Customizing OWASP Rules in Application Gateway
There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.
Doug Munford commented
I have the same issue with Rule 920420 from the OWASP 3.1 set, which limits accepted content types. Microsoft have implemented the default set without any way to add overrides. This is a shame as the OWASP codebase allows configuration but this is not exposed to us in the current implementation.
Is there any possibility now to allow further methods?