checkrd

Contradictory rules

An allow rule and a deny rule overlap — matching requests will always be denied because deny is evaluated first.

Deny rules are always evaluated before allow rules. When an allow rule and a deny rule both match the same request, the deny wins every time — the allow rule is effectively dead. This is almost always a policy authoring mistake.

The engine flags any allow rule whose match conditions overlap with a deny rule's match conditions in the same policy.

Example

```yaml
rules:
  - name: deny-stripe
    deny:
      method: [DELETE]
      url: "api.stripe.com/**"
  - name: allow-stripe # contradicts deny-stripe — deny is evaluated first
    allow:
      method: [DELETE]
      url: "api.stripe.com/**"
```

Fix

Narrow the match on one of the rules so they no longer overlap. In most cases the deny rule should be broader and the allow rule should target a more specific sub-path:

```yaml
rules:
  - name: deny-stripe-bulk-deletes
    deny:
      method: [DELETE]
      url: "api.stripe.com/v1/customers/**"
  - name: allow-stripe-refunds
    allow:
      method: [DELETE]
      url: "api.stripe.com/v1/charges/*/refund"
```
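The overlap check described above, as an added example that is not checkrd's own code: it runs over constructed Python dicts standing in for the two parsed policies, and assumes that `*` matches exactly one path segment, `**` matches zero or more segments, and a rule with no `method` list matches every method.

```python
from functools import lru_cache

# Constructed copies of the two policies above (parsed YAML as dicts).
CONTRADICTORY_POLICY = [
    {"name": "deny-stripe", "deny": {"method": ["DELETE"], "url": "api.stripe.com/**"}},
    {"name": "allow-stripe", "allow": {"method": ["DELETE"], "url": "api.stripe.com/**"}},
]
FIXED_POLICY = [
    {"name": "deny-stripe-bulk-deletes",
     "deny": {"method": ["DELETE"], "url": "api.stripe.com/v1/customers/**"}},
    {"name": "allow-stripe-refunds",
     "allow": {"method": ["DELETE"], "url": "api.stripe.com/v1/charges/*/refund"}},
]


@lru_cache(maxsize=None)
def _segments_overlap(a: tuple, b: tuple) -> bool:
    """True if some concrete path matches both segment patterns.
    Assumed glob semantics: '*' is one segment, '**' is zero or more."""
    if a and a[0] == "**":
        return _segments_overlap(a[1:], b) or (bool(b) and _segments_overlap(a, b[1:]))
    if b and b[0] == "**":
        return _segments_overlap(a, b[1:]) or (bool(a) and _segments_overlap(a[1:], b))
    if not a or not b:
        return not a and not b  # both exhausted at the same time
    if a[0] == "*" or b[0] == "*" or a[0] == b[0]:
        return _segments_overlap(a[1:], b[1:])
    return False


def urls_overlap(p: str, q: str) -> bool:
    return _segments_overlap(tuple(p.split("/")), tuple(q.split("/")))


def methods_overlap(m1, m2) -> bool:
    if m1 is None or m2 is None:  # assumed: no method list means any method
        return True
    return bool(set(m1) & set(m2))


def find_contradictions(rules):
    """Return (allow_name, deny_name) pairs where the deny shadows the allow."""
    denies = [(r["name"], r["deny"]) for r in rules if "deny" in r]
    findings = []
    for r in rules:
        if "allow" not in r:
            continue
        a = r["allow"]
        for dname, d in denies:
            if methods_overlap(a.get("method"), d.get("method")) and urls_overlap(a["url"], d["url"]):
                findings.append((r["name"], dname))
    return findings
```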