> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# OWASP CRS Response Action
> Block common web attacks with the `owasp-crs-response` action in Traffic Policy.
export const ConfigChildren = ({children}) => {
return
{children}
;
};
export const ConfigField = ({title, type, cel = false, defaultValue = false, required = false, children}) => {
const id = `config-${title.replace(/\.|\s|\*/g, "_")}`;
return
;
};
The `owasp-crs-response` action enables rule processing on HTTP responses from your upstream service.
To use rule processing to block malicious HTTP *requests*, enable the [OWASP CRS Request action](/traffic-policy/actions/owasp-crs-request/).
**Use both OWASP CRS actions for comprehensive protection.**
The Response action protects against data leaks or vulnerabilities in your upstream service's responses (such as exposed SQL error messages and sensitive data).
The Request action protects against malicious client requests (such as SQL injection and XSS attacks).
Together, they provide defense-in-depth security for both incoming and outgoing traffic.
[OWASP](https://owasp.org/) stands for the Open Web Application Security
Project, an online community that, among other things, maintains annual lists of
the most critical web application security risks. The [OWASP Core Rule
Set](https://owasp.org/www-project-modsecurity-core-rule-set/) (CRS) is a set of
attack detection rules exposed for use in your Traffic Policies.
It includes protections against attacks like SQL Injection, Cross Site
Scripting, Local File Inclusion, and many others.
### Configuration reference
This is the [Traffic Policy](/traffic-policy/) configuration
reference for this action.
#### Supported phases
`on_http_response`
#### Type
`owasp-crs-response`
#### Configuration fields
Behavior if there is an error processing rules. Must be one of either "continue" or "halt" (default "halt").
More information can be found in the [Managing Fallback Behavior](#managing-fallback-behavior-on-error) section.
If true, rules for the response body are evaluated. Default is false.
See [Body Processing](#body-processing) for details and limitations.
List of OWASP CRS rule IDs to exclude from evaluation.
The minimum value is 900000 and the maximum value is 999999.
## Behavior
This action evaluates rules for response headers and body (when `process_body` is enabled), and each matching rule adds to the overall score of a response. If the score exceeds the set score threshold, the action will block the response.
The tallying process is called Anomaly Scoring, and is detailed on [the CRS website.](https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/)
This action costs **10 [Traffic Policy Units (TPUs)](/pricing-limits/traffic-policy-unit-pricing/)** per response evaluated.
### Default behavior
The default behavior for this action is based on the following [Coraza](https://coraza.io/) directives and rules from v4.14.0 of the CRS:
* [coraza.conf-recommended](https://github.com/corazawaf/coraza/blob/main/coraza.conf-recommended)
* [crs-setup.conf.example](https://github.com/corazawaf/coraza-coreruleset/blob/main/rules/%40crs-setup.conf.example)
* [@owasp\_crs/\*.conf](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs)
Included in these rules is an outbound anomaly score threshold of 4 and a [paranoia level](https://coreruleset.org/docs/2-how-crs-works/2-2-paranoia_levels/) of 1.
### Managing fallback behavior (`on_error`)
If `on_error` is set to `halt` (default) and the action encounters an error while evaluating rules, the Traffic Policy chain will halt and no further actions will be executed. For example, if you have a `log` action after the `owasp-crs-response` action, the `log` action will not be run and the error will be returned.
However, if `on_error` is set to `continue`, actions that appear after the `owasp-crs-response` action will still be executed even if the `owasp-crs-response` action encounters an error.
### Body processing
When `process_body` is enabled, ngrok buffers and evaluates rules against the first 4KB of the body. If the body is larger than 4KB, the portion after the first 4KB is ignored.
Enabling `process_body` buffers the response body in memory, which may increase latency for large payloads.
### Rule exclusion
When `exclude_rule_ids` is configured, ngrok skips evaluation of the specified rule IDs. This allows you to disable specific OWASP CRS rules that may be causing false positives in your environment.
### Outbound anomaly score threshold exceeded
If the anomaly score accumulated from matching rules exceeds the threshold, ngrok blocks the request with a `HTTP 403` response. The response from your upstream does not make it to the client.
### Failure to process the body successfully
If ngrok is unable to read the response body successfully, ngrok blocks the response with a `HTTP 500` response. The response from your upstream does not make it to the client.
### Non-terminating action
This is a **Non-terminating action**. It does not return a response, and will allow Traffic Policy processing to continue to the next Action in the chain. All **Cloud Endpoint** Traffic Policies must end with a terminating action. This requirement does not apply to **Agent Endpoints**.
## Examples
### Running in block mode
The following configuration demonstrates how to run the `owasp-crs-response` action in block mode.
#### Example Traffic Policy document
```yaml policy.yml {5} theme={null}
on_http_response:
- actions:
- type: owasp-crs-response
config:
on_error: halt
```
```json policy.json {8} theme={null}
{
"on_http_response": [
{
"actions": [
{
"type": "owasp-crs-response",
"config": {
"on_error": "halt"
}
}
]
}
]
}
```
### Running in test mode
The following configuration demonstrates how to run the `owasp-crs-response` action in test mode where rules are evaluated but blocks are not enforced.
#### Example Traffic Policy document
```yaml policy.yml {5} theme={null}
on_http_response:
- actions:
- type: owasp-crs-response
config:
on_error: continue
- type: log
config:
metadata:
message: OWASP CRS response action would be ${actions.ngrok.owasp_crs_response.decision} for ${req.url}
error_code: ${actions.ngrok.owasp_crs_response.error.code}
error_message: ${actions.ngrok.owasp_crs_response.error.message}
matched_rules_first_id: ${actions.ngrok.owasp_crs_response.matched_rules[0].id}
matched_rules_first_message: ${actions.ngrok.owasp_crs_response.matched_rules[0].message}
matched_rules_first_data: ${actions.ngrok.owasp_crs_response.matched_rules[0].data}
```
```json policy.json {8} theme={null}
{
"on_http_response": [
{
"actions": [
{
"type": "owasp-crs-response",
"config": {
"on_error": "continue"
}
},
{
"type": "log",
"config": {
"metadata": {
"message": "OWASP CRS response action would be ${actions.ngrok.owasp_crs_response.decision} for ${req.url}",
"error_code": "${actions.ngrok.owasp_crs_response.error.code}",
"error_message": "${actions.ngrok.owasp_crs_response.error.message}",
"matched_rules_first_id": "${actions.ngrok.owasp_crs_response.matched_rules[0].id}",
"matched_rules_first_message": "${actions.ngrok.owasp_crs_response.matched_rules[0].message}",
"matched_rules_first_data": "${actions.ngrok.owasp_crs_response.matched_rules[0].data}"
}
}
}
]
}
]
}
```
### Example response from your upstream that ngrok would block
A `text/plain` response like the following will result in ngrok blocking the response due to potential security leaks that is, SQL Injection vulnerabilities.
```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM users WHERE id = 'abc'' at line 1
```
## Action result variables
The following variables are made available for use in subsequent expressions and
CEL interpolations after the action has run. Variable values will only apply
to the last action execution, results are not concatenated.
The action taken for this response.
`allow` - If the response was permitted.`deny` - If the response was denied.
The total anomaly score for the response. If it equals to or exceeds the set threshold, it will
block the response.
The total anomaly score threshold for the response. By default, it is set to 4.
The list of all rules matched by this response that have a non-zero score.
The ID of the rule.
The text message describing the rule.
The [severity](https://coraza.io/docs/seclang/actions/#severity) of the matched rule.
Any extra data about the rule and how it matched the response.
A machine-readable code describing an error that occurred during the
action's execution.
A human-readable message providing details about an error that occurred
during the action's execution.