Back to Reverse-Proxy security section
Match any URL that contains the parameter
a[]=four or more times
ΒΆ Deny and return a 444 return code for :
/index.php?a[]=1&a[]=2&a[]=3&a[]=4
/search?a[]=foo&a[]=bar&a[]=baz&a[]=qux&a[]=boom
This is a classic anti-abuse / anti-DoS / anti-PHP-array-bomb rule.
Attackers often send huge numbers of array parameters like a[]= to:
- Exhaust PHP memory
- Trigger slow parsing
- Bypass WAF rules
- Abuse legacy frameworks
use the pattern like this:
~(?:a\[\]=.*?){4,}
~means regex pattern(?: ... )is a non-capturing group, used only for grouping, not for storing a match.
Everything inside is treated as one repeatable unit.a\[\]=Matches the literal string:a[]=The brackets are escaped because[and]are special in regex..*?Match anything aftera[]=until the next possible match{4,}is a Repetition rule, means 4 or more times
So the full grouped expression must appear at least 4 times.
