How to block cookies that are not asked for by my applications

Street41akaFerro 0 Reputation points
2025-05-05T09:23:35.7466667+00:00

Hello,

I have an Application Gateway with the OWASP 3.2 default rule set activated. I discovered that some browsers send request cookies that are not asked for by my applications, and most of them are recognized as SQL injections. Is there a way to avoid this? We can't control anyone's browser settings, so I expect that probably the only way to resolve this is to rewrite the header to avoid external cookies being presented by the browsers. Has anyone resolved this kind of scenario?

Andrea

Azure Application Gateway

2 answers

  1. Shravan Addagatla 690 Reputation points Microsoft External Staff Moderator
    2025-05-05T11:10:45.0633333+00:00

    Hello Street41akaFerro/Andrea,

    I understand that you're facing an issue where unwanted cookies sent by browsers are being identified as SQL injections by the WAF policy.

    Here are a few ways you might mitigate this kind of issue:

    • Please check your application's cookie policies and make sure you're only allowing cookies that are essential for your application's functionality.
    • Implementing a Content Security Policy can help mitigate the impact by specifying which domains are permitted to send cookies. While this might not completely block cookies, it can reduce the risk of injections by restricting where cookies can be loaded from.
    • You can try to rewrite or filter out unwanted cookies at the application level. This may involve examining incoming requests and removing any cookies that were not expected from the browser.
    • Log the cookies sent to your application to help identify patterns or specific browsers and configurations responsible for these unwanted requests.
    • Although you can't control the browser settings, you should alert your users if they are sending unwanted cookies (such as through an error message) or provide guidance on adjusting their settings if they have control over them.
    • You can try Rule Exclusions in your WAF policy, which can help in this scenario. By using exclusions, you can fine-tune how OWASP 3.2 rules are applied so that legitimate traffic, like certain cookies that aren't actually malicious, doesn't get blocked.
    • You can configure exclusions to ignore specific cookie headers that are falsely triggering SQL Injection detections. Instead of turning off entire rulesets, you can exclude traffic from triggering specific rules, reducing false positives.
    • If certain browsers or known clients are sending these unintended cookies, you might be able to allow them without compromising security.
    • Also, you should be cautious when applying exclusions—make sure you’re not inadvertently exposing your application to actual threats. Have you considered logging and analyzing these requests to pinpoint which cookies are problematic? That could help refine your exclusion strategy.

    I hope this clarifies things! If you have any additional questions or need further assistance, just add a comment below so that we can address them.


    Please click "Accept" on the answer if any answer/reply helped, so that others in the community facing similar issues can easily find the solution. This can be beneficial to other community members.

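    Added example (not from the answer above and not Microsoft's code): what the "rewrite or filter out unwanted cookies at the application level" suggestion looks like as a small Python allowlist filter over the Cookie request header. The function names, the cookie names in APP_COOKIES and the sample header are invented for illustration.

```python
"""Allowlist filter for the Cookie request header.

Added example for this thread: keeps only the cookies the application
actually sets and drops everything else, so stray cookies from browser
extensions or sibling sites on the same domain never reach backend code.
Cookie names and the sample header below are constructed.
"""
from typing import Iterable


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, in order.

    Loosely follows RFC 6265 section 4.2.1: pairs are separated by ';',
    the first '=' separates name from value (so values may contain '='),
    and segments without '=' or with an empty name are discarded rather
    than raising, because a broken extra cookie should not 500 the app.
    """
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        pairs.append((name, value.strip()))
    return pairs


def filter_cookie_header(header: str, allowed: Iterable[str]) -> tuple[str, list[str]]:
    """Return (filtered Cookie header, names that were dropped).

    Matching is case-sensitive because cookie names are: 'SessionId' and
    'sessionid' are different cookies. Allowed values pass through
    untouched; the goal is to remove unexpected cookies, not to sanitize
    the ones the application relies on.
    """
    allowed_set = set(allowed)
    kept, dropped = [], []
    for name, value in parse_cookie_header(header):
        if name in allowed_set:
            kept.append(f"{name}={value}")
        else:
            dropped.append(name)
    return "; ".join(kept), dropped


# Constructed sample: the app only knows its own session and anti-forgery
# cookies; the other two are typical of tracking scripts, and one carries
# a value SQL-ish enough to trip a CRS 942xxx rule.
APP_COOKIES = ("ASP.NET_SessionId", "__RequestVerificationToken")
SAMPLE_HEADER = (
    "ASP.NET_SessionId=abc123; _ga=GA1.2.1; "
    "lastsearch=1' OR '1'='1; __RequestVerificationToken=tok=en"
)

if __name__ == "__main__":
    new_header, removed = filter_cookie_header(SAMPLE_HEADER, APP_COOKIES)
    print("forwarded:", new_header)
    print("dropped:  ", removed)
```

    One caveat worth keeping in mind: the application only sees the request after the gateway has already evaluated it, so a filter like this keeps stray cookies out of application code but cannot on its own stop the WAF in front of it from matching them; the WAF-side fix is the exclusion approach described above.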

  2. Alex Burlachenko 4,875 Reputation points
    2025-05-05T15:07:17.97+00:00

    Hi Andrea,

    Thanks for posting your question on the Q&A portal!

    To block unwanted cookies at the gateway level, you can use Azure Application Gateway's WAF (Web Application Firewall) to modify or strip headers, including unwanted cookies. A few thoughts about it.

    WAF Custom Rules – Block or modify specific cookies using rule groups or custom rules in Azure WAF. Azure WAF Custom Rules

    Rewrite Headers – Use Application Gateway’s Rewrite feature to remove or modify cookies before they reach your app. Header Rewrite in Application Gateway

    OWASP CRS Rules – Tune existing OWASP rules to reduce false positives while still blocking malicious cookies. OWASP CRS Tuning Guide

    If you need more specific guidance, feel free to share additional details!

    Best regards,
    Alex
    P.S. If my answer helped you, please accept it.
    P.P.S. That is my answer and not a comment.
    
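    Added example for this thread (my code, not from either answer and not Microsoft's): the "log the cookies, find which ones trip which rule, then tune the OWASP rules narrowly" workflow that both answers describe, carried out over Application Gateway firewall log records in Python. The record layout follows the ApplicationGatewayFirewallLog schema, but every log line, cookie name, IP and rule hit below is constructed; the function names and the RULE_GROUPS table are mine. The output is in the shape of the managedRules.exclusions array of an ApplicationGatewayWebApplicationFirewallPolicies resource (match variable RequestCookieNames, operator Equals, selector set to the cookie name, scoped to the rule IDs that cookie actually triggered), which is the narrowest exclusion the policy supports.

```python
"""Triage Application Gateway firewall logs for cookie false positives.

Added example for this thread; not from the answers above nor from
Microsoft. Reads ApplicationGatewayFirewallLog records (one JSON object per
line), keeps only matches CRS reported inside REQUEST_COOKIES, counts
cookie name x rule ID, and emits one exclusion per unexpected cookie,
scoped to exactly the OWASP 3.2 rules it tripped. Sample records follow
the documented schema but are constructed: names, IPs and hits invented.
"""
import json
import re
from collections import defaultdict

# CRS names the match location "at REQUEST_COOKIES:<name>" followed by a
# full stop; cookie names may contain dots (ASP.NET_SessionId), so match
# lazily up to an optional trailing dot before whitespace or end of text.
COOKIE_LOC = re.compile(r"REQUEST_COOKIES:(\S+?)\.?(?=\s|$)")

# CRS 3.2 rule-group names as Application Gateway lists them, keyed by the
# first three digits of the rule ID (subset; extend as needed).
RULE_GROUPS = {
    "932": "REQUEST-932-APPLICATION-ATTACK-RCE",
    "941": "REQUEST-941-APPLICATION-ATTACK-XSS",
    "942": "REQUEST-942-APPLICATION-ATTACK-SQLI",
}


def cookie_hits(log_lines):
    """Return (cookie_name, rule_id, client_ip) per cookie match; rows with
    no REQUEST_COOKIES location (949110 anomaly summary, ARGS, headers) skip."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        props = rec["properties"]
        found = COOKIE_LOC.search(props.get("details", {}).get("message", ""))
        if found:
            hits.append((found.group(1), props["ruleId"], props["clientIp"]))
    return hits


def summarize(hits):
    """Map cookie name -> {rule_id -> number of matches}."""
    table = defaultdict(lambda: defaultdict(int))
    for name, rule_id, _ip in hits:
        table[name][rule_id] += 1
    return {name: dict(rules) for name, rules in table.items()}


def build_exclusions(summary, app_cookies):
    """Exclusion entries in the managedRules.exclusions shape. Cookies the
    app itself sets are never excluded: their values reach backend code."""
    exclusions = []
    for name, rules in sorted(summary.items()):
        if name in app_cookies:
            continue
        groups = defaultdict(list)
        for rule_id in sorted(rules):
            group = RULE_GROUPS.get(rule_id[:3])
            if group is None:  # never silently widen to the whole rule set
                raise ValueError(f"no group mapping for rule {rule_id}")
            groups[group].append({"ruleId": rule_id})
        exclusions.append({
            "matchVariable": "RequestCookieNames",
            "selectorMatchOperator": "Equals",
            "selector": name,
            "exclusionManagedRuleSets": [{
                "ruleSetType": "OWASP",
                "ruleSetVersion": "3.2",
                "ruleGroups": [{"ruleGroupName": g, "rules": r}
                               for g, r in groups.items()],
            }],
        })
    return exclusions


# Constructed sample records (layout after the firewall log; content invented).
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Matched","details":{"message":"Warning. detected SQLi using libinjection with fingerprint 's&1' at REQUEST_COOKIES:lastsearch.","data":"Matched Data: s&1 found within REQUEST_COOKIES:lastsearch: 1' OR '1'='1"}}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.11","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Matched","details":{"message":"Warning. detected SQLi using libinjection with fingerprint 's&1' at REQUEST_COOKIES:lastsearch.","data":"Matched Data: s&1 found within REQUEST_COOKIES:lastsearch: 1' OR '1'='1"}}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942430","action":"Matched","details":{"message":"Warning. Pattern match at REQUEST_COOKIES:_ga.","data":"Matched Data: GA1.2.1 found within REQUEST_COOKIES:_ga: GA1.2.1"}}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.12","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Matched","details":{"message":"Warning. detected SQLi using libinjection with fingerprint 's&1' at REQUEST_COOKIES:ASP.NET_SessionId.","data":"Matched Data: s&1 found within REQUEST_COOKIES:ASP.NET_SessionId: x' OR 'a'='a"}}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"949110","action":"Blocked","details":{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","data":""}}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Matched","details":{"message":"Warning. detected SQLi using libinjection with fingerprint 's&1' at ARGS:q.","data":"Matched Data: s&1 found within ARGS:q: 1' OR '1'='1"}}}
"""
APP_COOKIES = {"ASP.NET_SessionId", "__RequestVerificationToken"}

if __name__ == "__main__":
    summary = summarize(cookie_hits(SAMPLE_LOG.splitlines()))
    for name, rules in summary.items():
        print(f"{name}: {rules}")
    print(json.dumps(build_exclusions(summary, APP_COOKIES), indent=2))
```

    The design choice that matters is in build_exclusions: a cookie the application sets itself (ASP.NET_SessionId in the sample) shows up in the summary but is deliberately not excluded, because its value can reach backend code and a SQLi match there is one you want the WAF to keep reporting. The exclusion for a cookie the app never reads stops only the listed rules from inspecting that one cookie's value; the rest of the request is still evaluated, which is why this is preferable to disabling the 942 rules.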
