Syntax
AppSec Configuration Files
AppSec configuration files define which rules are loaded, how they run, and how the WAF responds.
They are loaded by the AppSec acquisition datasource via appsec_configs (see the AppSec datasource).
Below is a minimal example followed by the full key reference.
name: custom/my-appsec-config
inband_rules:
- crowdsecurity/base-config
default_remediation: ban
Each AppSec configuration file controls how rules are loaded and processed.
You can create custom configuration files in /etc/crowdsec/appsec-configs/.
Configuration File Format
Configuration files share a common structure:
- a name (required)
- optional rule lists such as inband_rules and outofband_rules
- optional behavior keys like default_remediation and default_pass_action
- HTTP response codes (for example, blocked_http_code)
- optional performance settings (inband_options, outofband_options)
- optional hooks (on_load, pre_eval, post_eval, on_match)
- optional logging (log_level)
name: custom/my-appsec-config
inband_rules:
- crowdsecurity/base-config
outofband_rules:
- crowdsecurity/crs
default_remediation: ban
default_pass_action: allow
blocked_http_code: 403
passed_http_code: 200
log_level: info
Configuration Structure
name
string
Unique identifier for the AppSec configuration, used for logging and referencing.
name: custom/my-appsec-config
inband_rules
array of strings
List of rule patterns to load as in-band rules. See in-band rule processing.
inband_rules:
- crowdsecurity/base-config
- crowdsecurity/vpatch-*
outofband_rules
array of strings
List of rule patterns to load as out-of-band rules. See out-of-band rule processing.
outofband_rules:
- crowdsecurity/crs
- custom/detection-rules
default_remediation
string
Default action for in-band rules that match. The special value allow disables blocking.
Common values include ban (block) and captcha (challenge), depending on what your remediation component supports.
default_remediation: ban
default_pass_action
string
Action for requests that do not match any rules, or match rules with pass actions.
default_pass_action: allow
blocked_http_code
integer
HTTP status code returned to the remediation component when a request is blocked.
blocked_http_code: 403
passed_http_code
integer
HTTP status code returned to the remediation component when a request is allowed.
passed_http_code: 200
user_blocked_http_code
integer
HTTP status code returned to the end user when a request is blocked.
user_blocked_http_code: 403
user_passed_http_code
integer
HTTP status code returned to the end user when a request is allowed.
user_passed_http_code: 200
inband_options
object
Performance tuning options for in-band rule processing.
- disable_body_inspection (bool): Skip HTTP body inspection.
- request_body_in_memory_limit (integer): Max body size in memory (bytes, default: 1048576).
inband_options:
  disable_body_inspection: false
  request_body_in_memory_limit: 1048576
outofband_options
object
Performance tuning options for out-of-band rule processing.
- disable_body_inspection (bool): Skip HTTP body inspection.
- request_body_in_memory_limit (integer): Max body size in memory (bytes, default: 1048576).
outofband_options:
  disable_body_inspection: false
  request_body_in_memory_limit: 1048576
log_level
string
Logging verbosity for this configuration. Available levels: debug, info, warn, error.
log_level: info
on_load
array
Executed when the configuration is loaded. Typically used for global rule changes.
on_load:
- apply:
  - RemoveInBandRuleByName("problematic-rule")
pre_eval
array
Executed before rule evaluation for each request. Supports conditional logic.
pre_eval:
- filter: IsInBand && req.RemoteAddr == "192.168.1.100"
  apply:
  - RemoveInBandRuleByName("strict-rule")
post_eval
array
Executed after rule evaluation. Useful for debugging and analysis.
post_eval:
- filter: IsInBand
  apply:
  - DumpRequest().WithBody().ToJSON()
on_match
array
Executed when rules match. Used to adjust remediation or generate custom alerts.
on_match:
- filter: req.Host == "staging.example.com"
  apply:
  - SetRemediation("allow")
  - CancelAlert()
For complete hook documentation, see AppSec Hooks.
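
A pre-deployment review check over the keys documented above, as an added example that is not CrowdSec's own code. It takes a configuration already parsed from YAML into a dict; the function name audit_appsec_config, the finding messages, and the sample configuration are assumptions made for illustration.

```python
# Added example: review checks for a parsed AppSec configuration (not CrowdSec code).
# Key names and log levels come from the reference on this page; the function
# name and the finding messages are assumptions.
KNOWN_KEYS = {
    "name", "inband_rules", "outofband_rules", "default_remediation",
    "default_pass_action", "blocked_http_code", "passed_http_code",
    "user_blocked_http_code", "user_passed_http_code", "inband_options",
    "outofband_options", "log_level", "on_load", "pre_eval", "post_eval", "on_match",
}
LOG_LEVELS = {"debug", "info", "warn", "error"}


def audit_appsec_config(cfg):
    """Return a list of findings for a config already parsed from YAML into a dict."""
    findings = []
    if not isinstance(cfg.get("name"), str) or not cfg["name"]:
        findings.append("name: required string is missing")
    for key in sorted(set(cfg) - KNOWN_KEYS):
        findings.append(f"{key}: not a documented key (typo?)")
    if cfg.get("default_remediation") == "allow":
        findings.append("default_remediation: 'allow' disables blocking")
    if "log_level" in cfg and cfg["log_level"] not in LOG_LEVELS:
        findings.append(f"log_level: {cfg['log_level']!r} is not a valid level")
    for key in (k for k in cfg if k.endswith("_http_code")):
        if isinstance(cfg[key], bool) or not isinstance(cfg[key], int):
            findings.append(f"{key}: must be an integer")
    for section in ("inband_options", "outofband_options"):
        if (cfg.get(section) or {}).get("disable_body_inspection") is True:
            findings.append(f"{section}: request bodies are not inspected")
    for i, entry in enumerate(cfg.get("on_match") or []):
        if any(a.startswith('SetRemediation("allow")') for a in entry.get("apply") or []):
            scope = "filtered" if entry.get("filter") else "all"
            findings.append(f"on_match[{i}]: sets remediation to allow for {scope} matches")
    return findings


# Constructed sample, equivalent to a YAML file after parsing (e.g. yaml.safe_load).
SAMPLE = {
    "name": "custom/my-appsec-config",
    "inband_rules": ["crowdsecurity/base-config"],
    "default_remediation": "allow",
    "blocked_http_code": "403",                         # quoted in YAML, so a string
    "inband_option": {"disable_body_inspection": True},  # misspelled key
    "outofband_options": {"disable_body_inspection": True},
    "on_match": [{"apply": ['SetRemediation("allow")', "CancelAlert()"]}],
}

if __name__ == "__main__":
    print("\n".join(audit_appsec_config(SAMPLE)))
```

The on_match example from this page, which carries a filter, is reported as applying to filtered matches only, so a reviewer can tell a scoped exception from one that applies to every match.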