What kind of Whitelisting can be done with different rules?

Last updated: July 10, 2026

Overview



In order to reduce the number of unwanted security events due to normal or expected application behaviour , you can configure whitelisting.
Please see below what kind of whitelisting can be done with our standard rules.

Please refer to the documentation for detailed descriptions.

Rule Category

Rule Whitelist Capability

Rule Reduce Scope Capability

Summary

CSRF

Yes (inbuilt)

Yes - Endpoint Reduction

XSS

Yes (inbuilt)

Yes - Endpoint Reduction

Deserialization

Yes (properties
e.g. com.waratek.AllowDeserialPrivileges="java.lang.ProcessBuilder.()")

No

DNS

Yes (allow)

Yes - Specific host, FQDN or IP

File I/O

Yes (allow)

Yes  - Path Reduction

Header Injection

No

Yes - Endpoint Reduction

Header Response Addition

No

Yes - Endpoint Reduction

Input Validation

Yes (allow)

Yes - Endpoint Reduction

Library Loading

Yes (allow)

Path Reduction

Open Redirection

Yes (allow)

Yes - Endpoint Reduction
Yes - Exclude subdomains
Yes - Taint Source Reduction

Path Traversal

No

Yes - Taint Source Reduction

Process Forking

Yes (allow)

Yes - Path Reduction

Sanitization

Yes (inbuilt)

Yes - Endpoint Reduction

Session Fixation

No

No

X

Socket Rules

Yes (inbuilt)

Yes - Endpoint Reduction

SQLi

Yes (properties
e.g. com.waratek.AllowSQLiPayloads=sql1_to_be_whitelisted, another_sql_statement, yet_another)

No

XXE

Yes (allow)

No