False-positive management

WAF-style controls can produce false positives. Dhal provides several ways to manage them.

Monitor first

Keep the global mode set to monitor until real traffic has been reviewed.

Suppressions

Use suppressions for reviewed exceptions.

{
  "policy": {
    "suppressions": [
      {
        "ruleId": "signature.xss",
        "route": "/api/content",
        "reason": "Known rich text editor payloads",
        "expiresAt": "2026-12-31T00:00:00.000Z"
      }
    ]
  }
}
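
An added example (not part of Dhal or its documentation): a Node.js check that audits the `policy.suppressions` array above for entries that are expired, close to expiry, or missing a field, so reviewed exceptions do not quietly become permanent. The field names come from the config shown; the `auditSuppressions` name, the 30-day warning window, the ISO 8601 UTC format check and the two extra sample entries are assumptions made for illustration.

```javascript
// Added example, not Dhal code. Field names are from the config above;
// the checks, the 30-day window and the timestamp format are assumptions.
const REQUIRED = ["ruleId", "route", "reason", "expiresAt"];
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;
const DAY_MS = 24 * 60 * 60 * 1000;

function auditSuppressions(config, now = new Date(), warnDays = 30) {
  const list = (config && config.policy && config.policy.suppressions) || [];
  const findings = [];
  list.forEach((entry, index) => {
    const add = (issue) =>
      findings.push({ index, route: entry.route || null, issue });
    // Every suppression should say what it suppresses, where, why and until when.
    for (const key of REQUIRED) {
      if (typeof entry[key] !== "string" || entry[key].trim() === "") {
        add(`missing ${key}`);
      }
    }
    if (typeof entry.expiresAt !== "string" || entry.expiresAt.trim() === "") return;
    const expires = new Date(entry.expiresAt);
    if (!ISO_UTC.test(entry.expiresAt) || Number.isNaN(expires.getTime())) {
      add("unparseable expiresAt");
      return;
    }
    const daysLeft = (expires.getTime() - now.getTime()) / DAY_MS;
    if (daysLeft <= 0) add("expired");
    else if (daysLeft <= warnDays) add("expires soon");
  });
  return findings;
}

// Constructed sample: the first entry is the one from the page, the other
// two (routes and values) are made up to trigger findings.
const sample = {
  policy: {
    suppressions: [
      { ruleId: "signature.xss", route: "/api/content",
        reason: "Known rich text editor payloads",
        expiresAt: "2026-12-31T00:00:00.000Z" },
      { ruleId: "signature.xss", route: "/api/comments",
        reason: "", expiresAt: "2024-01-01T00:00:00.000Z" },
      { ruleId: "signature.xss", route: "/api/preview",
        reason: "Pending review", expiresAt: "TBD" },
    ],
  },
};

console.log(auditSuppressions(sample, new Date("2026-01-01T00:00:00.000Z")));
```

Running a check like this in CI and failing on any finding forces each exception to be re-reviewed or removed before it lapses.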

Sampling

Use sampling to control event volume while preserving blocked events.

{
  "policy": {
    "sampling": {
      "enabled": true,
      "rate": 0.2,
      "includeBlocked": true,
      "includeWouldBlock": true
    }
  }
}

Replay fixtures

Turn every known false positive into a replay fixture.

npx dhal replay fixtures.replay.json --fail-on-block