Note
AWS WAF Classic support will end on September 30, 2025.
This is AWS WAF Classic documentation. For more information, see AWS WAF Classic in the developer guide.
For the latest version of AWS WAF , use the AWS WAFV2 API and see the AWS WAF Developer Guide. With the latest version, AWS WAF has a single set of endpoints for regional and global use.
A complex type that contains XssMatchTuple objects, which specify the parts of web requests that you
want AWS WAF to inspect for cross-site scripting attacks and, if you want AWS WAF to inspect a header, the name of the header. If a
XssMatchSet contains more than one XssMatchTuple object, a request needs to
include cross-site scripting attacks in only one of the specified parts of the request to be considered a match.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"Type" : "AWS::WAF::XssMatchSet",
"Properties" : {
"Name" : String,
"XssMatchTuples" : [ XssMatchTuple, ... ]
}
}
YAML
Type: AWS::WAF::XssMatchSet
Properties:
Name: String
XssMatchTuples:
- XssMatchTuple
Properties
Name-
The name, if any, of the
XssMatchSet.Required: Yes
Type: String
Pattern:
.*\S.*Minimum:
1Maximum:
128Update requires: Replacement
XssMatchTuples-
Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.
Required: Yes
Type: Array of XssMatchTuple
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Examples
Define Which Part of a Request to Check for Cross-site Scripting
The following example looks for cross-site scripting in the URI or query string of an HTTP request.
JSON
"DetectXSS": {
"Type": "AWS::WAF::XssMatchSet",
"Properties": {
"Name": "XssMatchSet",
"XssMatchTuples": [
{
"FieldToMatch": {
"Type": "URI"
},
"TextTransformation": "NONE"
},
{
"FieldToMatch": {
"Type": "QUERY_STRING"
},
"TextTransformation": "NONE"
}
]
}
}YAML
DetectXSS:
Type: "AWS::WAF::XssMatchSet"
Properties:
Name: "XssMatchSet"
XssMatchTuples:
-
FieldToMatch:
Type: "URI"
TextTransformation: "NONE"
-
FieldToMatch:
Type: "QUERY_STRING"
TextTransformation: "NONE"Associate an XssMatchSet with a Web ACL Rule
The following example associates the DetectXSS match set with a web access control list (ACL) rule.
JSON
"XSSRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "XSSRule",
"MetricName" : "XSSRule",
"Predicates": [
{
"DataId" : { "Ref" : "DetectXSS" },
"Negated" : false,
"Type" : "XssMatch"
}
]
}
}YAML
XSSRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "XSSRule"
MetricName: "XSSRule"
Predicates:
-
DataId:
Ref: "DetectXSS"
Negated: false
Type: "XssMatch"Create a Web ACL
The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests except for ones that contain cross-site scripting in the URI or query string of an HTTP request.
JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "Web ACL to block cross-site scripting",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "DetectXSSWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "XSSRule" }
}
]
}
}YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "Web ACL to block cross-site scripting"
DefaultAction:
Type: "ALLOW"
MetricName: "DetectXSSWebACL"
Rules:
-
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "XSSRule"