Allowlisting URL Paths

Overview

Path allowlisting lets you exempt specific URL paths from WAF security checks. Requests whose path matches an allow rule skip every WAF rule and are passed straight to your application with no inspection. This is useful for webhooks, API endpoints, health checks, and other paths where the WAF may interfere with legitimate automated traffic. Because an allowed path receives no WAF protection at all, keep each rule as narrow as the traffic requires.

Adding an Allowed Path

From your WAF dashboard, navigate to Path Rules > Allow. You will see a form to add paths with two fields:

  1. Match Pattern — select how the path should be matched (see below)
  2. Path — enter the path value to match against

Click Allow Path to add the rule. The path will immediately begin bypassing WAF security checks.

Match Types

The WAF supports four match patterns for path allowlisting:

Begins With

Matches any request path that starts with the specified value.

  • /api matches /api/users, /api/data, /api/webhooks/stripe
  • /webhooks matches /webhooks/payment, /webhooks/deploy

Ends With

Matches any request path that ends with the specified value.

  • .json matches /data.json, /api/users.json
  • /callback matches /auth/callback, /oauth/callback

Equals

Matches only the exact path specified — no partial matching.

  • /contact matches only /contact (not /contact-us or /contact/form)
  • /health matches only /health

Contains

Matches any request path that includes the specified value anywhere. This is the broadest of the four patterns: it also matches paths you may not have had in mind, so prefer Equals or Begins With when they can express the same rule.

  • webhook matches /api/webhook/handler, /webhooks, /stripe-webhook
  • callback matches /auth/callback, /api/callback/process

Common Uses

  • Webhooks — Allow /api/webhooks for payment processors (Stripe, PayPal), CI/CD pipelines, and third-party integrations that send automated POST requests
  • API endpoints — Allow specific API paths that need to bypass rate limiting or bot detection for machine-to-machine traffic
  • Health checks — Allow /health or /ping for uptime monitoring services like Pingdom, UptimeRobot, or Heroku’s own health checks
  • OAuth callbacks — Allow callback URLs used by authentication providers

Path Restrictions

Paths containing “admin” cannot be allowed. This is a security restriction to prevent accidentally exposing admin panels to unfiltered traffic. If you need to allow a path that contains “admin”, contact support to discuss alternatives.

The restriction is checked against the rule value you enter, not against the request paths the rule ends up matching. By the match definitions above, a Begins With, Ends With or Contains rule whose value does not include “admin” (for example an Ends With rule for .json) still matches request paths such as /admin/users.json. Compare a broad rule against your application’s routes before adding it.

Allowed Characters

Paths may contain: letters, numbers, underscores (_), hyphens (-), forward slashes (/), periods (.), and equals signs (=).

Paths from the root should start with /. For URL parameters, specify the name and value (e.g., reset=true). Because ? and & are not among the allowed characters, a rule can carry a single name=value pair but not a full query string.

Resolving False Positives

If the WAF is blocking legitimate requests to a specific path, and that path serves only traffic your application can safely handle without WAF inspection, allowlisting the path is the recommended fix:

  1. Check the WAF logs to identify which path is being blocked
  2. Add the path to your allowlist using the most specific match pattern possible
  3. Use Equals when you only need to allow one exact path, or Begins With for a path prefix

Using a more specific match pattern reduces the attack surface compared to broader patterns like Contains: every request that matches the rule skips every WAF check, so the fewer paths a rule matches, the less unfiltered traffic reaches your application.
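The following is an added example, not the WAF add-on’s own code, that models the four match patterns, the two rule restrictions, and the “pick the most specific pattern” step of the procedure above so you can measure a candidate rule against paths from your own logs before adding it. The function and key names, first-match semantics, case-insensitive handling of “admin”, and the sample request paths are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Characters a rule value may contain, per the Allowed Characters section:
# letters, digits, underscore, hyphen, slash, period and equals sign.
ALLOWED_PATH_RE = re.compile(r"^[A-Za-z0-9_\-/.=]+$")

# The four match patterns from the Match Types section. The key names are
# ours; the dashboard shows them as Begins With / Ends With / Equals / Contains.
MATCHERS = {
    "begins_with": lambda request_path, value: request_path.startswith(value),
    "ends_with": lambda request_path, value: request_path.endswith(value),
    "equals": lambda request_path, value: request_path == value,
    "contains": lambda request_path, value: value in request_path,
}


@dataclass(frozen=True)
class AllowRule:
    match: str  # one of the MATCHERS keys
    path: str   # the rule value typed into the Path field


def validate_rule(rule: AllowRule) -> Optional[str]:
    """Return a rejection reason, or None if the rule would be accepted.

    Mirrors the two restrictions the page states. Matching "admin"
    case-insensitively is an assumption; the page does not say.
    """
    if rule.match not in MATCHERS:
        return f"unknown match type {rule.match!r}"
    if not ALLOWED_PATH_RE.match(rule.path):
        return "path contains characters outside letters, digits, _ - / . ="
    if "admin" in rule.path.lower():
        return "paths containing 'admin' cannot be allowed"
    return None


def is_exempt(request_path: str, rules: Iterable[AllowRule]) -> Optional[AllowRule]:
    """Return the first rule that exempts this request from WAF checks, else None.

    First-match semantics are an assumption; with allow rules only, the
    order does not change whether a request is exempt.
    """
    for rule in rules:
        if MATCHERS[rule.match](request_path, rule.path):
            return rule
    return None


def blast_radius(rule: AllowRule, observed_paths: Iterable[str], intended: Set[str]) -> List[str]:
    """Paths in a traffic sample that the rule exempts but you did not intend to exempt.

    Feed this the paths from your WAF logs before adding a rule; an empty
    list means the rule is as narrow as the sample can show.
    """
    return sorted(
        p for p in set(observed_paths)
        if MATCHERS[rule.match](p, rule.path) and p not in intended
    )


# Constructed sample of request paths, standing in for paths seen in WAF logs.
SAMPLE_PATHS = [
    "/api/webhooks/stripe", "/api/webhooks/github", "/stripe-webhook",
    "/webhooks/payment", "/health", "/healthz", "/data.json",
    "/admin/users.json", "/admin/webhooks", "/auth/callback",
    "/contact", "/contact-us",
]


def compare_candidates(intended_path: str, candidates: Iterable[AllowRule]) -> dict:
    """Map each candidate rule to the unintended sample paths it would also exempt."""
    return {c: blast_radius(c, SAMPLE_PATHS, {intended_path}) for c in candidates}


if __name__ == "__main__":
    # Step 1 of the procedure found /api/webhooks/stripe being blocked.
    # Steps 2 and 3: compare match patterns, most specific first.
    candidates = [
        AllowRule("equals", "/api/webhooks/stripe"),
        AllowRule("begins_with", "/api/webhooks"),
        AllowRule("contains", "webhook"),
    ]
    for rule, extra in compare_candidates("/api/webhooks/stripe", candidates).items():
        print(f"{rule.match:12} {rule.path:24} also exempts: {extra or 'nothing'}")

    # The "admin" restriction applies to the rule value only: this rule passes
    # validation yet exempts /admin/users.json by the Ends With definition.
    json_rule = AllowRule("ends_with", ".json")
    print("valid:", validate_rule(json_rule) is None,
          "also exempts:", blast_radius(json_rule, SAMPLE_PATHS, {"/data.json"}))
```

Replace SAMPLE_PATHS with the distinct paths from your own WAF logs; a rule whose blast radius is empty against real traffic is the one to add.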

Removing an Allowed Path

From the Path Rules > Allow page, click the delete icon next to any allowed path to remove it. The WAF will immediately resume applying security checks to that path.

Need Help?

If you are unsure whether to allowlist a path or need help resolving false positives: