Update content/controller/app-delivery/security/concepts/app-sec-default-policy-original.md
quantstruct-canvas-preview[bot] authored Sep 5, 2025
commit ee2bd668ee45e6fc87ed2103e922d1d0c88dcdd7
@@ -1,7 +1,7 @@
---
description: Learn about the default protections provided by F5 NGINX Controller App
Security.
docs: DOCS-479
nd-docs: DOCS-479
title: Default WAF Policy
toc: true
weight: 200
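Review bot: the frontmatter key rename from `docs: DOCS-479` to `nd-docs: DOCS-479` needs confirmation that no layout, link checker or build step still reads the old `docs` key, otherwise this page silently loses its document id after the change. Also in this hunk, the `description` value wraps onto a second line (`Security.`); an unquoted multi-line plain scalar is valid YAML, but quoting it as `description: "Learn about the default protections provided by F5 NGINX Controller App Security."` makes the intent explicit and avoids surprises in tooling that lints frontmatter.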
Expand Down Expand Up @@ -34,7 +34,7 @@ The default policy for NGINX Controller App Security WAF includes these security
| Malformed cookie | Validates that the cookie format is RFC compliant. |
| Illegal status code | Responses in the 400–500 range -- except for `400`, `401`, `404`, `407`, `417`, `503` -- are rejected. |
| Request size exceeds the buffer | Requests that exceed the buffer size |
| Maximum length for URL, header, query string, cookie, and POST data | URL length: 2048<br>Header length: 4096<br>Query string length: 2048<br>Cookie length: 4096<br>Post data length: 4096<br><br>{{< note >}} The whole request length is not checked. The entire request cannot exceed the maximum buffer size of 10 MB.{{< /note >}} |
| Maximum length for URL, header, query string, cookie, and POST data | URL length: 2048<br>Header length: 4096<br>Query string length: 2048<br>Cookie length: 4096<br>Post data length: 4096<br><br>{{< call-out "note" >}} The whole request length is not checked. The entire request cannot exceed the maximum buffer size of 10 MB.{{< /call-out >}} |
| Disallowed file type extension | These file types are disallowed: <ul><li>bak, bat, bck, bkp, cfg, conf, config, ini, log, old, sav, save, temp, tmp</li><li>bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm</li><li>cer, crt, der, key, p12, p7b, p7c, pem, pfx</li><li>dat, eml, hta, htr, htw, ida, idc, idq, nws, pol, printer, reg, wmz</li></ul> |
| Allowed methods | Only these HTTP methods are allowed:<ul><li>GET</li><li>HEAD</li><li>POST</li><li>PUT</li><li>PATCH</li><li>DELETE</li><li>OPTIONS</li></ul> |
| Character/Metacharacter validation in URL and header | Metacharacters are checked in the URL and header. |
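Review bot: the `{{< call-out "note" >}}` shortcode on the "Maximum length for URL, header, query string, cookie, and POST data" row now sits inside a pipe-table cell; please confirm the rendered table still parses, since a shortcode that emits block-level HTML inside a table cell can break the row and everything after it. While touching this table, the "Request size exceeds the buffer" description is a sentence fragment ("Requests that exceed the buffer size"); suggest "Requests that exceed the buffer size are rejected." so it reads like the other rows.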
Expand Down Expand Up @@ -83,14 +83,18 @@ The Violation Rating is a dimension in Security Violation Events. NGINX App Prot
- Threat campaigns
- Malformed request: unparsable header, malformed cookie, and malformed body (JSON or XML).

{{< note >}}
{{< call-out "note" >}}

With the default policy, all requests rejected by NGINX App Protect generate a Security Event in NGINX Controller. Requests with Violation Rating of `3 (Needs examination)` also generate a Security Event in NGINX Controller. All other requests do not generate a Security Event in NGINX Controller.

{{< /note >}}
{{< /call-out >}}

## Additional Information

### Practical Rate Limiting Examples

For practical, task-based examples of rate limiting configurations, see the dedicated examples page: [Rate Limiting Examples](https://docs.nginx.com/nginx/admin-guide/security-controls/rate-limiting-examples/).

### HTTP RFC Compliance Already Rejected By NGINX

Note the following events are blocked by NGINX Plus and not by the NGINX Controller App Security policy. These events are not reported in NGINX Controller as security violation events.
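Review bot: the new "Practical Rate Limiting Examples" subsection does not belong to the default WAF policy this page documents and points to the NGINX Plus admin guide with an absolute URL (`https://docs.nginx.com/nginx/admin-guide/security-controls/rate-limiting-examples/`); if it stays, a relative link survives site moves better, and one sentence explaining how rate limiting relates to the WAF policy would stop it reading as an unrelated insertion. The `{{< note >}}` to `{{< call-out "note" >}}` replacement here is consistent with the table-row change in the previous hunk. The "HTTP RFC Compliance Already Rejected By NGINX" heading introduces a list that is cut off at "Note the following events are blocked by NGINX Plus..."; confirm the list items that follow were carried over unchanged.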