Menu
AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::WAF::XssMatchSet

The AWS::WAF::XssMatchSet resource specifies the parts of web requests that you want AWS WAF to inspect for cross-site scripting attacks and the name of the header to inspect. For more information, see XssMatchSet in the AWS WAF API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

Copy
{ "Type" : "AWS::WAF::XssMatchSet", "Properties" : { "Name" : String, "XssMatchTuples" : [ XssMatchTuple, ... ] } }

YAML

Copy
Type: "AWS::WAF::XssMatchSet" Properties: Name: String XssMatchTuples: - XssMatchTuple

Properties

Name

A friendly name or description for the XssMatchSet.

Required: Yes

Type: String

Update requires: Replacement

XssMatchTuples

The parts of web requests that you want to inspect for cross-site scripting attacks.

Required: No

Type: List of AWS WAF XssMatchSet XssMatchTuple

Update requires: No interruption

Return Value

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Define Which Part of a Request to Check for Cross-site Scripting

The following example looks for cross-site scripting in the URI or query string of an HTTP request.

JSON

Copy
"DetectXSS": { "Type": "AWS::WAF::XssMatchSet", "Properties": { "Name": "XssMatchSet", "XssMatchTuples": [ { "FieldToMatch": { "Type": "URI" }, "TextTransformation": "NONE" }, { "FieldToMatch": { "Type": "QUERY_STRING" }, "TextTransformation": "NONE" } ] } }

YAML

Copy
DetectXSS: Type: "AWS::WAF::XssMatchSet" Properties: Name: "XssMatchSet" XssMatchTuples: - FieldToMatch: Type: "URI" TextTransformation: "NONE" - FieldToMatch: Type: "QUERY_STRING" TextTransformation: "NONE"

Associate an XssMatchSet with a Web ACL Rule

The following example associates the DetectXSS match set with a web access control list (ACL) rule.

JSON

Copy
"XSSRule" : { "Type": "AWS::WAF::Rule", "Properties": { "Name": "XSSRule", "MetricName" : "XSSRule", "Predicates": [ { "DataId" : { "Ref" : "DetectXSS" }, "Negated" : false, "Type" : "XssMatch" } ] } }

YAML

Copy
XSSRule: Type: "AWS::WAF::Rule" Properties: Name: "XSSRule" MetricName: "XSSRule" Predicates: - DataId: Ref: "DetectXSS" Negated: false Type: "XssMatch"

Create a Web ACL

The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests except for ones that contain cross-site scripting in the URI or query string of an HTTP request.

JSON

Copy
"MyWebACL": { "Type": "AWS::WAF::WebACL", "Properties": { "Name": "Web ACL to block cross-site scripting", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "DetectXSSWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "XSSRule" } } ] } }

YAML

Copy
MyWebACL: Type: "AWS::WAF::WebACL" Properties: Name: "Web ACL to block cross-site scripting" DefaultAction: Type: "ALLOW" MetricName: "DetectXSSWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "XSSRule"