AWAF policy-diff hole checker
Paste a before and an after declarative WAF policy and it classifies every security-relevant change as a relaxation or a tightening, then answers the question that matters after tuning: did this open a hole? It flags relaxations that widen protection beyond a single entity apart from a properly-scoped single-entity allow. Runs entirely in your browser.
Security & WAFTwo declarative WAF policies to compare
Compared in your browser. Neither policy is uploaded.
A deterministic diff of the security-relevant sections F5's declarative policy schema defines. It reads enforcement mode, signature staging, X-Forwarded-For trust, Data Guard, CSRF, per-violation block flags, per-evasion enablement, and the URL / parameter / file-type entities. It never contacts a BIG-IP.
References
- F5 Advanced WAF declarative policy schema (enforcementMode, signature-settings, blocking-settings evasions/violations, data-guard, general.trustXff, entity arrays)
- F5 K70544352: Reducing false positive violations (relax only where a false positive occurred, and scope it)
- F5 BIG-IP ASM: Working with Violations (a transparent policy and a disabled block flag stop enforcement)