We have an application that no longer exists. A static page has been created (which will be up for 90 days) to tell the users that it no longer exists. Is there any best practice as to whether the ASM/WAF base policy should or shouldn't be applied to this temporary VIP?
As far as I know, it depends on how the service is hosted or the platform or a known issue on it.
You may not be vulnerable to a command injection because the site is static.
But it is possible to be vulnerable to command execution, poisoning, tampering, etc.
So, yes, I would apply a policy there, at least based on a platform.