IBM Cloud Docs

CIS rule sets

Select View CIS rules to reveal the rule sets of this package. Rule sets are as follows:

  • Drupal - Enable this rule set only if the Drupal CMS is used for this domain.
  • Flash[1] - Enable this rule set only if Adobe Flash content is used for this domain.
  • Joomla[2] - Enable this rule set only if the Joomla CMS is used for this domain.
  • Magento[3] - Enable this rule set only if the Magento CMS is used for this domain.
  • Miscellaneous - Contains rules to deal with known malicious traffic, or fix flaws in specific web applications.
  • PHP[4] - Enable this rule set if PHP is used for this domain.
  • Plone[5] - Enable this rule set only if the Plone CMS is used for this domain.
  • Specials - Contains a number of rules that were created to deal with specific attack types.
  • WHMCS[6] - Enable this rule set only if WHMCS is used for this domain.
  • Wordpress - Enable this rule set only if the WordPress CMS is used for this domain.

The Specials rule set contains a number of rules appropriate for virtually all applications and websites on the internet. This rule set is the core of the security that our WAF offers, with rules that target common attacks like SQLi, XSS, and LFI. It is recommended that you always enable Specials.

Enable only the rule sets that correspond to your technology stack. For instance, if you use WordPress, but no other technologies, enable only the Specials and Wordpress rule sets. Avoid enabling rule sets that are not relevant to your tech stack.

Select any of the specific rule sets to see further details about each of the rules included.

Within a CIS rule set, you can set one of the following actions on each rule:

  • Disable - Turns off the rule.
  • Log - Logs the event and does not block or challenge the visitor. You can still set the rule to Block or Challenge after you review the logs.
  • Block - Blocks the request entirely, with no option to bypass it for that request.
  • Challenge - Displays a challenge (CAPTCHA) page that must be completed before the request in question is allowed access.

You might notice that the names of the rules don't reveal exactly how they work and that they are mostly a general summary of their function. This is deliberate. For security purposes, CIS does not reveal the code (or other exact information) used to filter traffic. Withholding these details prevents malicious actors from reverse-engineering the rules to bypass our defenses.


  1. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.

  2. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.

  3. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.

  4. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.

  5. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.

  6. This rule set contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP rule set.