The rules engine is a very nice feature to use, but in some cases it falls short.

For example, I might have an API that I want to secure, where resource creation and management is limited to authorized users, and reading is public:

GET /api/items -> public
GET /api/items/* -> public
POST /api/items -> private
PUT /api/items -> private

The current rules options don't let me manage this, because the path is the same for many operations.

Instead, if I were able to filter by verb, I could easily setup a rule to forward to auth for all POST or PUT requests.