From b348dae4beb4d45ce74d49d6728afc714a4dc88c Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Fri, 6 Mar 2026 17:27:08 +0100
Subject: [PATCH] remove DetectionOnly WAF mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DetectionOnly was fundamentally broken in coraza-caddy (actually blocks
requests via anomaly scoring), caused massive audit log flooding, and the
threshold workaround had several issues:
- t:none is meaningless in a SecAction (no target to transform)
- SecRuleEngine directive ordering relative to SecAction is implementation-
  defined, making the override fragile
- host.mode ?? 'DetectionOnly' fallbacks silently gave any host without an
  explicit mode the broken DetectionOnly behaviour

Changes:
- Remove DetectionOnly from UI (global settings radio, per-host engine mode)
- Coerce legacy DB values of 'DetectionOnly' to 'On' in buildWafHandler
- Fix fallback defaults: host.mode ?? 'DetectionOnly' → host.mode ?? 'On'
- Fix action parsers: unknown mode defaults to 'On' (was 'DetectionOnly')
- Fix global settings defaultValue: ?? 'DetectionOnly' → ?? 'On' (or 'Off')
- Remove the fragile threshold SecAction workaround
- Update types: mode is now 'Off' | 'On' throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 app/(dashboard)/proxy-hosts/actions.ts         |  2 +-
 app/(dashboard)/settings/SettingsClient.tsx    |  6 ++----
 app/(dashboard)/settings/actions.ts            |  2 +-
 app/(dashboard)/waf-events/WafEventsClient.tsx |  2 +-
 src/components/proxy-hosts/WafFields.tsx       |  6 +++---
 src/lib/caddy.ts                               | 14 ++++----------
 src/lib/models/proxy-hosts.ts                  |  2 +-
 src/lib/settings.ts                            |  2 +-
 8 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/app/(dashboard)/proxy-hosts/actions.ts b/app/(dashboard)/proxy-hosts/actions.ts
index bc438b06..0e54ed4d 100644
--- a/app/(dashboard)/proxy-hosts/actions.ts
+++ b/app/(dashboard)/proxy-hosts/actions.ts
@@ -393,7 +393,7 @@ function parseWafConfig(formData: FormData): { waf?: WafHostConfig | null } {
   const wafMode: WafHostConfig["waf_mode"] = rawMode === "override" ? "override" : "merge";
   const rawEngineMode = formData.get("waf_engine_mode");
   const engineMode: WafHostConfig["mode"] =
-    rawEngineMode === "On" ? "On" : rawEngineMode === "Off" ? "Off" : rawEngineMode === "DetectionOnly" ? "DetectionOnly" : undefined;
+    rawEngineMode === "On" ? "On" : rawEngineMode === "Off" ? "Off" : undefined;
   const loadCrs = parseCheckbox(formData.get("waf_load_owasp_crs"));
   const customDirectives = typeof formData.get("waf_custom_directives") === "string"
     ? (formData.get("waf_custom_directives") as string).trim()
diff --git a/app/(dashboard)/settings/SettingsClient.tsx b/app/(dashboard)/settings/SettingsClient.tsx
index dc22a172..cbdf68fd 100644
--- a/app/(dashboard)/settings/SettingsClient.tsx
+++ b/app/(dashboard)/settings/SettingsClient.tsx
@@ -811,9 +811,8 @@ export default function SettingsClient({
               <FormLabel sx={{ fontSize: "0.75rem", fontWeight: 600, textTransform: "uppercase", letterSpacing: 0.5 }}>
                 Engine Mode
               </FormLabel>
-              <RadioGroup row name="waf_mode" defaultValue={globalWaf?.mode ?? "DetectionOnly"}>
+              <RadioGroup row name="waf_mode" defaultValue={globalWaf?.mode === "Off" ? "Off" : "On"}>
                 <FormControlLabel value="Off" control={<Radio size="small" />} label="Off" />
-                <FormControlLabel value="DetectionOnly" control={<Radio size="small" />} label="Detection Only" />
                 <FormControlLabel value="On" control={<Radio size="small" />} label="On (Blocking)" />
               </RadioGroup>
             </FormControl>
@@ -874,8 +873,7 @@ export default function SettingsClient({
               </Collapse>
             </Box>
             <Alert severity="info" sx={{ fontSize: "0.8rem" }}>
-              WAF events (blocked requests) are stored for 90 days and viewable under <strong>WAF Events</strong> in the sidebar.
-              Events only appear when the engine is set to <em>On (Blocking)</em> — Detection Only mode matches rules without blocking and produces no events here.
+              WAF events are stored for 90 days and viewable under <strong>WAF Events</strong> in the sidebar.
             </Alert>
             <Box sx={{ display: "flex", justifyContent: "flex-end" }}>
               <Button type="submit" variant="contained">
diff --git a/app/(dashboard)/settings/actions.ts b/app/(dashboard)/settings/actions.ts
index c5f77500..15235d69 100644
--- a/app/(dashboard)/settings/actions.ts
+++ b/app/(dashboard)/settings/actions.ts
@@ -697,7 +697,7 @@ export async function updateWafSettingsAction(_prevState: ActionResult | null, f
     const enabled = formData.get("waf_enabled") === "on";
     const rawMode = formData.get("waf_mode");
     const mode: WafSettings["mode"] =
-      rawMode === "On" ? "On" : rawMode === "Off" ? "Off" : "DetectionOnly";
+      rawMode === "Off" ? "Off" : "On";
     const loadOwasp = formData.get("waf_load_owasp_crs") === "on";
     const customDirectives = typeof formData.get("waf_custom_directives") === "string"
       ? (formData.get("waf_custom_directives") as string).trim()
diff --git a/app/(dashboard)/waf-events/WafEventsClient.tsx b/app/(dashboard)/waf-events/WafEventsClient.tsx
index cb9ac8e1..4714a8bb 100644
--- a/app/(dashboard)/waf-events/WafEventsClient.tsx
+++ b/app/(dashboard)/waf-events/WafEventsClient.tsx
@@ -469,7 +469,7 @@ export default function WafEventsClient({ events, pagination, initialSearch, glo
             columns={columns}
             data={events}
             keyField="id"
-            emptyMessage="No WAF events found. Enable the WAF in Settings and send some traffic — blocked requests appear when the engine is On, detected-only events appear in Detection Only mode."
+            emptyMessage="No WAF events found. Enable the WAF in Settings and send some traffic to see events here."
             pagination={pagination}
             onRowClick={setSelected}
           />
diff --git a/src/components/proxy-hosts/WafFields.tsx b/src/components/proxy-hosts/WafFields.tsx
index 773ab8cf..bfafe36f 100644
--- a/src/components/proxy-hosts/WafFields.tsx
+++ b/src/components/proxy-hosts/WafFields.tsx
@@ -20,7 +20,7 @@ import { type WafHostConfig } from "@/src/lib/models/proxy-hosts";
 import { WafRuleExclusions } from "./WafRuleExclusions";
 
 type WafMode = "merge" | "override";
-type EngineMode = "Off" | "DetectionOnly" | "On" | "inherit";
+type EngineMode = "Off" | "On" | "inherit";
 
 const QUICK_TEMPLATES = [
   { label: "Allow IP", snippet: `SecRule REMOTE_ADDR "@ipMatch 1.2.3.4" "id:9000,phase:1,allow,nolog,msg:'Allow IP'"` },
@@ -154,7 +154,7 @@ export function WafFields({ value, showModeSelector = true }: Props) {
             Engine Mode
           </Typography>
           <Stack direction="row" spacing={1} mt={0.75}>
-            {(["inherit", "Off", "DetectionOnly", "On"] as EngineMode[]).map((v) => (
+            {(["inherit", "Off", "On"] as EngineMode[]).map((v) => (
               <Box
                 key={v}
                 onClick={() => setEngineMode(v)}
@@ -187,7 +187,7 @@ export function WafFields({ value, showModeSelector = true }: Props) {
                   color={engineMode === v ? "error.main" : "text.secondary"}
                   sx={{ transition: "all 0.15s ease", fontSize: "0.8rem" }}
                 >
-                  {v === "DetectionOnly" ? "Detect only" : v === "inherit" ? "Global default" : v}
+                  {v === "inherit" ? "Global default" : v}
                 </Typography>
               </Box>
             ))}
diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index d05a5e38..c22ceff0 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -798,7 +798,7 @@ function resolveEffectiveWaf(
     if (!hostEnabled) return null;
     return {
       enabled: true,
-      mode: host.mode ?? 'DetectionOnly',
+      mode: host.mode ?? 'On',
       load_owasp_crs: host.load_owasp_crs ?? false,
       custom_directives: host.custom_directives ?? '',
       excluded_rule_ids: host.excluded_rule_ids,
@@ -822,7 +822,7 @@ function resolveEffectiveWaf(
   if (host?.enabled) {
     return {
       enabled: true,
-      mode: host.mode ?? 'DetectionOnly',
+      mode: host.mode ?? 'On',
       load_owasp_crs: host.load_owasp_crs ?? false,
       custom_directives: host.custom_directives ?? '',
       excluded_rule_ids: host.excluded_rule_ids,
@@ -844,14 +844,8 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
       'Include @owasp_crs/*.conf',
     ] : []),
     ...(waf.excluded_rule_ids?.length ? [`SecRuleRemoveById ${waf.excluded_rule_ids.join(' ')}`] : []),
-    `SecRuleEngine ${waf.mode}`,
-    // In DetectionOnly mode, coraza-caddy has a bug where it still blocks requests if the anomaly
-    // score exceeds the threshold (is_interrupted becomes true). Work around this by setting the
-    // inbound/outbound anomaly score thresholds to an unreachable value so rule 949110/980130
-    // never fires and no request is ever interrupted in DetectionOnly mode.
-    ...(waf.mode === 'DetectionOnly' ? [
-      'SecAction "id:9998001,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=9999999,setvar:tx.outbound_anomaly_score_threshold=9999999"',
-    ] : []),
+    // DetectionOnly is no longer exposed in the UI; legacy DB values are coerced to On.
+    `SecRuleEngine ${waf.mode === 'DetectionOnly' ? 'On' : waf.mode}`,
     // RelevantOnly logs transactions where a rule fired with the auditlog action (which all OWASP
     // CRS rules include via SecDefaultAction), covering both blocked and DetectionOnly hits.
     // Clean requests with no rule matches are silently skipped, avoiding massive log growth.
diff --git a/src/lib/models/proxy-hosts.ts b/src/lib/models/proxy-hosts.ts
index b8b1470d..d432aa71 100644
--- a/src/lib/models/proxy-hosts.ts
+++ b/src/lib/models/proxy-hosts.ts
@@ -29,7 +29,7 @@ export type WafMode = "merge" | "override";
 
 export type WafHostConfig = {
   enabled?: boolean;
-  mode?: 'Off' | 'DetectionOnly' | 'On';
+  mode?: 'Off' | 'On';
   load_owasp_crs?: boolean;
   custom_directives?: string;
   excluded_rule_ids?: number[];
diff --git a/src/lib/settings.ts b/src/lib/settings.ts
index 75bd1c77..d156a278 100644
--- a/src/lib/settings.ts
+++ b/src/lib/settings.ts
@@ -213,7 +213,7 @@ export async function saveGeoBlockSettings(settings: GeoBlockSettings): Promise<
 
 export type WafSettings = {
   enabled: boolean;
-  mode: 'Off' | 'DetectionOnly' | 'On';
+  mode: 'Off' | 'On';
   load_owasp_crs: boolean;
   custom_directives: string;
   excluded_rule_ids?: number[];