> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WAAP rules

WAAP rules allow you to specify how to inspect web requests to your domain and what actions to take when a request matches certain criteria. This helps protect your applications from common threats such as SQL injection, cross-site scripting (XSS), and other malicious activities.

For example, you can create a rule to block any request with common SQL injection patterns or require CAPTCHA validation to prevent spam.

## Types of WAAP rules

Depending on your [plan](https://gcore.com/pricing/security#waap), you can create the following rules:

* [Firewall rules](/waap/firewall/access-control#allowed-ips-and-blocked-ips) (allow and block IP addresses): Easy to configure and designed for use cases when you need a straightforward, simple tool to manage IP access to your domain. These rules form access control lists (ACLs) and are free for any plan that includes our WAAP product.

* [Custom rules](/waap/waap-rules/custom-rules): These rules contain "if/then" statements and cover more complicated scenarios, such as filtering requests from specified countries or organizations.

* [Advanced rules](/waap/waap-rules/advanced-rules): Designed for technical users who need even more control over rule creation. These rules can be configured in the Gcore Customer Portal or via API.

## Rule criteria

For any WAAP rule, it's important to define the criteria that trigger the rule. You can create WAAP rules based on a variety of conditions:

* Origin of the IP or IP range.

* Country or geographical location of the request.

* Length of a specified part of the request, such as query string.

* Strings that appear in the request. For example, values that appear in the user-agent header or text strings from the query string.

* Specific [tags](/waap/waap-rules/custom-rules/tag-rules/predefined-tags).

* Potentially malicious SQL code used to extract data from your database, also known as SQL injection.

* Requests with potentially malicious scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).

* Some rule types take sets of criteria. For example, you can specify up to 10,000 IP addresses or IP address ranges in an IP address rule.
