not match on any request that has oversize header content. 
+    * **Your rules and rule groups** – In your rules that inspect components with size limits, configure oversize handling so that you block requests that go over the limit. For example, if your rule blocks requests with specific header contents, set the oversize handling to match on requests that have oversize header content. Alternately, if your protection pack (web ACL) blocks requests by default and your rule allows specific header contents, then configure your rule's oversize handling to not match on any request that has oversize header content. 
@@ -69 +69 @@ The general guidelines for managing oversized web request components are as foll
-    * **Rule groups that you don't manage** – To prevent rule groups that you don't manage from allowing oversize request components, you can add a separate rule that inspects the request component type and blocks requests that go over the limits. Prioritize the rule in your protection pack or web ACL so that it runs before the rule groups. For example, you can block requests with oversize body content before any of your body inspection rules run in the protection pack or web ACL. The following procedure describes how to add this type of rule.
+    * **Rule groups that you don't manage** – To prevent rule groups that you don't manage from allowing oversize request components, you can add a separate rule that inspects the request component type and blocks requests that go over the limits. Prioritize the rule in your protection pack (web ACL) so that it runs before the rule groups. For example, you can block requests with oversize body content before any of your body inspection rules run in the protection pack (web ACL). The following procedure describes how to add this type of rule.
@@ -76 +76 @@ The general guidelines for managing oversized web request components are as foll
-You can add a rule in your protection pack or web ACL that blocks requests with oversized components. 
+You can add a rule in your protection pack (web ACL) that blocks requests with oversized components. 
@@ -80 +80 @@ You can add a rule in your protection pack or web ACL that blocks requests with
-  1. When you create or edit your protection pack or web ACL, in the rules settings, choose **Add rules** , **Add my own rules and rule groups** , **Rule builder** , then **Rule visual editor**. For guidance on creating or editing a protection pack or web ACL, see [Viewing web traffic metrics in AWS WAF](./web-acl-working-with.html).
+  1. When you create or edit your protection pack (web ACL), in the rules settings, choose **Add rules** , **Add my own rules and rule groups** , **Rule builder** , then **Rule visual editor**. For guidance on creating or editing a protection pack (web ACL), see [Viewing web traffic metrics in AWS WAF](./web-acl-working-with.html).
@@ -90 +90 @@ You can add a rule in your protection pack or web ACL that blocks requests with
-    3. For **Size** , type a number that's at least the minimum size for the component type. For headers and cookies, type `8192`. In Application Load Balancer or AWS AppSync protection pack or web ACLs, for bodies, type `8192`. For bodies in CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access protection pack or web ACLs, if you're using the default body size limit, type `16384`. Otherwise, type the body size limit that you've defined for your protection pack or web ACL. 
+    3. For **Size** , type a number that's at least the minimum size for the component type. For headers and cookies, type `8192`. In Application Load Balancer or AWS AppSync protection packs (web ACLs), for bodies, type `8192`. For bodies in CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access protection packs (web ACLs), if you're using the default body size limit, type `16384`. Otherwise, type the body size limit that you've defined for your protection pack (web ACL). 
@@ -98 +98 @@ You can add a rule in your protection pack or web ACL that blocks requests with
-  6. After you add the rule, on the **Set rule priority** page, move it above any rules or rule groups in your protection pack or web ACL that inspect the same component type. This gives the new rule a lower numeric priority setting, which causes AWS WAF to evaluate it first. For more information, see [Setting rule priority](./web-acl-processing-order.html).
+  6. After you add the rule, on the **Set rule priority** page, move it above any rules or rule groups in your protection pack (web ACL) that inspect the same component type. This gives the new rule a lower numeric priority setting, which causes AWS WAF to evaluate it first. For more information, see [Setting rule priority](./web-acl-processing-order.html).