

# Working with conditions
<a name="classic-web-acl-create-condition"></a>

**Warning**  
AWS WAF Classic is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

Conditions specify when you want to allow or block requests.
+ To allow or block requests based on whether the requests appear to contain malicious scripts, create cross-site scripting match conditions. For more information, see [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md).
+ To allow or block requests based on the IP addresses that they originate from, create IP match conditions. For more information, see [Working with IP match conditions](classic-web-acl-ip-conditions.md).
+ To allow or block requests based on the country that they originate from, create geo match conditions. For more information, see [Working with geographic match conditions](classic-web-acl-geo-conditions.md).
+ To allow or block requests based on whether the requests exceed a specified length, create size constraint conditions. For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).
+ To allow or block requests based on whether the requests appear to contain malicious SQL code, create SQL injection match conditions. For more information, see [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md).
+ To allow or block requests based on strings that appear in the requests, create string match conditions. For more information, see [Working with string match conditions](classic-web-acl-string-conditions.md).
+ To allow or block requests based on a regex pattern that appears in the requests, create regex match conditions. For more information, see [Working with regex match conditions](classic-web-acl-regex-conditions.md).

**Topics**
+ [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md)
+ [Working with IP match conditions](classic-web-acl-ip-conditions.md)
+ [Working with geographic match conditions](classic-web-acl-geo-conditions.md)
+ [Working with size constraint conditions](classic-web-acl-size-conditions.md)
+ [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md)
+ [Working with string match conditions](classic-web-acl-string-conditions.md)
+ [Working with regex match conditions](classic-web-acl-regex-conditions.md)

# Working with cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions"></a>

Attackers sometimes insert scripts into web requests in an effort to exploit vulnerabilities in web applications. You can create one or more cross-site scripting match conditions to identify the parts of web requests, such as the URI or the query string, that you want AWS WAF Classic to inspect for possible malicious scripts. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious scripts.

**Topics**
+ [Creating cross-site scripting match conditions](#classic-web-acl-xss-conditions-creating)
+ [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values)
+ [Adding and deleting filters in a cross-site scripting match condition](#classic-web-acl-xss-conditions-editing)
+ [Deleting cross-site scripting match conditions](#classic-web-acl-xss-conditions-deleting)

## Creating cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-creating"></a>

When you create cross-site scripting match conditions, you specify filters. The filters indicate the part of web requests that you want AWS WAF Classic to inspect for malicious scripts, such as the URI or the query string. You can add more than one filter to a cross-site scripting match condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **More than one filter per cross-site scripting match condition (recommended)** – When you add a cross-site scripting match condition that contains multiple filters to a rule and add the rule to a web ACL, a web request must match only one of the filters in the cross-site scripting match condition for AWS WAF Classic to allow or block the request based on that condition.

  For example, suppose you create one cross-site scripting match condition, and the condition contains two filters. One filter instructs AWS WAF Classic to inspect the URI for malicious scripts, and the other instructs AWS WAF Classic to inspect the query string. AWS WAF Classic allows or blocks requests if they appear to contain malicious scripts *either* in the URI *or* in the query string.
+ **One filter per cross-site scripting match condition** – When you add the separate cross-site scripting match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  Suppose you create two conditions, and each condition contains one of the two filters in the preceding example. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both the URI and the query string appear to contain malicious scripts.

**Note**  
When you add a cross-site scripting match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* appear to contain malicious scripts.<a name="classic-web-acl-xss-conditions-creating-procedure"></a>

**To create a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're done adding filters, choose **Create**.

## Values that you specify when you create or edit cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-values"></a>

When you create or update a cross-site scripting match condition, you specify the following values: 

**Name**  
The name of the cross-site scripting match condition.  
The name can contain only the characters A-Z, a-z, 0-9, and the special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for malicious scripts:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
For cross-site scripting match conditions, we recommend that you choose **All query parameters (values only)** instead of **Query string** for **Part of the request to filter on**.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)**, you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the values of a single parameter, AWS WAF Classic inspects all parameter values within the query string for possible malicious scripts. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle", and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* contains possible malicious scripts. 

**Header**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect for malicious scripts.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ \f, formfeed, decimal 12
+ \t, tab, decimal 9
+ \n, newline, decimal 10
+ \r, carriage return, decimal 13
+ \v, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: \ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.
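
The transformations listed above, reimplemented in Python as an added example (not AWS code) so you can preview what the inspection would see for a sample value under each single transformation. The function names are hypothetical, and the step order inside `simplify_command_line` is an assumption, because the page does not state one.

```python
import re
from urllib.parse import unquote

# Named entities the page lists for "HTML decode"; &quot; is the double quote.
_NAMED = {"quot": '"', "nbsp": "\u00a0", "lt": "<", "gt": ">"}
_ENTITY = re.compile(r"&(?:#x([0-9A-Fa-f]{1,6})|#([0-9]{1,7})|(quot|nbsp|lt|gt));")
# Characters the page lists for "Normalize white space".
_WHITESPACE = re.compile("[\f\t\n\r\v\u00a0]")
_ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                             "abcdefghijklmnopqrstuvwxyz")


def lowercase(value):
    """Convert to lowercase: only A-Z are mapped, as the page states."""
    return value.translate(_ASCII_LOWER)


def html_decode(value):
    """HTML decode: the four named entities plus hex and decimal references."""
    def replace(match):
        hex_digits, dec_digits, name = match.groups()
        if name:
            return _NAMED[name]
        code = int(hex_digits, 16) if hex_digits else int(dec_digits)
        # Leave references outside the Unicode range untouched.
        return chr(code) if code <= 0x10FFFF else match.group(0)
    return _ENTITY.sub(replace, value)


def normalize_whitespace(value):
    """Normalize white space: listed characters become a space, runs collapse."""
    return re.sub(" {2,}", " ", _WHITESPACE.sub(" ", value))


def simplify_command_line(value):
    """Simplify command line, applying the listed steps in listed order
    (assumed order; the page does not specify one)."""
    value = re.sub(r"[\\\"'^]", "", value)    # delete \ " ' ^
    value = re.sub(r" +(?=[/(])", "", value)  # delete spaces before / (
    value = re.sub(r"[,;]", " ", value)       # , and ; become a space
    value = re.sub(" {2,}", " ", value)       # collapse runs of spaces
    return lowercase(value)


def url_decode(value):
    """URL decode: percent-escapes are decoded once."""
    return unquote(value)


TRANSFORMATIONS = {
    "None": lambda value: value,
    "Convert to lowercase": lowercase,
    "HTML decode": html_decode,
    "Normalize white space": normalize_whitespace,
    "Simplify command line": simplify_command_line,
    "URL decode": url_decode,
}


def preview(value):
    """Return the text each single transformation would hand to inspection."""
    return {name: fn(value) for name, fn in TRANSFORMATIONS.items()}


if __name__ == "__main__":
    # Constructed sample values, not taken from real traffic.
    for sample in ("&lt;B&gt;Hello&#x21;", "%3CB%3EHello%21", "a\t\tb\u00a0c"):
        print(repr(sample))
        for name, seen in preview(sample).items():
            print(f"  {name:22} {seen!r}")
```

Because a filter takes only one transformation, running `preview` over values from your own request logs shows which filters you need to add to the condition to cover each encoding you actually receive.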

## Adding and deleting filters in a cross-site scripting match condition
<a name="classic-web-acl-xss-conditions-editing"></a>

You can add or delete filters in a cross-site scripting match condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-xss-conditions-editing-procedure"></a>

**To add or delete filters in a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-deleting"></a>

If you want to delete a cross-site scripting match condition, you must first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-xss-conditions-deleting-procedure"></a>

**To delete a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. In the **Cross-site scripting match conditions** pane, choose the cross-site scripting match condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this cross-site scripting match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the cross-site scripting match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the cross-site scripting match condition that you want to delete.

   1. In the right pane, select the cross-site scripting match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the cross-site scripting match condition that you want to delete.

   1. In the navigation pane, choose **Cross-site scripting**.

   1. In the **Cross-site scripting match conditions** pane, choose the cross-site scripting match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with IP match conditions
<a name="classic-web-acl-ip-conditions"></a>

If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.

**Topics**
+ [Creating an IP Match Condition](#classic-web-acl-ip-conditions-creating)
+ [Editing IP match conditions](#classic-web-acl-ip-conditions-editing)
+ [Deleting IP match conditions](#classic-web-acl-ip-conditions-deleting)

## Creating an IP Match Condition
<a name="classic-web-acl-ip-conditions-creating"></a>

If you want to allow some web requests and block others based on the IP addresses that the requests originate from, create an IP match condition for the IP addresses that you want to allow and another IP match condition for the IP addresses that you want to block.

**Note**  
When you add an IP match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* originate from the IP addresses that you specify in the condition.<a name="classic-web-acl-ip-conditions-creating-procedure"></a>

**To create an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. Choose **Create condition**.

1. Enter a name in the **Name** field.

   The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

1. Select the correct IP version and specify an IP address or range of IP addresses by using CIDR notation. Here are some examples:
   + To specify the IPv4 address 192.0.2.44, type **192.0.2.44/32**.
   + To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, type **0:0:0:0:0:ffff:c000:22c/128**.
   + To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, type **192.0.2.0/24**.
   + To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter **2620:0:2d0:200::/64**.

   AWS WAF Classic supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF Classic supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128. For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

1. Choose **Add another IP address or range**.

1. If you want to add another IP address or range, repeat steps 5 and 6.

1. When you're finished adding values, choose **Create IP match condition**.
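
A pre-flight check for step 5, added here as an example and not part of the AWS documentation: it validates each entry against the prefix lengths AWS WAF Classic supports and splits an unsupported range into supported subnets when that stays within the 10,000-entry limit. The function names are hypothetical.

```python
import ipaddress

# Prefix lengths the page lists as supported by AWS WAF Classic.
SUPPORTED_PREFIXES = {4: (8, *range(16, 33)), 6: (24, 32, 48, 56, 64, 128)}
MAX_ENTRIES = 10_000  # the page: a condition lists up to 10,000 addresses or ranges


def supported_equivalent(text):
    """Return the supported networks that cover exactly the range in `text`.

    Raises ValueError for unparseable input or for a range that would need
    more than MAX_ENTRIES supported subnets.
    """
    # strict=False accepts a bare address (read as /32 or /128) and clears
    # host bits, so 192.0.2.44/24 is read as 192.0.2.0/24.
    net = ipaddress.ip_network(text.strip(), strict=False)
    allowed = SUPPORTED_PREFIXES[net.version]
    if net.prefixlen in allowed:
        return [net]
    # Next longer supported prefix; one always exists because /32 and /128
    # are supported.
    target = next(p for p in allowed if p > net.prefixlen)
    count = 2 ** (target - net.prefixlen)
    if count > MAX_ENTRIES:
        raise ValueError(
            f"{net} would need {count} /{target} entries, "
            f"over the {MAX_ENTRIES} limit"
        )
    return list(net.subnets(new_prefix=target))


def build_entries(candidates):
    """Split candidates into (accepted CIDR strings, [(input, reason), ...])."""
    accepted, seen, rejected = [], set(), []
    for text in candidates:
        try:
            nets = supported_equivalent(text)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        for net in nets:
            cidr = str(net)
            if cidr not in seen:  # drop duplicates, keep first-seen order
                seen.add(cidr)
                accepted.append(cidr)
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} entries exceed the {MAX_ENTRIES} limit")
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input mixing the page's examples with unsupported ranges.
    candidates = [
        "192.0.2.44",            # bare address, becomes /32
        "192.0.2.0/24",
        "2620:0:2d0:200::/64",
        "10.0.0.0/12",           # unsupported, split into sixteen /16 ranges
        "2001:db8::/65",         # unsupported, too many /128 entries to split
        "not-an-ip",
    ]
    accepted, rejected = build_entries(candidates)
    print(f"{len(accepted)} entries to add:")
    for cidr in accepted:
        print("  ", cidr)
    for text, reason in rejected:
        print(f"rejected {text!r}: {reason}")
```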

## Editing IP match conditions
<a name="classic-web-acl-ip-conditions-editing"></a>

You can add an IP address range to an IP match condition or delete a range. To change a range, add a new one and delete the old one.<a name="classic-web-acl-ip-conditions-editing-procedure"></a>

**To edit an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. In the **IP match conditions** pane, choose the IP match condition that you want to edit.

1. To add an IP address range:

   1. In the right pane, choose **Add IP address or range**.

   1. Select the correct IP version and enter an IP address range by using CIDR notation. Here are some examples:
      + To specify the IPv4 address 192.0.2.44, enter **192.0.2.44/32**.
      + To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, enter **0:0:0:0:0:ffff:c000:22c/128**.
      + To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, enter **192.0.2.0/24**.
      + To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter **2620:0:2d0:200::/64**.

      AWS WAF Classic supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF Classic supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128. For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

   1. To add more IP addresses, choose **Add another IP address** and enter the value.

   1. Choose **Add**.

1. To delete an IP address or range:

   1. In the right pane, select the values that you want to delete.

   1. Choose **Delete IP address or range**.

## Deleting IP match conditions
<a name="classic-web-acl-ip-conditions-deleting"></a>

If you want to delete an IP match condition, you must first delete all IP addresses and ranges in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-ip-conditions-deleting-procedure"></a>

**To delete an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. In the **IP match conditions** pane, choose the IP match condition that you want to delete.

1. In the right pane, choose the **Rules** tab.

   If the list of rules using this IP match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the IP match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the IP match condition that you want to delete.

   1. In the right pane, select the IP match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the IP match condition that you want to delete.

   1. In the navigation pane, choose **IP match conditions**.

   1. In the **IP match conditions** pane, choose the IP match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with geographic match conditions
<a name="classic-web-acl-geo-conditions"></a>

If you want to allow or block web requests based on the country that the requests originate from, create one or more geo match conditions. A geo match condition lists countries that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those countries.

You can use geo match conditions with other AWS WAF Classic conditions or rules to build sophisticated filtering. For example, if you want to block certain countries, but still allow specific IP addresses from that country, you could create a rule containing a geo match condition and an IP match condition. Configure the rule to block requests that originate from that country and do not match the approved IP addresses. As another example, if you want to prioritize resources for users in a particular country, you could include a geo match condition in two different rate-based rules. Set a higher rate limit for users in the preferred country and set a lower rate limit for all other users.

**Note**  
If you are using the CloudFront geo restriction feature to block a country from accessing your content, any request from that country is blocked and is not forwarded to AWS WAF Classic. So if you want to allow or block requests based on geography plus other AWS WAF Classic conditions, you should *not* use the CloudFront geo restriction feature. Instead, you should use an AWS WAF Classic geo match condition.

**Topics**
+ [Creating a geo match condition](#classic-web-acl-geo-conditions-creating)
+ [Editing geo match conditions](#classic-web-acl-geo-conditions-editing)
+ [Deleting geo match conditions](#classic-web-acl-geo-conditions-deleting)

## Creating a geo match condition
<a name="classic-web-acl-geo-conditions-creating"></a>

If you want to allow some web requests and block others based on the countries that the requests originate from, create a geo match condition for the countries that you want to allow and another geo match condition for the countries that you want to block.

**Note**  
When you add a geo match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* originate from the country that you specify in the condition.<a name="classic-web-acl-geo-conditions-creating-procedure"></a>

**To create a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Geo match**.

1. Choose **Create condition**.

1. Enter a name in the **Name** field.

   The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

1. Choose a **Region**.

1. Choose a **Location type** and a country. **Location type** can currently only be **Country**.

1. Choose **Add location**.

1. Choose **Create**.

## Editing geo match conditions
<a name="classic-web-acl-geo-conditions-editing"></a>

You can add countries to or delete countries from your geo match condition.<a name="classic-web-acl-geo-conditions-editing-procedure"></a>

**To edit a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Geo match**.

1. In the **Geo match conditions** pane, choose the geo match condition that you want to edit.

1. To add a country:

   1. In the right pane, choose **Add filter**.

   1. Choose a **Location type** and a country. **Location type** can currently only be **Country**.

   1. Choose **Add**.

1. To delete a country:

   1. In the right pane, select the values that you want to delete.

   1. Choose **Delete filter**.

## Deleting geo match conditions
<a name="classic-web-acl-geo-conditions-deleting"></a>

If you want to delete a geo match condition, you must first remove all countries in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-geo-conditions-deleting-procedure"></a>

**To delete a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Remove the geo match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the geo match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the geo match condition that you want to delete.

1. Remove the filters from the condition you want to delete:

   1. In the navigation pane, choose **Geo match**.

   1. Choose the name of the geo match condition that you want to delete.

   1. In the right pane, choose the check box next to **Filter** in order to select all of the filters.

   1. Choose **Delete filter**.

1. In the navigation pane, choose **Geo match**.

1. In the **Geo match conditions** pane, choose the geo match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with size constraint conditions
<a name="classic-web-acl-size-conditions"></a>

If you want to allow or block web requests based on the length of specified parts of requests, create one or more size constraint conditions. A size constraint condition identifies the part of web requests that you want AWS WAF Classic to look at, the number of bytes that you want AWS WAF Classic to look for, and an operator, such as greater than (>) or less than (<). For example, you can use a size constraint condition to look for query strings that are longer than 100 bytes. Later in the process, when you create a web ACL, you specify whether to allow or block requests based on those settings.

Note that if you configure AWS WAF Classic to inspect the request body, for example, by searching the body for a specified string, AWS WAF Classic inspects only the first 8192 bytes (8 KB). If the request body for your web requests will never exceed 8192 bytes, you can create a size constraint condition and block requests that have a request body greater than 8192 bytes.

**Topics**
+ [Creating size constraint conditions](#classic-web-acl-size-conditions-creating)
+ [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values)
+ [Adding and deleting filters in a size constraint condition](#classic-web-acl-size-conditions-editing)
+ [Deleting size constraint conditions](#classic-web-acl-size-conditions-deleting)

## Creating size constraint conditions
<a name="classic-web-acl-size-conditions-creating"></a>

When you create size constraint conditions, you specify filters that identify the part of web requests for which you want AWS WAF Classic to evaluate the length. You can add more than one filter to a size constraint condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **One filter per size constraint condition** – When you add the separate size constraint conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  For example, suppose you create two conditions. One matches web requests for which query strings are greater than 100 bytes. The other matches web requests for which the request body is greater than 1024 bytes. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both conditions are true.
+ **More than one filter per size constraint condition** – When you add a size constraint condition that contains multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the size constraint condition for AWS WAF Classic to allow or block the request based on that condition.

  Suppose you create one condition instead of two, and the one condition contains the same two filters as in the preceding example. AWS WAF Classic allows or blocks requests if either the query string is greater than 100 bytes or the request body is greater than 1024 bytes.
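
The AND/OR behavior described above, modeled in Python as an added example (not AWS code and not part of the original documentation). The `Request` and `Filter` classes and all function names are hypothetical; the part and operator names mirror the WAF Classic API enums, and the body length is taken from the bytes supplied rather than from the request headers.

```python
"""Model of how size constraint filters, conditions and rules combine.
Added example; not AWS code."""
import operator
from dataclasses import dataclass

# Comparison operators, keyed by the WAF Classic API enum names.
OPS = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
       "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}


@dataclass
class Request:
    """Constructed stand-in for the parts of a web request that are measured."""
    uri: str = "/"
    query_string: str = ""
    body: bytes = b""


@dataclass
class Filter:
    part: str           # URI, QUERY_STRING, BODY, SINGLE_QUERY_ARG, ALL_QUERY_ARGS
    op: str             # key of OPS
    size: int           # length in bytes
    arg_name: str = ""  # query parameter name, SINGLE_QUERY_ARG only


def _query_pairs(query_string):
    """Split name=value pairs without decoding (transformation None)."""
    pairs = []
    for item in query_string.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def measured_values(req, flt):
    """Return every byte string whose length the filter compares."""
    if flt.part == "URI":
        return [req.uri.encode()]
    if flt.part == "QUERY_STRING":
        return [req.query_string.encode()]
    if flt.part == "BODY":
        return [req.body]
    pairs = _query_pairs(req.query_string)
    if flt.part == "SINGLE_QUERY_ARG":
        # The query parameter name is not case sensitive.
        wanted = flt.arg_name.lower()
        return [v.encode() for n, v in pairs if n.lower() == wanted]
    if flt.part == "ALL_QUERY_ARGS":
        return [v.encode() for _, v in pairs]
    raise ValueError(f"unsupported part: {flt.part}")


def filter_matches(req, flt):
    compare = OPS[flt.op]
    return any(compare(len(v), flt.size) for v in measured_values(req, flt))


def condition_matches(req, filters):
    """Several filters in one condition: matching any one is enough (OR)."""
    return any(filter_matches(req, f) for f in filters)


def rule_matches(req, conditions):
    """Several conditions in one rule: all must match (AND).

    conditions is a list of (filters, negated) pairs; negated=True models
    adding the condition to the rule as "does not match".
    """
    return all(condition_matches(req, fs) != neg for fs, neg in conditions)


# The two filters from the example in the text.
LONG_QUERY = Filter("QUERY_STRING", "GT", 100)
LARGE_BODY = Filter("BODY", "GT", 1024)
TWO_CONDITIONS = [([LONG_QUERY], False), ([LARGE_BODY], False)]   # AND
ONE_CONDITION = [([LONG_QUERY, LARGE_BODY], False)]               # OR
# Flags bodies longer than the 8192-byte inspection window.
OVERSIZE_BODY = [([Filter("BODY", "GT", 8192)], False)]

if __name__ == "__main__":
    # Constructed request: 150-byte query string, 10-byte body.
    req = Request(uri="/logo.jpg", query_string="q=" + "a" * 148, body=b"x" * 10)
    print("two conditions (AND):", rule_matches(req, TWO_CONDITIONS))
    print("one condition (OR): ", rule_matches(req, ONE_CONDITION))
    print("body > 8192:        ", rule_matches(Request(body=b"x" * 9000), OVERSIZE_BODY))
```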

**Note**  
When you add a size constraint condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.<a name="classic-web-acl-size-conditions-creating-procedure"></a>

**To create a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraints**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create size constraint condition**.

## Values that you specify when you create or edit size constraint conditions
<a name="classic-web-acl-size-conditions-values"></a>

When you create or update a size constraint condition, you specify the following values: 

**Name**  
Enter a name for the size constraint condition.  
The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: `` _-!"#`+*},./ ``. You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request for which you want AWS WAF Classic to evaluate the length:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)**, you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the values of all parameters within the query string for the size constraint. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* exceeds the specified size. 

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or type the name of a header for which you want AWS WAF Classic to evaluate the length.

**Comparison operator**  
Choose how you want AWS WAF Classic to evaluate the length of the specified part of web requests with respect to the value that you specify for **Size**.  
For example, if you choose **Is greater than** for **Comparison operator** and type **100** for **Size**, AWS WAF Classic evaluates web requests for a query string that is longer than 100 bytes.

**Size**  
Enter the length, in bytes, that you want AWS WAF Classic to watch for in the specified part of web requests.  
If you choose **URI** for the value of **Part of the request to filter on**, the **/** in the URI counts as one character. For example, the URI path `/logo.jpg` is nine characters long.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic evaluates the length of the specified part of the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
If you choose **Body** for **Part of the request to filter on**, you can't configure AWS WAF Classic to perform a transformation because only the first 8192 bytes are forwarded for inspection. However, you can still filter your traffic based on the size of the HTTP request body and specify a transformation of **None**. (AWS WAF Classic gets the length of the body from the request headers.)
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before checking the length.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: `\` `"` `'` `^`
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

## Adding and deleting filters in a size constraint condition
<a name="classic-web-acl-size-conditions-editing"></a>

You can add or delete filters in a size constraint condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-size-conditions-editing-procedure"></a>

**To add or delete filters in a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraint**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting size constraint conditions
<a name="classic-web-acl-size-conditions-deleting"></a>

If you want to delete a size constraint condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-size-conditions-deleting-procedure"></a>

**To delete a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraints**.

1. In the **Size constraint conditions** pane, choose the size constraint condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this size constraint condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the size constraint condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the size constraint condition that you want to delete.

   1. In the right pane, select the size constraint condition that you want to remove from the rule, and then choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the size constraint condition that you want to delete.

   1. In the navigation pane, choose **Size constraint**.

   1. In the **Size constraint conditions** pane, choose the size constraint condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with SQL injection match conditions
<a name="classic-web-acl-sql-conditions"></a>

Attackers sometimes insert malicious SQL code into web requests in an effort to extract data from your database. To allow or block web requests that appear to contain malicious SQL code, create one or more SQL injection match conditions. A SQL injection match condition identifies the part of web requests, such as the URI path or the query string, that you want AWS WAF Classic to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code.

**Topics**
+ [Creating SQL injection match conditions](#classic-web-acl-sql-conditions-creating)
+ [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values)
+ [Adding and deleting filters in a SQL injection match condition](#classic-web-acl-sql-conditions-editing)
+ [Deleting SQL injection match conditions](#classic-web-acl-sql-conditions-deleting)

## Creating SQL injection match conditions
<a name="classic-web-acl-sql-conditions-creating"></a>

When you create SQL injection match conditions, you specify filters, which indicate the part of web requests that you want AWS WAF Classic to inspect for malicious SQL code, such as the URI or the query string. You can add more than one filter to a SQL injection match condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **More than one filter per SQL injection match condition (recommended)** – When you add a SQL injection match condition containing multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the SQL injection match condition for AWS WAF Classic to allow or block the request based on that condition.

  For example, suppose you create one SQL injection match condition, and the condition contains two filters. One filter instructs AWS WAF Classic to inspect the URI for malicious SQL code, and the other instructs AWS WAF Classic to inspect the query string. AWS WAF Classic allows or blocks requests if they appear to contain malicious SQL code *either* in the URI *or* in the query string.
+ **One filter per SQL injection match condition** – When you add the separate SQL injection match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  Suppose you create two conditions, and each condition contains one of the two filters in the preceding example. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both the URI and the query string appear to contain malicious SQL code.

**Note**  
When you add a SQL injection match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* appear to contain malicious SQL code.<a name="classic-web-acl-sql-conditions-creating-procedure"></a>

**To create a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create**.

## Values that you specify when you create or edit SQL injection match conditions
<a name="classic-web-acl-sql-conditions-values"></a>

When you create or update a SQL injection match condition, you specify the following values: 

**Name**  
The name of the SQL injection match condition.  
The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: `` _-!"#`+*},./ ``. You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for malicious SQL code:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
For SQL injection match conditions, we recommend that you choose **All query parameters (values only)** instead of **Query string** for **Part of the request to filter on**.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for possible malicious SQL code. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* contains possible malicious SQL code. 

**Header**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect for malicious SQL code.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for malicious SQL code.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: `\` `"` `'` `^`
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.
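
The transformations listed here and in the size constraint section, modeled in Python as an added example (not AWS code and not part of the original documentation). Function names are hypothetical, the `TRANSFORMS` keys follow the WAF Classic API names for the console options, `&quot;` is decoded to a double quote, and the order of steps inside each transformation is an assumption.

```python
"""Model of the text transformations listed in the text.
Added example; not AWS code. Step order and edge cases are assumptions."""
import re
import string
from urllib.parse import unquote

_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)
_CMD_DELETE = str.maketrans("", "", "\\\"'^")   # the characters \ " ' ^
_NAMED = {"quot": '"', "nbsp": "\u00a0", "lt": "<", "gt": ">"}
# One pass over named, hexadecimal (&#xhhhh;) and decimal (&#nnnn;) entities.
_ENTITY = re.compile(r"&(quot|nbsp|lt|gt|#x[0-9A-Fa-f]{1,4}|#[0-9]{1,4});")


def lowercase(text):
    """Convert A-Z to a-z and leave every other character alone."""
    return text.translate(_LOWER)


def html_decode(text):
    """Decode only the entities the list names; anything else is kept."""
    def replace(match):
        entity = match.group(1)
        if entity.startswith("#x"):
            return chr(int(entity[2:], 16))
        if entity.startswith("#"):
            return chr(int(entity[1:]))
        return _NAMED[entity]
    return _ENTITY.sub(replace, text)


def normalize_white_space(text):
    """Map \\f \\t \\n \\r \\v and U+00A0 to a space, then collapse runs."""
    return re.sub(" {2,}", " ", re.sub("[\f\t\n\r\v\u00a0]", " ", text))


def simplify_command_line(text):
    text = text.translate(_CMD_DELETE)        # delete \ " ' ^
    text = re.sub(r" +(?=[/(])", "", text)    # delete spaces before / and (
    text = re.sub(r"[,;]", " ", text)         # , and ; become a space
    text = re.sub(" {2,}", " ", text)         # collapse multiple spaces
    return lowercase(text)


def url_decode(text):
    # Assumption: plain percent-decoding; "+" is left as it is.
    return unquote(text)


TRANSFORMS = {
    "NONE": lambda text: text,
    "LOWERCASE": lowercase,
    "HTML_ENTITY_DECODE": html_decode,
    "COMPRESS_WHITE_SPACE": normalize_white_space,
    "CMD_LINE": simplify_command_line,
    "URL_DECODE": url_decode,
}


def inspected(value, transformation):
    """Return the text that is inspected after the single chosen transformation."""
    return TRANSFORMS[transformation](value)


def measured_size(value, transformation):
    """Length in bytes that a size constraint filter compares against Size."""
    return len(inspected(value, transformation).encode("utf-8", "surrogatepass"))


if __name__ == "__main__":
    samples = [  # constructed values
        ("URL_DECODE", "%41" * 40),
        ("HTML_ENTITY_DECODE", "&lt;b&gt;&#x41;&#66;&quot;"),
        ("COMPRESS_WHITE_SPACE", "a\t\t b\u00a0\nc"),
        ("CMD_LINE", 'ECHO  "Hello" ;world /x'),
    ]
    for name, raw in samples:
        print(name, measured_size(raw, "NONE"), "->", measured_size(raw, name),
              repr(inspected(raw, name)))
```

The first sample is 120 bytes as received and 40 bytes after **URL decode**, so a "greater than 100" size filter matches it only when the transformation is **None**.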

## Adding and deleting filters in a SQL injection match condition
<a name="classic-web-acl-sql-conditions-editing"></a>

You can add or delete filters in a SQL injection match condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-sql-conditions-editing-procedure"></a>

**To add or delete filters in a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting SQL injection match conditions
<a name="classic-web-acl-sql-conditions-deleting"></a>

If you want to delete a SQL injection match condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-sql-conditions-deleting-procedure"></a>

**To delete a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. In the **SQL injection match conditions** pane, choose the SQL injection match condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this SQL injection match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the SQL injection match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the SQL injection match condition that you want to delete.

   1. In the right pane, select the SQL injection match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all of the remaining rules that are using the SQL injection match condition that you want to delete.

   1. In the navigation pane, choose **SQL injection**.

   1. In the **SQL injection match conditions** pane, choose the SQL injection match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with string match conditions
<a name="classic-web-acl-string-conditions"></a>

If you want to allow or block web requests based on strings that appear in the requests, create one or more string match conditions. A string match condition identifies the string that you want to search for and the part of web requests, such as a specified header or the query string, that you want AWS WAF Classic to inspect for the string. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the string.

**Topics**
+ [Creating a string match condition](#classic-web-acl-string-conditions-creating)
+ [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values)
+ [Adding and deleting filters in a string match condition](#classic-web-acl-string-conditions-editing)
+ [Deleting string match conditions](#classic-web-acl-string-conditions-deleting)

## Creating a string match condition
<a name="classic-web-acl-string-conditions-creating"></a>

When you create string match conditions, you specify filters that identify the string that you want to search for and the part of web requests that you want AWS WAF Classic to inspect for that string, such as the URI or the query string. You can add more than one filter to a string match condition, or you can create a separate string match condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **One filter per string match condition** – When you add the separate string match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  For example, suppose you create two conditions. One matches web requests that contain the value `BadBot` in the `User-Agent` header. The other matches web requests that contain the value `BadParameter` in query strings. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when they contain both values.
+ **More than one filter per string match condition** – When you add a string match condition that contains multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the string match condition for AWS WAF Classic to allow or block the request based on the one condition.

  Suppose you create one condition instead of two, and the one condition contains the same two filters as in the preceding example. AWS WAF Classic allows or blocks requests if they contain *either* `BadBot` in the `User-Agent` header *or* `BadParameter` in the query string.

**Note**  
When you add a string match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.<a name="classic-web-acl-string-conditions-creating-procedure"></a>

**To create a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values).

1. Choose **Add filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create**.

## Values that you specify when you create or edit string match conditions
<a name="classic-web-acl-string-conditions-values"></a>

When you create or update a string match condition, you specify the following values: 

**Name**  
Enter a name for the string match condition. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: `` _-!"#`+*},./ ``. You can't change the name of a condition after you create it.

**Type**  
Choose **String match**.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for the string that you specify in **Value to match**:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If duplicate parameters appear in the query string, the values are evaluated as an "OR." That is, either value will trigger a match. For example, in the URL "www.xyz.com?SalesRegion=boston&SalesRegion=seattle", either "boston" or "seattle" in **Value to match** will trigger a match.  
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for the **Value to match**. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* is specified as the **Value to match**. 

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** from the **Part of the request to filter on** list, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect.

**Match type**  
Within the part of the request that you want AWS WAF Classic to inspect, choose where the string in **Value to match** must appear to match this filter:    
**Contains**  
The string appears anywhere in the specified part of the request.   
**Contains word**  
The specified part of the web request must include **Value to match**, and **Value to match** must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or _). In addition, **Value to match** must be a word, which means one of the following:   
+ **Value to match** exactly matches the value of the specified part of the web request, such as the value of a header.
+ **Value to match** is at the beginning of the specified part of the web request and is followed by a character other than an alphanumeric character or underscore (_), for example, `BadBot;`.
+ **Value to match** is at the end of the specified part of the web request and is preceded by a character other than an alphanumeric character or underscore (_), for example, `;BadBot`.
+ **Value to match** is in the middle of the specified part of the web request and is preceded and followed by characters other than alphanumeric characters or underscore (_), for example, `-BadBot;`.  
**Exactly matches**  
The string and the value of the specified part of the request are identical.  
**Starts with**  
The string appears at the beginning of the specified part of the request.   
**Ends with**  
The string appears at the end of the specified part of the request. 

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `&`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ \f, formfeed, decimal 12
+ \t, tab, decimal 9
+ \n, newline, decimal 10
+ \r, carriage return, decimal 13
+ \v, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:  
+ Delete the following characters: \ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

**Value is base64 encoded**  
If the value in **Value to match** is base64-encoded, select this check box. Use base64-encoding to specify non-printable characters, such as tabs and linefeeds, that attackers include in their requests.

**Value to match**  
Specify the value that you want AWS WAF Classic to search for in web requests. The maximum length is 50 bytes. If you're base64-encoding the value, the 50-byte maximum length applies to the value before you encode it.
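The following added example (not AWS code, and not part of the original documentation) approximates the match types, several of the transformations, and the query parameter handling described above, so that a filter can be checked against sample requests before it is deployed. The function names, the step order inside **Simplify command line**, and the use of standard percent-decoding for **URL decode** are assumptions; **HTML decode** is not modeled.

```python
import re
import string
from urllib.parse import unquote

_TO_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)

def normalize_white_space(s):
    # \f \t \n \r \v and the non-breaking space (decimal 160) become a space,
    # then runs of spaces collapse to one.
    return re.sub(r" {2,}", " ", re.sub(r"[\f\t\n\r\v\xa0]", " ", s))

def simplify_command_line(s):
    # Steps run in the order the page lists them (an assumption).
    s = s.translate({ord(c): None for c in "\\\"'^"})   # delete \ " ' ^
    s = re.sub(r" +(?=[/(])", "", s)                    # drop spaces before / and (
    s = re.sub(r"[,;]", " ", s)                         # , and ; become a space
    s = re.sub(r" {2,}", " ", s)                        # collapse runs of spaces
    return s.translate(_TO_LOWER)                       # A-Z -> a-z

TRANSFORMATIONS = {
    "None": lambda s: s,
    "Convert to lowercase": lambda s: s.translate(_TO_LOWER),
    "Normalize white space": normalize_white_space,
    "Simplify command line": simplify_command_line,
    "URL decode": unquote,   # stand-in: standard percent-decoding (assumption)
}

def value_matches(data, match_type, target):
    """Apply one of the page's match types to an already transformed string."""
    if len(target.encode("utf-8")) > 50:
        raise ValueError("Value to match is limited to 50 bytes")
    if match_type == "Contains":
        return target in data
    if match_type == "Exactly matches":
        return data == target
    if match_type == "Starts with":
        return data.startswith(target)
    if match_type == "Ends with":
        return data.endswith(target)
    if match_type == "Contains word":
        if not re.fullmatch(r"[A-Za-z0-9_]+", target):
            raise ValueError("Contains word needs an alphanumeric/underscore value")
        # A word is delimited by the edge of the string or a non-word character.
        word = rf"(?<![A-Za-z0-9_]){target}(?![A-Za-z0-9_])"
        return re.search(word, data) is not None
    raise ValueError(f"unknown match type: {match_type}")

def query_param_values(query, name=None):
    """Values of one parameter (name is case-insensitive) or of all (name=None)."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if name is None or key.lower() == name.lower():
            values.append(value)
    return values

def filter_matches(values, transformation, match_type, target):
    # Duplicate parameters are ORed: one matching value is enough.
    transform = TRANSFORMATIONS[transformation]
    return any(value_matches(transform(v), match_type, target) for v in values)

# Constructed sample inputs (not taken from real traffic)
USER_AGENT = "Mozilla/5.0 -BadBot; crawler"
QUERY = "SalesRegion=boston&salesregion=seattle&UserName=abc"
```

Running the same sample value through **None** and through the transformation you plan to use shows whether the filter depends on the transformation to match.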

## Adding and deleting filters in a string match condition
<a name="classic-web-acl-string-conditions-editing"></a>

You can add filters to a string match condition or delete filters. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-string-conditions-editing-procedure"></a>

**To add or delete filters in a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete Filter**.

## Deleting string match conditions
<a name="classic-web-acl-string-conditions-deleting"></a>

If you want to delete a string match condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-string-conditions-deleting-procedure"></a>

**To delete a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Remove the string match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the string match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the string match condition that you want to delete.

1. Remove the filters from the condition you want to delete:

   1. In the navigation pane, choose **String and regex matching**.

   1. Choose the name of the string match condition that you want to delete.

   1. In the right pane, choose the check box next to **Filter** in order to select all of the filters.

   1. Choose **Delete filter**.

1. In the navigation pane, choose **String and regex matching**.

1. In the **String and regex match conditions** pane, choose the string match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with regex match conditions
<a name="classic-web-acl-regex-conditions"></a>

If you want to allow or block web requests based on strings that match a regular expression (regex) pattern that appears in the requests, create one or more regex match conditions. A regex match condition is a type of string match condition that identifies the pattern that you want to search for and the part of web requests, such as a specified header or the query string, that you want AWS WAF Classic to inspect for the pattern. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the pattern.

**Topics**
+ [Creating a regex match condition](#classic-web-acl-regex-conditions-creating)
+ [Values that you specify when you create or edit RegEx match conditions](#classic-web-acl-regex-conditions-values)
+ [Editing a regex match condition](#classic-web-acl-regex-conditions-editing)

## Creating a regex match condition
<a name="classic-web-acl-regex-conditions-creating"></a>

When you create regex match conditions, you specify pattern sets that identify the string (using a regular expression) that you want to search for. You then add those pattern sets to filters that specify the part of web requests that you want AWS WAF Classic to inspect for that pattern set, such as the URI or the query string.

You can add multiple regular expressions to a single pattern set. If you do so, those expressions are combined with an *OR*. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.

When you add a regex match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.

AWS WAF Classic supports most [standard Perl Compatible Regular Expressions (PCRE)](http://www.pcre.org/). However, the following are not supported:
+ Backreferences and capturing subexpressions
+ Arbitrary zero-width assertions
+ Subroutine references and recursive patterns
+ Conditional patterns
+ Backtracking control verbs
+ The \C single-byte directive
+ The \R newline match directive
+ The \K start of match reset directive
+ Callouts and embedded code
+ Atomic grouping and possessive quantifiers<a name="classic-web-acl-regex-conditions-creating-procedure"></a>

**To create a regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit RegEx match conditions](#classic-web-acl-regex-conditions-values).

1. Choose **Create pattern set and add filter** (if you created a new pattern set) or **Add filter** if you used an existing pattern set.

1. Choose **Create**.

## Values that you specify when you create or edit RegEx match conditions
<a name="classic-web-acl-regex-conditions-values"></a>

When you create or update a regex match condition, you specify the following values: 

**Name**  
Enter a name for the regex match condition. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \$1-\$1"\$1`\$1\$1\$1,./. You can't change the name of a condition after you create it.

**Type**  
Choose **Regex match**.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for the pattern that you specify in **Value to match**:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If duplicate parameters appear in the query string, the values are evaluated as an "OR." That is, either value will trigger a match. For example, in the URL "www.xyz.com?SalesRegion=boston&SalesRegion=seattle", a pattern that matches either "boston" or "seattle" in **Value to match** will trigger a match.  
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for the pattern specified in the **Value to match**. For example, in the URL "www.xyz.com?UserName=abc&SalesRegion=seattle", a pattern in **Value to match** that matches either the value in *UserName* or *SalesRegion* will trigger a match.

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** from the **Part of the request to filter on** list, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `&`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ \f, formfeed, decimal 12
+ \t, tab, decimal 9
+ \n, newline, decimal 10
+ \r, carriage return, decimal 13
+ \v, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:  
+ Delete the following characters: \ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

**Regex pattern to match to request**  
You can choose an existing pattern set, or create a new one. If you create a new one, specify the following:    
**New pattern set name**  
Enter a name and then specify the regex pattern that you want AWS WAF Classic to search for.   
If you add multiple regular expressions to a pattern set, those expressions are combined with an *OR*. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.  
The maximum length of **Value to match** is 70 characters. 
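The following added example (not AWS code, and not part of the original documentation) is a heuristic pre-deployment check that flags the PCRE features listed as unsupported earlier in this section and patterns longer than the 70-character limit. The function names and sample patterns are constructed for illustration; it flags named capture groups but not plain `( )` groups, on the assumption that plain groups are used for grouping only.

```python
import re

MAX_PATTERN_LENGTH = 70  # limit stated on this page

# Checked against the text that follows an unescaped "(" outside a character class.
GROUP_CHECKS = [
    (r"\?<?[=!]", "zero-width assertion"),
    (r"\?>", "atomic group"),
    (r"\?\(", "conditional pattern"),
    (r"\?(R|[+-]?\d+|&\w+|P>\w+)\)", "subroutine reference or recursion"),
    (r"\?P=\w+\)", "backreference"),
    (r"\?(P?<\w|')", "named capturing subexpression"),
    (r"\?C\d*\)", "callout"),
    (r"\*(ACCEPT|COMMIT|FAIL|F|PRUNE|SKIP|THEN)\b", "backtracking control verb"),
]
ESCAPE_CHECKS = {
    "C": r"\C single-byte directive",
    "R": r"\R newline match directive",
    "K": r"\K start of match reset directive",
    "g": "backreference or subroutine reference",
    "k": "backreference",
}

def lint_pattern(pattern):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(pattern) > MAX_PATTERN_LENGTH:
        findings.append(f"longer than {MAX_PATTERN_LENGTH} characters")
    i, in_class, after_quantifier = 0, False, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if not in_class:
                if nxt in ESCAPE_CHECKS:
                    findings.append(ESCAPE_CHECKS[nxt])
                elif nxt in "123456789":
                    findings.append("backreference")
            i, after_quantifier = i + 2, False
            continue
        is_quantifier = ch in "*+?}" and not in_class
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            # "^" and a leading "]" directly after "[" do not close the class
            if pattern.startswith("^", i + 1):
                i += 1
            if pattern.startswith("]", i + 1):
                i += 1
        elif ch == "(":
            rest = pattern[i + 1:]
            findings += [label for rx, label in GROUP_CHECKS if re.match(rx, rest)][:1]
        elif ch == "+" and after_quantifier:
            findings.append("possessive quantifier")
            is_quantifier = False  # this "+" modified the previous quantifier
        after_quantifier = is_quantifier
        i += 1
    return findings

def lint_pattern_set(patterns):
    """Map each flagged pattern in a pattern set to its findings."""
    return {p: f for p in patterns if (f := lint_pattern(p))}

# Constructed sample pattern set (not from the page)
SAMPLE_PATTERN_SET = [
    r"^/admin/(login|console)\.php$",
    r"(?i)bad(?=bot)",
    r"(\w+)=\1",
    r"a++b",
]
```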

## Editing a regex match condition
<a name="classic-web-acl-regex-conditions-editing"></a>

You can make the following changes to an existing regex match condition:
+ Delete a pattern from an existing pattern set
+ Add a pattern to an existing pattern set
+ Delete a filter from an existing regex match condition
+ Add a filter to an existing regex match condition (You can have only one filter in a regex match condition. Therefore, in order to add a filter, you must delete the existing filter first.)
+ Delete an existing regex match condition

**Note**  
You cannot add or delete a pattern set from an existing filter. You must either edit the pattern set, or delete the filter and create a new filter with a new pattern set.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-pattern"></a>

**To delete a pattern from an existing pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **View regex pattern sets**.

1. Choose the name of the pattern set you want to edit.

1. Choose **Edit**.

1. Choose the **X** next to the pattern you want to delete.

1. Choose **Save**.<a name="classic-web-acl-regex-conditions-editing-procedure-add-pattern"></a>

**To add a pattern to an existing pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **View regex pattern sets**.

1. Choose the name of the pattern set to edit.

1. Choose **Edit**.

1. Enter a new regex pattern.

1. Choose the **+** next to the new pattern.

1. Choose **Save**.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-filter"></a>

**To delete a filter from an existing regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose the name of the condition with the filter you want to delete.

1. Choose the box next to the filter you want to delete.

1. Choose **Delete filter**.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-regex-condition"></a>

**To delete a regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Delete the filter from the regex condition. For instructions, see [To delete a filter from an existing regex match condition](#classic-web-acl-regex-conditions-editing-procedure-delete-filter).

1. Remove the regex match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the regex match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the regex match condition that you want to delete.

1. In the navigation pane, choose **String and regex matching**.

1. Select the button next to the condition you want to delete.

1. Choose **Delete**.<a name="classic-web-acl-regex-conditions-editing-procedure-add-filter"></a>

**To add or change a filter in an existing regex match condition**

You can have only one filter in a regex match condition. If you want to add or change the filter, you must first delete the existing filter.

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Delete the filter from the regex condition you want to change. For instructions, see [To delete a filter from an existing regex match condition](#classic-web-acl-regex-conditions-editing-procedure-delete-filter).

1. In the navigation pane, choose **String and regex matching**.

1. Choose the name of the condition you want to change.

1. Choose **Add filter**.

1. Enter the appropriate values for the new filter and choose **Add**.