Whilst Bunny Shield is designed to be a robust and simple-to-use feature, 'False Positive' triggers can sometimes occur. In essence, this means a rule within the Shield ecosystem has been triggered where you would not expect it to be. There are normally a few steps to take to identify what the trigger is and how to action it.
Event Logs
Event logs record how the asset/URL got triggered. They are currently only available via the API (Shield event documentation can be found here).
When these logs are pulled up, the JSON response includes a 'TriggerMatch' field that can be analyzed to determine how your file got blocked/logged.
Log Example:
{
"logId": "c5c09fe1-2071-486c-b6ba-4c43b45aeb09",
"timestamp": 1759913310543,
"log": "{\"ServerZoneId\":4,\"Message\":\"Restricted File Access Attempt\",\"Url\":\"https://bunnyexample.test/.env\",\"RemoteIp\":\"1.2.3.*\",\"UrlEncodedBody\":null,\"Headers\":[{\"Name\":\"Accept\",\"Value\":\"*/*\"},{\"Name\":\"Host\",\"Value\":\"bunnyexample.txt\"},{\"Name\":\"User-Agent\",\"Value\":\"Python/3.10 aiohttp/3.12.15\"},{\"Name\":\"Accept-Encoding\",\"Value\":\"identity\"},{\"Name\":\"X-Forwarded-Proto\",\"Value\":\"https\"},{\"Name\":\"CDN-RequestId\",\"Value\":\"e139c9b1d59675e24a8a25fadf9c324b\"}],\"TriggerMatch\":{\"Key\":\"PMF\",\"Value\":\"/.env\"}}",
"labels": {
"asn": "48090",
"country": "BG",
"ruleId": "930130",
"severity": "",
"method": "GET",
"ruleGroup": "",
"status": "Blocked",
"serverZone": "SG"
}
}
In this example, '/.env' is caught as it's determined to be a common vector of attack. The ruleId is an OWASP security standard rule (ruleset here, and the env trigger data file is here). This would be considered a valid block.
For more complex triggers, you may need to verify the matching trigger in the same way as above. For example, PHP rules can be triggered as a false positive due to open-ended PHP code (for example, <?php without a closing parenthesis or a closing ?>). This will be shown in the TriggerMatch, which can sometimes contain a larger body of content to analyze.
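One way to triage pulled event logs, as an added example (not bunny.net's own code): it decodes the nested log string, extracts the TriggerMatch, and reports which part of the request contained the matched value. The function names, the second event with its placeholder ruleId and Key, and the assumption that UrlEncodedBody holds the URL-encoded request body are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Trimmed copy of the page's log example; "log" is a JSON document stored as a string.
PAGE_EVENT = {
    "logId": "c5c09fe1-2071-486c-b6ba-4c43b45aeb09",
    "log": json.dumps({
        "Url": "https://bunnyexample.test/.env",
        "UrlEncodedBody": None,
        "Headers": [{"Name": "User-Agent", "Value": "Python/3.10 aiohttp/3.12.15"}],
        "TriggerMatch": {"Key": "PMF", "Value": "/.env"},
    }),
    "labels": {"ruleId": "930130", "method": "GET", "status": "Blocked"},
}
# Constructed event (not from the page): open-ended PHP submitted in a form body.
# Its ruleId and Key are placeholders, not real Shield values.
PHP_EVENT = {
    "logId": "constructed-0001",
    "log": json.dumps({
        "Url": "https://bunnyexample.test/admin/snippets",
        "UrlEncodedBody": "content=%3C%3Fphp+echo+1%3B",
        "Headers": [],
        "TriggerMatch": {"Key": "PLACEHOLDER", "Value": "<?php"},
    }),
    "labels": {"ruleId": "RULE-ID-PLACEHOLDER", "method": "POST", "status": "Blocked"},
}

def summarize(event):
    """Decode the nested log and report which part of the request matched."""
    inner = json.loads(event["log"])  # second decode of the embedded JSON string
    match = inner.get("TriggerMatch") or {}
    value = match.get("Value") or ""
    url = urlsplit(inner.get("Url") or "")
    parts = {  # checked in this order; the first part containing the value wins
        "path": url.path,
        "query": unquote_plus(url.query),
        "body": unquote_plus(inner.get("UrlEncodedBody") or ""),  # assumed encoding
        "header": "\n".join(h.get("Value") or "" for h in inner.get("Headers") or []),
    }
    where = next((name for name, text in parts.items() if value and value in text), "unknown")
    labels = event.get("labels") or {}
    return {"ruleId": labels.get("ruleId"), "status": labels.get("status"),
            "key": match.get("Key"), "value": value, "where": where, "url": inner.get("Url")}

def group_by_trigger(events):
    """Count events per (ruleId, matched value, location) to surface repeat triggers."""
    return Counter((s["ruleId"], s["value"], s["where"]) for s in map(summarize, events))
```

A trigger that repeats on the same path or body field of a known-good asset is the candidate for a scoped exception; a match on a path such as /.env is not.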
Mitigating the Trigger
There are usually 2 ways to mitigate the trigger.
Action the Rule triggered in Shield: This can be done by adding exceptions for your file/IP/user-agent in one of the Shield features.
Add an Edge Rule Exception: Edge Rules have the capability to disable parts (or all) of Shield based on a conditional trigger (e.g. disable WAF for jpeg extensions).
Disable the Shield Rule: This is not recommended, as it may unintentionally expose your domain to genuine bad actors. Use with caution.
If you have any doubts about possible false positive matches, please feel free to reach out to our Super Bunnies (support@bunny.net).