We have a web app hosted in AWS. I want users to only reach specifics URIs not but not the home page of the app. For instance, if the app is reachable at https://mypublicapp.com, I only want the users to access https://mypublicapp.com/submit/d131dd02c5e6eec4/. The "d131dd02c5e6eec4" example hash value is different for different resources. When I take a look at how the app works using the DEV tools of the browser, the "Requested URL" is https://mypublicapp.com/submit**?key=**d131dd02c5e6eec4/ so the hash is sent as a query string in the headers under the value "key". At this point I could simply use the AWS waf to inspect the request header and reject everything that has no key as a query string. But the problem is that the web app, which I do not have control over, also does a request to the "/", so If I restrict the home page, I also restrict the access to the submit resource mentioned above. Any ideas on how to do the home block without blocking the resource?