
AWS WAF Enhances Security with URI Fragment Matching for Fine-Grained Access Control


AWS WAF now includes support for URI fragment field matching, allowing customers to inspect and apply rules based on the URI fragment in addition to the already supported URI path.

Previously, AWS WAF allowed users to inspect requests and compare them against predefined conditions, but matching against the URI fragment (the portion of a URL after the # symbol) was not possible. Since URI fragments are often used to navigate to specific sections within a webpage and are generally not included in the initial request to the server, customers have sought the ability to analyze and filter them for enhanced security.

With this new feature, users can define rules that check for specific fragments. For example, if a login page includes a dynamic fragment like "foo://login.aspx#myFragment", a rule can be created to permit only requests containing #myFragment while blocking others. This improves security by restricting access to sensitive sections, detecting unauthorized attempts, and enhancing bot mitigation through fragment pattern analysis.
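The login-page rule described above, written as a WAF rule in the JSON that the wafv2 API and CLI accept; this is an added illustration, not a configuration from the announcement or from AWS. It assumes the fragment is exposed as the `UriFragment` field-to-match (with its optional `FallbackBehavior`) and that the rule name, priority and metric name are placeholders to be adapted.

```json
{
  "Name": "BlockLoginWithoutExpectedFragment",
  "Priority": 10,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockLoginWithoutExpectedFragment"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "ENDS_WITH",
            "SearchString": "/login.aspx",
            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "ByteMatchStatement": {
                "FieldToMatch": { "UriFragment": { "FallbackBehavior": "NO_MATCH" } },
                "PositionalConstraint": "EXACTLY",
                "SearchString": "myFragment",
                "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
              }
            }
          }
        }
      ]
    }
  }
}
```

A request to /login.aspx with no fragment at all (which is what a standard browser sends) fails the inner match and is therefore blocked by the NotStatement, so deploy the rule with a Count action first and review the sampled requests before switching to Block.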

This feature is available in all AWS regions where WAF is supported and does not incur additional costs beyond the standard AWS WAF pricing. For more details on pricing and implementation, refer to the AWS WAF Pricing page and the Developer Guide.

Why This Matters

  • Previously: AWS WAF could only inspect the URI path, not the fragment.
  • Now: You can create rules that inspect and enforce conditions based on the fragment (e.g., example.com/page#section).

Use Cases

  1. Restricting Access: Allow only specific users or systems to access certain fragments (#admin-panel).
  2. Bot & Threat Detection: Malicious actors often use unique URI fragments in attacks. Now, AWS WAF can inspect them.
  3. Enhanced Security Controls: Prevent unauthorized access attempts to sensitive areas of a site.

What to Keep in Mind

  • Fragments (#xyz) are not sent to the server in standard HTTP requests: browsers strip everything after the # before sending. For AWS WAF to inspect a fragment, the request must actually carry it at the application level (e.g., via JavaScript, headers, or other mechanisms).
  • Available in all AWS Regions where AWS WAF is supported.
  • No extra cost, but standard AWS WAF pricing applies.

What is AWS WAF?

AWS Web Application Firewall (AWS WAF) is a cloud-native security service that helps protect web applications and APIs from common threats such as SQL injection, cross-site scripting (XSS), and bot attacks. It allows users to define custom security rules to filter and monitor incoming traffic based on criteria like IP addresses, HTTP headers, query strings, and now URI fragments. AWS WAF integrates seamlessly with services like Amazon CloudFront, Application Load Balancer (ALB), and API Gateway, providing real-time protection without impacting application performance. With managed rules, rate limiting, and bot mitigation, AWS WAF enables organizations to strengthen security, prevent unauthorized access, and reduce malicious traffic at scale.
