Understanding Block Codes

What Are Block Codes?

When the Expedited WAF blocks a request to your application, it assigns a block code that identifies the type of threat detected. These codes appear in your WAF logs and dashboard, helping you understand what kinds of attacks your application is facing and why specific requests were stopped.

Why Requests Get Blocked

The WAF evaluates every incoming request against multiple security layers before it reaches your application. A request is blocked when it matches one or more threat signatures, including:

  • Known attack patterns — requests that match signatures for SQL injection, cross-site scripting, remote code execution, and other well-documented attack techniques
  • Malicious sources — requests from IP addresses with poor reputation scores, known botnets, or anonymous proxies
  • Protocol violations — requests with malformed HTTP structures, unusual methods, or evasion techniques designed to bypass security filters
  • Access violations — requests targeting restricted directories, attempting unauthorized uploads, or failing authentication requirements
  • Custom rules — requests blocked by rules you have configured, such as IP blocklists, country blocks, or URL restrictions

One Block Code Per Request

Block codes are accurate but imprecise. The WAF evaluates every request against all of its security layers simultaneously, and a single malicious request will often violate multiple rules at once. However, only one block code is assigned to each blocked request.

For example, imagine a single request that the WAF would catch on four separate grounds:

  • Geographic or Proxy Block — the request originates from a country on your geo-block list
  • SQL Injection — the request contains a SQL injection payload in its query parameters
  • Denial of Service — the request is arriving at a rate consistent with an automated attack
  • IP Reputation — the request comes from an IP address whose reputation score is poor because it has launched attacks against other sites

Your logs will show just one of those block codes, not all four.

This means the block code you see tells you one confirmed reason the request was stopped, but it may not be the only reason. A request labeled as “SQL Injection” may also have come from a blocked country or a known-bad IP address. The WAF stopped it regardless, and the single block code gives you the most useful signal about what that request was attempting to do.

Block Code Reference

Injection Attacks

Block Code | Description
SQL Injection | Attempt to exfiltrate or manipulate data via SQL injection
Cross Site Scripting | Attempt to execute malicious scripts in visitors’ browsers
PHP Injection Blocked | Attempt to manipulate PHP language features
Server Side Injection | Server Side Include attack attempt
Remote Command Execution | Attempt to invoke remote commands within the application
Remote File Inclusion | Attempt to download and execute an external resource

Bot Protection

Block Code | Description
Brute Force Bot | Request from a bot known for brute force attacks
Bad Bot Access | Request from a banned bot, SEO scraper, or script
Fake Bot Access | Request impersonating a legitimate bot like Googlebot
Denial of Service | Request matching denial of service attack patterns

IP and Geographic Blocking

Block Code | Description
IP Reputation | Request from an IP address involved in recent attacks
Geographic or Proxy Block | Request from a blocked country or anonymous proxy
Blacklisted IP | Request from an IP on your WAF’s blocklist
IP Address Not Whitelisted | Request to a protected directory from a non-allowlisted IP

Access Control

Block Code | Description
Two Factor Failure | Request failed additional authentication requirements
Unauthorized Request | Request to a path that requires authorization
Directory Listing | Attempt to list files in a directory
Restricted Directory | Request to a restricted directory
Unauthorized Upload | Attempt to upload files into the application

Protocol and Request Anomalies

Block Code | Description
Non Standard POST Request | POST request with data matching exploit patterns
Evasion Request | Request formatted to bypass WAF security filters
Obfuscated Attack Payload | Request with altered data designed to bypass filters
HTTP Protocol Anomaly | Malformed HTTP request inconsistent with proper structure
HTTP Method Not Allowed | Request using a disallowed HTTP method
URL Request Manipulation | URL paths or parameters modified to bypass security filters

Exploits and Malware

Block Code | Description
Exploit Blocked | Request matching a known exploit blocked by virtual patching or hardening
Backdoor Access | Attempt to access known backdoor files
Intrusion Attempt | Attempt to gain further unauthorized access
Malicious Request | Potentially malicious request blocked
Malicious JavaScript | Attempt to insert malicious JavaScript
Malicious Cookie Payload | Cookie containing potentially dangerous commands
User Agent Injection | User agent string containing an exploit payload

Spam

Block Code | Description
Spam Request | Attempt to inject spam into the application

Custom and Configuration

Block Code | Description
Custom URL Block | Request blocked by a custom WAF configuration rule
Site in Lockdown | Request blocked because the site is in lockdown mode
Other | All other blocked requests
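
Because each blocked request carries only one block code, a per-source view across requests shows more than any single log line. The following added example (not Expedited WAF code) groups a log export by source IP and maps each code to its category from the reference above. The CSV column names and the sample rows are constructed assumptions, not the WAF's actual log format.

```python
import csv
import io
from collections import defaultdict

# Block codes grouped by the categories in the reference tables on this page.
CATEGORIES = {
    "Injection Attacks": "SQL Injection|Cross Site Scripting|PHP Injection Blocked|"
        "Server Side Injection|Remote Command Execution|Remote File Inclusion",
    "Bot Protection": "Brute Force Bot|Bad Bot Access|Fake Bot Access|Denial of Service",
    "IP and Geographic Blocking": "IP Reputation|Geographic or Proxy Block|"
        "Blacklisted IP|IP Address Not Whitelisted",
    "Access Control": "Two Factor Failure|Unauthorized Request|Directory Listing|"
        "Restricted Directory|Unauthorized Upload",
    "Protocol and Request Anomalies": "Non Standard POST Request|Evasion Request|Obfuscated Attack Payload|"
        "HTTP Protocol Anomaly|HTTP Method Not Allowed|URL Request Manipulation",
    "Exploits and Malware": "Exploit Blocked|Backdoor Access|Intrusion Attempt|Malicious Request|"
        "Malicious JavaScript|Malicious Cookie Payload|User Agent Injection",
    "Spam": "Spam Request",
    "Custom and Configuration": "Custom URL Block|Site in Lockdown|Other",
}
CODE_TO_CATEGORY = {c: cat for cat, codes in CATEGORIES.items() for c in codes.split("|")}

# Constructed sample export; the column names are assumptions, not the WAF's log format.
SAMPLE_LOG = """ip,path,block_code
203.0.113.7,/search?q=1,SQL Injection
203.0.113.7,/login,IP Reputation
203.0.113.7,/,Geographic or Proxy Block
198.51.100.20,/wp-login.php,Brute Force Bot
198.51.100.20,/wp-login.php,Brute Force Bot
192.0.2.55,/admin/,IP Address Not Whitelisted
"""

def profile_sources(log_text):
    """Per-IP request count, distinct codes and categories; unlisted codes map to 'Unrecognized'."""
    profiles = defaultdict(lambda: {"requests": 0, "codes": set(), "categories": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        p = profiles[row["ip"]]
        p["requests"] += 1
        p["codes"].add(row["block_code"])
        p["categories"].add(CODE_TO_CATEGORY.get(row["block_code"], "Unrecognized"))
    return dict(profiles)

def multi_reason_sources(profiles):
    """IPs blocked under more than one code: each request showed only one of them."""
    return sorted(ip for ip, p in profiles.items() if len(p["codes"]) > 1)

if __name__ == "__main__":
    for ip, p in profile_sources(SAMPLE_LOG).items():
        print(ip, p["requests"], sorted(p["codes"]), sorted(p["categories"]))
```

A source that appears only under "IP Address Not Whitelisted" or "Custom URL Block" is the kind of entry worth checking against your own allowlists and rules when legitimate traffic is being blocked.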

Need Help?

If you see block codes in your logs that you do not understand, or if the WAF is blocking legitimate traffic: