We have configured WAF Signatures in GCP cloud armor and been told to whitelist the signatures that cause Request rejections in case the URLs are legitimate regardless of other attributes. If this is the right way then is there a possibility that the real attacker could use the same whitelisted signature to attack the system.