AWS – AWS WAF now supports URI fragment field matching
AWS WAF now supports URI fragment field matching, enabling customers to match against the URI fragment along with the already supported URI path. With this feature, customers can create rules that inspect and match against the content of the URI fragment within the URI path.
Customers previously could use WAF match conditions to inspect requests and compare their origin against provided criteria. As customers strive to enhance security, they have requested the ability to match against the URI fragment – the part of the URL after the “#” symbol. The URI fragment is often used to identify specific sections or anchors within a web page and is not typically sent to the server during the initial request. For example, if you have a login page with a dynamic fragment like “foo://login.aspx#myFragment”, you can create a rule that only allows requests with the “myFragment” fragment and denies all others. This enables targeted security controls, such as blocking access to sensitive areas, detecting unauthorized access attempts, and implementing enhanced bot detection by analyzing fragment patterns used by malicious actors.
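The following added example (not AWS code and not a WAF rule definition) models the login-page rule described above in Python, so you can see which request targets such a rule would allow or block, including a request that carries no fragment at all. The function names, the `/login.aspx` path form, and the sample request targets are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical rule values, taken from the page's login.aspx example.
PROTECTED_PATH = "/login.aspx"
ALLOWED_FRAGMENT = "myFragment"


def fragment_of(request_target: str):
    """Return the decoded fragment, or None when the target has no '#'.

    RFC 3986: the fragment is everything after the first '#'; a '?' that
    follows the '#' belongs to the fragment, not to the query string.
    """
    if "#" not in request_target:
        return None
    return unquote(urlsplit(request_target).fragment)


def evaluate(request_target: str) -> str:
    """Local model of 'allow only ALLOWED_FRAGMENT on PROTECTED_PATH'."""
    path = unquote(urlsplit(request_target).path)
    if path != PROTECTED_PATH:
        return "NOT_APPLICABLE"  # the rule is scoped to the login page only
    if fragment_of(request_target) == ALLOWED_FRAGMENT:
        return "ALLOW"
    return "BLOCK"  # wrong, empty, or absent fragment


# Constructed request targets for illustration, not captured traffic.
SAMPLES = [
    "/login.aspx#myFragment",                # expected fragment
    "/login.aspx?next=%2Fhome#myFragment",   # query string before the fragment
    "/login.aspx#my%46ragment",              # percent-encoded 'F' in the fragment
    "/login.aspx#other",                     # unexpected fragment
    "/login.aspx#",                          # '#' present but fragment empty
    "/login.aspx",                           # no fragment, the usual browser request
    "/index.html#myFragment",                # different path, rule does not apply
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{evaluate(target):15} {target!r} fragment={fragment_of(target)!r}")
```

The `/login.aspx` case with no fragment is the one to check before enforcing an allow-only rule of this kind: because the fragment is not typically sent to the server, ordinary requests fall into the blocked branch.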
There is no additional cost, but standard WAF charges still apply. For more information about pricing, visit the AWS WAF Pricing page. The feature is available in all AWS Regions where WAF is available for all supported origins. For more information about the URI field for matching, visit the Developer Guide.