diff --git a/crowdsec-docs/docs/appsec/hooks.md b/crowdsec-docs/docs/appsec/hooks.md
index e21a7198..aff4a6c0 100644
--- a/crowdsec-docs/docs/appsec/hooks.md
+++ b/crowdsec-docs/docs/appsec/hooks.md
@@ -7,10 +7,11 @@ sidebar_position: 4
 The Application Security Component allows you to hook at different stages to change its behavior at runtime.
 
 The three phases are:
- - `on_load`: Called just after the rules have been loaded into the engine.
- - `pre_eval`: Called after a request has been received but before the rules are evaluated.
- - `post_eval`: Called after the rules have been evaluated.
- - `on_match`: Called after a successful match of a rule. If multiple rules, this hook will be called only once.
+
+- `on_load`: Called just after the rules have been loaded into the engine.
+- `pre_eval`: Called after a request has been received but before the rules are evaluated.
+- `post_eval`: Called after the rules have been evaluated.
+- `on_match`: Called after a successful match of a rule. If multiple rules, this hook will be called only once.
 
 ## Using hooks
 
@@ -22,27 +23,24 @@ Both `filter` and `apply` of the same phase have access to the same helpers.
 
 Except for `on_load`, hooks can be called twice per request: once for in-band processing and once for out-of-band processing, thus it is recommended to use the `IsInBand` and `IsOutBand` variables to filter the hook.
 
-
 Hooks have the following format:
 
 ```yaml
 on_match:
   - filter: IsInBand && 1 == 1
     apply:
-    - valid expression
-    - valid expression
+      - valid expression
+      - valid expression
 ```
 
 If the filter returns `true`, each of the expressions in the `apply` section are executed.
 
-
 <!-- once https://github.com/crowdsecurity/crowdsec-docs/issues/555 is fixed, document on_success-->
 
 ### `on_load`
 
 This hook is intended to be used to disable rules at loading (eg, to temporarily disable a rule that is causing false positives).
 
-
 #### Available helpers
 
 | Helper Name               | Type                                 | Description                                                                                             |
@@ -63,15 +61,14 @@ This hook is intended to be used to disable rules at loading (eg, to temporarily
 name: crowdsecurity/my-appsec-config
 default_remediation: ban
 inband_rules:
- - crowdsecurity/base-config
- - crowdsecurity/vpatch-*
+  - crowdsecurity/base-config
+  - crowdsecurity/vpatch-*
 on_load:
- - apply:
-    - RemoveInBandRuleByName("my_rule")
-    - SetRemediationByTag("my_tag", "captcha")
+  - apply:
+      - RemoveInBandRuleByName("my_rule")
+      - SetRemediationByTag("my_tag", "captcha")
 ```
 
-
 ### `pre_eval`
 
 This hook is intended to be used to disable rules only for this particular request (eg, to disable a rule for a specific IP).
@@ -92,6 +89,7 @@ This hook is intended to be used to disable rules only for this particular reque
 | `SetRemediationByID`      | `func(id int, remediation string)`   | Change the remediation of the in-band rule identified by the ID                                         |
 | `SetRemediationByName`    | `func(name str, remediation string)` | Change the remediation of the in-band rule identified by the name                                       |
 | `req`                     | `http.Request`                       | Original HTTP request received by the remediation component                                             |
+| `DropRequest`             | `func(reason str)`                   | Stop processing the request immediately and instruct the remediation component to block the request     |
 
 #### Example
 
@@ -99,12 +97,12 @@ This hook is intended to be used to disable rules only for this particular reque
 name: crowdsecurity/my-appsec-config
 default_remediation: ban
 inband_rules:
- - crowdsecurity/base-config
- - crowdsecurity/vpatch-*
+  - crowdsecurity/base-config
+  - crowdsecurity/vpatch-*
 pre_eval:
- - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1"
-   apply:
-    - RemoveInBandRuleByName("my_rule")
+  - filter: IsInBand == true && req.RemoteAddr == "192.168.1.1"
+    apply:
+      - RemoveInBandRuleByName("my_rule")
 ```
 
 ### `post_eval`
@@ -112,6 +110,7 @@ pre_eval:
 This hook is mostly intended for debugging or threat-hunting purposes.
 
 #### Available helpers
+
 | Helper Name   | Type           | Description                                                  |
 | ------------- | -------------- | ------------------------------------------------------------ |
 | `IsInBand`    | `bool`         | `true` if the request is in the in-band processing phase     |
@@ -124,25 +123,28 @@ This hook is mostly intended for debugging or threat-hunting purposes.
 In order to make `DumpRequest` write your request to a file, you have to call `DumpRequest().ToJSON()`, which will create a file in the OS temporary directory (eg, `/tmp` on Linux) with the following format: `crowdsec_req_dump_<RANDOM_PART>.json`.
 
 You can configure what is dumped with the following options:
- - `DumpRequest().NoFilters()`: Clear any previous filters (ie. dump everything)
- - `DumpRequest().WithEmptyHeadersFilters()`: Clear the headers filters, ie. dump all the headers
- - `DumpRequest().WithHeadersContentFilter(regexp string)`: Add a filter on the content of the headers, ie. dump only the headers that *do not* match the provided regular expression
- - `DumpRequest().WithHeadersNameFilter(regexp string)`: Add a filter on the name of the headers, ie. dump only the headers that *do not* match the provided regular expression
- - `DumpRequest().WithNoHeaders()`: Do not dump the request headers
- - `DumpRequest().WithHeaders()`: Dump all the request headers (override any previous filter)
- - `DumpRequest().WithBody()`: Dump the request body
- - `DumpRequest().WithNoBody()`: Do not dump the request body
- - `DumpRequest().WithEmptyArgsFilters()`: Clear the query parameters filters, ie. dump all the query parameters
- - `DumpRequest().WithArgsContentFilter(regexp string)`: Add a filter on the content of the query parameters, ie. dump only the query parameters that *do not* match the provided regular expression
- - `DumpRequest().WithArgsNameFilter(regexp string)`: Add a filter on the name of the query parameters, ie. dump only the query parameters that *do not* match the provided regular expression
+
+- `DumpRequest().NoFilters()`: Clear any previous filters (ie. dump everything)
+- `DumpRequest().WithEmptyHeadersFilters()`: Clear the headers filters, ie. dump all the headers
+- `DumpRequest().WithHeadersContentFilter(regexp string)`: Add a filter on the content of the headers, ie. dump only the headers that _do not_ match the provided regular expression
+- `DumpRequest().WithHeadersNameFilter(regexp string)`: Add a filter on the name of the headers, ie. dump only the headers that _do not_ match the provided regular expression
+- `DumpRequest().WithNoHeaders()`: Do not dump the request headers
+- `DumpRequest().WithHeaders()`: Dump all the request headers (override any previous filter)
+- `DumpRequest().WithBody()`: Dump the request body
+- `DumpRequest().WithNoBody()`: Do not dump the request body
+- `DumpRequest().WithEmptyArgsFilters()`: Clear the query parameters filters, ie. dump all the query parameters
+- `DumpRequest().WithArgsContentFilter(regexp string)`: Add a filter on the content of the query parameters, ie. dump only the query parameters that _do not_ match the provided regular expression
+- `DumpRequest().WithArgsNameFilter(regexp string)`: Add a filter on the name of the query parameters, ie. dump only the query parameters that _do not_ match the provided regular expression
 
 By default, everything is dumped.
 All regexps are case-insensitive.
 
-You can chain the options, for example: 
+You can chain the options, for example:
+
 ```
 DumpRequest().WithNoBody().WithArgsNameFilter("var1").WithArgsNameFilter("var2").ToJSON()
 ```
+
 This will discard the body of the request, remove the query parameters `var1` and `var2` from the dump, and dump everything else.
 
 #### Example
@@ -151,12 +153,12 @@ This will discard the body of the request, remove the query parameters `var1` an
 name: crowdsecurity/my-appsec-config
 default_remediation: ban
 inband_rules:
- - crowdsecurity/base-config
- - crowdsecurity/vpatch-*
+  - crowdsecurity/base-config
+  - crowdsecurity/vpatch-*
 post_eval:
- - filter: IsInBand == true
-   apply:
-    - DumpRequest().NoFilters().WithBody().ToJSON()
+  - filter: IsInBand == true
+    apply:
+      - DumpRequest().NoFilters().WithBody().ToJSON()
 ```
 
 ### `on_match`
@@ -165,19 +167,19 @@ This hook is intended to be used to change the behavior of the engine after a ma
 
 #### Available helpers
 
-| Helper Name      | Type                       | Description                                                               |
-| ---------------- | -------------------------- | ------------------------------------------------------------------------- |
-| `SetRemediation` | `func(remediation string)` | Change the remediation that will be returned to the remediation component |
-| `SetReturnCode`  | `func(code int)`           | Change the HTTP code that will be returned to the remediation component   |
-| `CancelAlert`    | `func()`                   | Prevent the Application Security Component to create a crowdsec alert     |
-| `SendAlert`      | `func()`                   | Force the Application Security Component to create a crowdsec alert       |
-| `CancelEvent`    | `func()`                   | Prevent the Application Security Component to create a crowdsec event     |
-| `SendEvent`      | `func()`                   | Force the Application Security Component to create a crowdsec event       |
-| `DumpRequest`    | `func()`                   | Dump the request to a file (see previous section for detailed usage)      |
-| `IsInBand`       | `bool`                     | `true` if the request is in the in-band processing phase                  |
-| `IsOutBand`      | `bool`                     | `true` if the request is in the out-of-band processing phase              |
-| `evt`            | `types.Event`              | [The event that has been generated](/docs/expr/event.md#appsec-helpers) by the Application Security Component   |
-| `req`            | `http.Request`             | Original HTTP request received by the remediation component               |
+| Helper Name      | Type                       | Description                                                                                                   |
+| ---------------- | -------------------------- | ------------------------------------------------------------------------------------------------------------- |
+| `SetRemediation` | `func(remediation string)` | Change the remediation that will be returned to the remediation component                                     |
+| `SetReturnCode`  | `func(code int)`           | Change the HTTP code that will be returned to the remediation component                                       |
+| `CancelAlert`    | `func()`                   | Prevent the Application Security Component to create a crowdsec alert                                         |
+| `SendAlert`      | `func()`                   | Force the Application Security Component to create a crowdsec alert                                           |
+| `CancelEvent`    | `func()`                   | Prevent the Application Security Component to create a crowdsec event                                         |
+| `SendEvent`      | `func()`                   | Force the Application Security Component to create a crowdsec event                                           |
+| `DumpRequest`    | `func()`                   | Dump the request to a file (see previous section for detailed usage)                                          |
+| `IsInBand`       | `bool`                     | `true` if the request is in the in-band processing phase                                                      |
+| `IsOutBand`      | `bool`                     | `true` if the request is in the out-of-band processing phase                                                  |
+| `evt`            | `types.Event`              | [The event that has been generated](/docs/expr/event.md#appsec-helpers) by the Application Security Component |
+| `req`            | `http.Request`             | Original HTTP request received by the remediation component                                                   |
 
 #### Example
 
@@ -209,8 +211,6 @@ post_eval:
 When using `SetRemediation*` helpers, the only special value is `allow`: the remediation component won't block the request.
 Any other values (including `ban` and `captcha`) are transmitted as-is to the remediation component.
 
-
-
 ### `req` object
 
 The `pre_eval`, `on_match` and `post_eval` hooks have access to a `req` variable that represents the HTTP request that was forwarded to the appsec.
@@ -218,7 +218,8 @@ The `pre_eval`, `on_match` and `post_eval` hooks have access to a `req` variable
 It's a Go [http.Request](https://pkg.go.dev/net/http#Request) object, so you can directly access all the details about the request.
 
 For example:
- - To get the requested URI: `req.URL.Path`
- - To get the client IP: `req.RemoteAddr`
- - To get the HTTP method: `req.Method`
- - To get the FQDN: `req.URL.Host`
+
+- To get the requested URI: `req.URL.Path`
+- To get the client IP: `req.RemoteAddr`
+- To get the HTTP method: `req.Method`
+- To get the FQDN: `req.URL.Host`
diff --git a/crowdsec-docs/docs/appsec/rules_examples.md b/crowdsec-docs/docs/appsec/rules_examples.md
index c543ea18..38c8ab05 100644
--- a/crowdsec-docs/docs/appsec/rules_examples.md
+++ b/crowdsec-docs/docs/appsec/rules_examples.md
@@ -11,21 +11,23 @@ This page showcases various WAF rule capabilities with real-world examples from
 ## 1. Header Analysis - Missing User Agent Detection
 
 ### Description
+
 Header inspection with count transform. Note that empty user agent-agent field or absent user-agent field is equivalent.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
       - zones:
-        - METHOD
+          - METHOD
         match:
           type: regex
-          value: '^GET|POST|PUT|DELETE|PATCH$'
+          value: "^GET|POST|PUT|DELETE|PATCH$"
       - zones:
-        - HEADERS
+          - HEADERS
         variables:
-         - "User-Agent"
+          - "User-Agent"
         transform:
           - count
         match:
@@ -34,6 +36,7 @@ rules:
 ```
 
 ### HTTP Request Example
+
 ```http
 GET / HTTP/1.1
 Host: example.com
@@ -41,47 +44,50 @@ User-Agent:
 ```
 
 ### Key Features Demonstrated
+
 - **Header inspection** using HEADERS zone
 - **Transform operations** with count() to check header existence
 - **HTTP method filtering** with regex patterns
 - **AND logic** combining multiple conditions
 
-
 ## 2. Request Body Analysis - JSON Path Extraction
 
 ### Description
+
 JSON path extraction with dot notation.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - METHOD
-      transform:
-      - uppercase
-      match:
-        type: equals
-        value: POST
-    - zones:
-      - URI
-      transform:
-      - lowercase
-      match:
-        type: contains
-        value: /rest/v1/guest-carts/1/estimate-shipping-methods
-    - zones:
-      - BODY_ARGS
-      variables:
-      - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
-      transform:
-        - lowercase
-      match:
-        type: contains
-        value: "<!entity"
+      - zones:
+          - METHOD
+        transform:
+          - uppercase
+        match:
+          type: equals
+          value: POST
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /rest/v1/guest-carts/1/estimate-shipping-methods
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: "<!entity"
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /rest/v1/guest-carts/1/estimate-shipping-methods HTTP/1.1
 Host: example.com
@@ -104,6 +110,7 @@ Content-Type: application/json
 ```
 
 ### Key Features Demonstrated
+
 - **Deep JSON path navigation** using dot notation
 - **Request body parsing** with BODY_ARGS zone
 - **Multiple transform operations** (uppercase, lowercase)
@@ -112,29 +119,33 @@ Content-Type: application/json
 ## 3. Query Parameter Inspection - SSTI Detection
 
 ### Description
+
 Multi-zone pattern matching (ARGS and RAW_BODY).
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - RAW_BODY
-      - ARGS
-      transform:
-      - lowercase
-      match:
-        type: contains
-        value: 'freemarker.template.utility.execute'
+      - zones:
+          - RAW_BODY
+          - ARGS
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: "freemarker.template.utility.execute"
 ```
 
 ### HTTP Request Example
+
 ```http
 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d HTTP/1.1
 Host: example.com
 ```
 
 ### Key Features Demonstrated
+
 - **URL parameter parsing** with ARGS zone
 - **Multiple zone matching** (RAW_BODY and ARGS)
 - **String transformation** with lowercase normalization
@@ -143,29 +154,33 @@ Host: example.com
 ## 4. File Upload Detection - WordPress PHP Execution
 
 ### Description
+
 URI regex matching with multiple transforms.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - URI
-      transform:
-      - lowercase
-      - urldecode
-      match:
-        type: regex
-        value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: regex
+          value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'
 ```
 
 ### HTTP Request Example
+
 ```http
 GET /wp-content/uploads/2024/10/test.php?exec=id HTTP/1.1
 Host: example.com
 ```
 
 ### Key Features Demonstrated
+
 - **URI path analysis** with regex pattern matching
 - **Multiple transforms** (lowercase and URL decoding)
 - **Complex regex patterns** for file extension detection
@@ -174,47 +189,50 @@ Host: example.com
 ## 5. HTTP Protocol Analysis - Form Data Validation
 
 ### Description
+
 Form data analysis with variable targeting.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - METHOD
-      transform:
-      - lowercase
-      match:
-        type: equals
-        value: post
-    - zones:
-      - URI
-      transform:
-      - lowercase
-      match:
-        type: endsWith
-        value: /boaform/admin/formlogin
-    - zones:
-      - BODY_ARGS
-      variables:
-       - username
-      transform:
-      - lowercase
-      match:
-        type: equals
-        value: "admin"
-    - zones:
-      - BODY_ARGS
-      variables:
-       - psd
-      transform:
-      - lowercase
-      match:
-        type: equals
-        value: "parks"
+      - zones:
+          - METHOD
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: post
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: endsWith
+          value: /boaform/admin/formlogin
+      - zones:
+          - BODY_ARGS
+        variables:
+          - username
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: "admin"
+      - zones:
+          - BODY_ARGS
+        variables:
+          - psd
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: "parks"
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /boaform/admin/formLogin HTTP/1.1
 Host: example.com
@@ -224,6 +242,7 @@ username=admin&psd=parks
 ```
 
 ### Key Features Demonstrated
+
 - **Form data analysis** with BODY_ARGS and specific variable targeting
 - **HTTP method validation** with case-insensitive matching
 - **URI endpoint matching** using endsWith comparison
@@ -232,9 +251,11 @@ username=admin&psd=parks
 ## 6. Header Names Analysis
 
 ### Description
+
 Header name inspection (HEADERS_NAMES zone).
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
@@ -262,6 +283,7 @@ rules:
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /mgmt/tm/util/bash HTTP/1.1
 Host: example.com
@@ -277,6 +299,7 @@ Content-Type: application/json
 ```
 
 ### Key Features Demonstrated
+
 - **Header name inspection** using HEADERS_NAMES zone
 - **Multiple header validation** combining different authentication headers
 - **Case-insensitive header matching** with lowercase transform
@@ -285,27 +308,31 @@ Content-Type: application/json
 ## 7. Simple URI Pattern Matching - Environment File Access
 
 ### Description
+
 Simple URI pattern matching with endsWith.
 
 ### Rule Example
+
 ```yaml
 rules:
   - zones:
-    - URI
+      - URI
     transform:
-    - lowercase
+      - lowercase
     match:
       type: endsWith
       value: .env
 ```
 
 ### HTTP Request Example
+
 ```http
 GET /foo/bar/.env HTTP/1.1
 Host: example.com
 ```
 
 ### Key Features Demonstrated
+
 - **Simple URI matching** without complex AND conditions
 - **File extension detection** using endsWith matcher
 - **Case normalization** with lowercase transform
@@ -314,36 +341,39 @@ Host: example.com
 ## 8. Regular Expression Validation - Command Injection Detection
 
 ### Description
+
 Regex pattern matching for input validation.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - METHOD
-      match:
-        type: equals
-        value: POST
-    - zones:
-      - URI
-      transform:
-      - lowercase
-      match:
-        type: endsWith
-        value: /boaform/admin/formping
-    - zones:
-      - BODY_ARGS
-      variables:
-      - target_addr
-      transform:
-      - lowercase
-      match:
-        type: regex
-        value: "[^a-f0-9:.]+"
+      - zones:
+          - METHOD
+        match:
+          type: equals
+          value: POST
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: endsWith
+          value: /boaform/admin/formping
+      - zones:
+          - BODY_ARGS
+        variables:
+          - target_addr
+        transform:
+          - lowercase
+        match:
+          type: regex
+          value: "[^a-f0-9:.]+"
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /boaform/admin/formPing HTTP/1.1
 Host: example.com
@@ -353,6 +383,7 @@ target_addr=1.2.3.4;cat /etc/passwd
 ```
 
 ### Key Features Demonstrated
+
 - **Regex pattern matching** for command injection detection
 - **Character class validation** to identify suspicious input
 - **Form parameter filtering** on specific variables
@@ -361,47 +392,50 @@ target_addr=1.2.3.4;cat /etc/passwd
 ## 9. Complex JSON Processing - Multi-condition XXE
 
 ### Description
+
 Multi-property JSON validation.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - METHOD
-      transform:
-      - lowercase
-      match:
-        type: equals
-        value: post
-    - zones:
-      - URI
-      transform:
-      - lowercase
-      match:
-        type: contains
-        value: /rest/v1/guest-carts/1/estimate-shipping-methods
-    - zones:
-      - BODY_ARGS
-      variables:
-      - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
-      transform:
-        - lowercase
-      match:
-        type: contains
-        value: "://"
-    - zones:
-      - BODY_ARGS
-      variables:
-      - json.address.totalsCollector.collectorList.totalCollector.sourceData.dataIsURL
-      transform:
-        - lowercase
-      match:
-        type: equals
-        value: "true"
+      - zones:
+          - METHOD
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: post
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /rest/v1/guest-carts/1/estimate-shipping-methods
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: "://"
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.address.totalsCollector.collectorList.totalCollector.sourceData.dataIsURL
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: "true"
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /rest/v1/guest-carts/1/estimate-shipping-methods HTTP/1.1
 Host: example.com
@@ -424,6 +458,7 @@ Content-Type: application/json
 ```
 
 ### Key Features Demonstrated
+
 - **Multi-property JSON validation** checking both data content and flags
 - **URL scheme detection** using contains match for "://"
 - **Boolean flag inspection** in JSON structures
@@ -432,23 +467,26 @@ Content-Type: application/json
 ## 10. Template Injection in Request Body - POST Data Analysis
 
 ### Description
+
 Raw body content analysis with multi-zone matching.
 
 ### Rule Example
+
 ```yaml
 rules:
   - and:
-    - zones:
-      - RAW_BODY
-      - ARGS
-      transform:
-      - lowercase
-      match:
-        type: contains
-        value: 'freemarker.template.utility.execute'
+      - zones:
+          - RAW_BODY
+          - ARGS
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: "freemarker.template.utility.execute"
 ```
 
 ### HTTP Request Example
+
 ```http
 POST /template/aui/text-inline.vm HTTP/1.1
 Host: example.com
@@ -459,6 +497,7 @@ label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).intern
 ```
 
 ### Key Features Demonstrated
+
 - **POST body content analysis** using RAW_BODY zone
 - **Template injection detection** through signature-based matching
 - **URL-encoded payload handling** in form submissions
@@ -475,9 +514,11 @@ Pre-evaluation hooks run before rules are evaluated, allowing you to modify rule
 ### 1. Disable Rules by Name
 
 #### Description
+
 Dynamically disable specific rules before evaluation.
 
 #### Hook Example
+
 ```yaml
 pre_eval:
   - filter: req.URL.Path == "/admin/upload"
@@ -486,14 +527,17 @@ pre_eval:
 ```
 
 #### Use Case
+
 Disable existing rules on specific endpoints.
 
 ### 2. Disable Rules by Tag
 
 #### Description
+
 Disable multiple rules sharing the same tag.
 
 #### Hook Example
+
 ```yaml
 pre_eval:
   - apply:
@@ -501,14 +545,17 @@ pre_eval:
 ```
 
 #### Use Case
+
 Disable all rules with a specific tag.
 
 ### 3. Change Rule Remediation by Name
 
 #### Description
+
 Modify the default remediation for specific rules.
 
 #### Hook Example
+
 ```yaml
 pre_eval:
   - apply:
@@ -516,14 +563,17 @@ pre_eval:
 ```
 
 #### Use Case
+
 Change a blocking rule to log-only mode for testing.
 
 ### 4. Disable Rules by ID
 
 #### Description
+
 Disable specific rules using their unique ID during request processing.
 
 #### Hook Example
+
 ```yaml
 pre_eval:
   - filter: req.Method == "DELETE"
@@ -532,8 +582,41 @@ pre_eval:
 ```
 
 #### Use Case
+
 Disable a specific rule by its ID for certain endpoints or conditions where the rule may cause false positives.
 
+### 5. GeoBlocking
+
+#### Description
+
+Block requests originating (or not) from specific countries.
+
+#### Hook Example
+
+This will block any requests not coming from the US or France.
+
+Note the empty value (`""`) in the list and the `?` after the call to `GeoIPEnrich`: this will allow IPs for which crowdsec was not able to get the country (eg, private IPs) and prevent the helper from returning `nil` which would break the evaluation.
+
+```yaml
+pre_eval:
+  - filter: IsInBand == true && GeoIPEnrich(req.RemoteAddr)?.Country.IsoCode not in ["FR", "US", ""]
+    apply:
+      - DropRequest("Forbidden Country")
+```
+
+If you want to disallow traffic from a specific country:
+
+```yaml
+pre_eval:
+  - filter: IsInBand == true && GeoIPEnrich(req.RemoteAddr)?.Country.IsoCode == "FR"
+    apply:
+      - DropRequest("Forbidden Country")
+```
+
+#### Use Case
+
+Automatically block traffic from unwanted countries.
+
 ## Post-Evaluation Phase (post_eval)
 
 Post-evaluation hooks run after rule evaluation is complete, primarily used for debugging and logging.
@@ -541,9 +624,11 @@ Post-evaluation hooks run after rule evaluation is complete, primarily used for
 ### 5. Debug Request Dumping
 
 #### Description
+
 Dump request details to file for debugging.
 
 #### Hook Example
+
 ```yaml
 post_eval:
   - filter: IsInBand == true
@@ -552,6 +637,7 @@ post_eval:
 ```
 
 #### Use Case
+
 Capture full request details for forensic analysis or debugging rule behavior.
 
 ## On-Match Phase (on_match)
@@ -561,9 +647,11 @@ On-match hooks run when a rule matches, allowing you to modify the response beha
 ### 6. Change HTTP Response Code
 
 #### Description
+
 Modify the HTTP status code returned to users when a rule matches.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsInBand == true
@@ -572,14 +660,17 @@ on_match:
 ```
 
 #### Use Case
+
 Return a 413 "Payload Too Large" instead of the default 403 when a rule triggers.
 
 ### 7. Change Remediation Action
 
 #### Description
+
 Dynamically change the remediation action from the default.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsInBand == true
@@ -588,14 +679,17 @@ on_match:
 ```
 
 #### Use Case
+
 Show a captcha instead of blocking the request for certain rule matches.
 
 ### 8. Allow Specific IPs
 
 #### Description
+
 Override blocking for trusted IP addresses.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsInBand == true && req.RemoteAddr == "192.168.1.100"
@@ -604,14 +698,17 @@ on_match:
 ```
 
 #### Use Case
+
 Allow internal/admin IPs to bypass security rules while keeping protection for others.
 
 ### 9. Cancel Alert Generation
 
 #### Description
+
 Prevent alert creation while keeping the request blocked.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsInBand == true
@@ -620,14 +717,17 @@ on_match:
 ```
 
 #### Use Case
+
 Block suspicious requests without generating alerts for known false positives.
 
 ### 10. Force Alert for Out-of-Band Rules
 
 #### Description
+
 Generate alerts for monitoring rules that normally only log.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsOutBand == true
@@ -636,14 +736,17 @@ on_match:
 ```
 
 #### Use Case
+
 Create alerts for reconnaissance attempts detected by monitoring rules.
 
 ### 11. Hook Flow Control
 
 #### Description
+
 Control execution of subsequent hooks with break/continue.
 
 #### Hook Example
+
 ```yaml
 on_match:
   - filter: IsInBand == true
@@ -656,6 +759,7 @@ on_match:
 ```
 
 #### Use Case
+
 Cancel event generation and stop processing further hooks.
 
 ## Hook Execution Phases Summary
@@ -676,4 +780,4 @@ These examples demonstrate the comprehensive capabilities of the CrowdSec WAF en
 - **Complex logic**: AND/OR conditions across multiple zones
 - **Variable targeting**: Specific parameter and header name filtering
 - **Dynamic behavior**: Hooks for runtime customization
-- **Security coverage**: XSS, SQLi, SSTI, XXE, RCE, and configuration exposure protection
\ No newline at end of file
+- **Security coverage**: XSS, SQLi, SSTI, XXE, RCE, and configuration exposure protection