Rule expressions use comparison operators to match request values and logical operators to combine conditions.
Comparison operators
Comparison operators compare an incoming request value against a value specified in an expression.
eq
Checks if the request value equals the specified value.
-
Operator name:
Equal to -
Value type:
String -
Example:
(http.host eq "www.example.com")
ne
Checks if the request value does not equal the specified value.
-
Operator name:
Not equal to -
Value type:
String -
Example:
(http.host ne "www.example.com")
contains
Checks if the request value contains the specified string.
-
Operator name:
Contains -
Value type:
String -
Example:
(http.host contains "example.com")
not...contains
Checks if the request value does not contain the specified string.
-
Operator name:
Does not contain -
Value type:
String -
Example:
(not http.host contains "example.com")
matches
Checks if the request value matches a specified regular expression (PCRE-compatible).
Only the Advanced and Enterprise plans support regular expressions.
-
Operator name:
Matches regex -
Value type:
String -
Example:
(http.host matches "(www|blog)\.example\.com")
not...matches
Checks if the request value does not match a specified regular expression (PCRE-compatible).
Only the Advanced and Enterprise plans support regular expressions.
-
Operator name:
Does not match regex -
Value type:
String -
Example:
(not http.host matches "(www|blog)\.example\.com")
in
Checks if the request value matches any value in a specified set. Use the $ symbol to reference a list.
-
Operator name:
Is in -
Value type:
Array -
Example:
(http.host in {"www.example-1.com" "www.example-2.com"})( ip.src in $<LIST_NAME>)
not...in
Checks if the request value does not match any value in a specified set. Use the $ symbol to reference a list.
-
Operator name:
Is not in -
Value type:
Array -
Example:
(not http.host in {"www.example-1.com" "www.example-2.com"})(not ip.src in $<LIST_NAME>)
starts_with
Checks if the request value starts with the specified string.
-
Operator name:
Starts with -
Value type:
String -
Example:
(starts_with(http.host, "blog"))
not starts_with
Checks if the request value does not start with the specified string.
-
Operator name:
Does not start with -
Value type:
String -
Example:
(not starts_with(http.host, "blog"))
ends_with
Checks if the request value ends with the specified string.
-
Operator name:
Ends with -
Value type:
String -
Example:
(ends_with(http.host, "cn"))
not ends_with
Checks if the request value does not end with the specified string.
-
Operator name:
Does not end with -
Value type:
String -
Example:
(not ends_with(http.host, "cn"))
le
Checks if the request value is less than or equal to the specified numeric value.
-
Operator name:
Less than or equal to -
Value type:
int -
Example:
(ip.geoip.asnum le 45104)
ge
Checks if the request value is greater than or equal to the specified numeric value.
-
Operator name:
Greater than or equal to -
Value type:
int -
Example:
(ip.geoip.asnum ge 45104)
lt
Checks if the request value is less than the specified numeric value.
-
Operator name:
Less than -
Value type:
int -
Example:
(ip.geoip.asnum lt 45104)
gt
Checks if the request value is greater than the specified numeric value.
-
Operator name:
Greater than -
Value type:
int -
Example:
(ip.geoip.asnum gt 45104)
len eq
Checks if the length of the request value equals the specified numeric value.
-
Operator name:
Length equals -
Value type:
String -
Example:
(len(http.request.cookies["session"]) eq 330688)
len gt
Checks if the length of the request value is greater than the specified numeric value.
-
Operator name:
Length is greater than -
Value type:
String -
Example:
(len(http.request.cookies["session"]) gt 330688)
len lt
Checks if the length of the request value is less than the specified numeric value.
-
Operator name:
Length is less than -
Value type:
String -
Example:
(len(http.request.cookies["session"]) lt 330688)
exists
Checks if a specified field or attribute exists in the request.
-
Operator name:
Exists -
Value type:
String -
Example:
(exists(http.request.headers["user-agent"]))
not exists
Checks if a specified field or attribute does not exist in the request.
-
Operator name:
Does not exist -
Value type:
String -
Example:
(not exists(http.request.headers["user-agent"]))
Other operators
lower
Converts the request value to lowercase for case-insensitive matching.
-
Operator name:
Case-insensitive -
Value type:
String -
Example:
(lower(http.request.uri))
Logical operators
Logical operators combine multiple expressions into a composite expression.
not
Negates an expression result, inverting true to false and vice versa.
-
Operator name:
Logical NOT -
Example:
not (http.host eq "www.example.com")
and
Returns true only when all combined expressions are true.
-
Operator name:
Logical AND -
Example:
((http.host eq "www.example.com") and (ip.geoip.country eq "CN"))
or
Returns true if any combined expression is true.
-
Operator name:
Logical OR -
Example:
((http.host eq "www.example.com") or (ip.geoip.country eq "CN"))
Grouping symbols
Use parentheses ( and ) to group expression parts and control evaluation order.
Grouping symbols are supported in the expression editor and the ESA API, but not in the expression builder.
Nested expression example:
(http.host eq "www.example.com" and ((http.referer in {"download.example.com"}) or (http.referer in {"image.example.com"})))