This wizard lets you filter HTTP protocol oriented attributes (methods, content-type, declarative security, and information leakage attributes).
Want to create a new HTTP profile? Go to Security > HTTP Profiles and click the New HTTP Profile button.
Enter the name and description for the HTTP profile. Initially the user who creates the HTTP profile is the owner. When editing an HTTP profile, you can choose another owner.
Select to allow all HTTP request methods and detect violations. If selected, you have the option to block invalid request methods and/or TRACE and TRACK methods.
Select to deny all HTTP requests methods except those you explicitly allow. Enter the request types to be allowed. Use commas to separate request types.
Define handling for Accept-Encoding request headers.
Choose "Keep Accept-Encoding" to keep the HTTP header in the requests.
Define handling for suspicious HTTP request headers.
Choose "Detect Invalid Headers" to detect headers with empty names or invalid characters in the name.
Choose "Detect Repeated Headers" to detect multiple headers with the same name.
Choose "Detect Chunked Encoding" to detect headers with chunked encoding.
Allow or exclude certain request content types (e.g., application/xml) and file uploads.
Select to allow all request content types, but detect invalid content types. The WAF service will allow all valid MIME content, and detect all invalid content. If selected, file uploads will be allowed unless you select the Detect File Uploads check box.
Select to deny all request content types except for those you explicitly want to allow. If selected, specify the allowed content types in the field provided. Only the specified content types will be allowed.
In the "Allowed content types" field, enter the content types that you want to allow for a request. We have rules related to format and maximum length for defining content types. As WAF UI validates a request content type by its MIME type that is by type/subtype e.g. text/html, you are required to specify the same format when defining allowed content types for a request.
MIME types that you will specify can contain any letters from a to z and any numbers from 0 through 9, but no special characters such as #,$,!,& *. Maximum characters allowed for specifying a MIME type is 128 characters. The requests that have allowed MIME content types in the Content Type header are accepted.
The application shows an error message when a MIME type specified is not in proper format or the length of a MIME type that is type/subtype combination exceeds the maximum allowed length of 128 characters.
You also have the option to define custom rules to filter a request based on the full header "Content-Type" value. You can provide an exact value for full content type header or specify payloads that are forbidden e.g. deny requests posted as US-ASCII.
If you want to allow all requests that have the type “application”, subtype “json” and charset “UTF 8”, use our Custom Rule wizard to create a rule with this rule condition:
request.header "Content-Type" EQUAL "application/json; charset=UTF-8"
Then click the Actions tab and select “Allow” from the Actions drop-down field. See Custom Rules.
If you select this option we'll check that web requests respect the protocol part (e.g. "HTTP/1.1") of the "HTTP/1.1" specification (IETF RFC 2616). A web request respecting this specification looks like this: GET /directory/script.php?parameters HTTP/1.1. Specifically we'll check that the protocol part has the form "HTTP/" followed by a valid HTTP version number (0.9, 1.0, 1.1, ...). If the protocol part of a web request has one or more anomalies we will generate a security event.
You can enable XML/JSON parsing to validate that transmitted payload is XML/JSON compliant. Parsing is not enabled by default.
Provide values for:
Size: Maximum size of data parsed (in bytes). Note that the size of data can get inflated due to pattern reuse (e.g. reuse of XML entities). Size also includes extra payloads added for preventing against attacks. For example, to prevent a Billion laughs attack (a DoS attack aimed at XML parsers).
Item: Maximum number of items parsed. An "item" can be an attribute, element tag, etc. (Depending on format: whether XML or JSON).
Level: Maximum depth reachable when parsing structured content. This enables you to avoid parsing data with huge depth, but protects servers against DDOS attacks.
Select to enable server cloaking. If enabled, enter the web server name to display in the HTTP(S) server header.
This option allows you to remove certain headers, for example headers inserted by web frameworks or development kits.
Select to modify origin site responses to discourage browsers from guessing the MIME types.
Select to force a default content type on responses where the origin site provides none. If enabled, enter the default content type in the field provided.
Configure default character encoding for site responses.
Choose "None" to do nothing,
Choose "Apply when not set" to apply a default character encoding when none is set. Then choose a character encoding from the menu provided.
Choose "Always apply" to always apply a specific character encoding. Then choose a character encoding from the menu provided.
Select to enable a Content Security Policy header to restrict the sources from which a browser will accept content. If enabled, enter the content security policy header.
Enable HTTP Strict Transport Security (HSTS) header to let web sites inform browsers that they are accessible only via HTTPS secure connection. Maximum age is the time in seconds during which web sites can only be accessed by a browser using HTTPS. Enable Include sub domains to apply HSTS policy to sub domains of the host. For more information, refer RFC 6797.
You can modify origin responses to discourage clickjacking attacks against site visitors.
Choose "None" to do nothing, "No Framing" to deny framing or "Same-origin framing" to allow same-origin page framing.
Control browser-based cross-site scripting.
Choose "None" to do nothing, "Disable" to disable browser cross-site scripting detection, "Enable without blocking" to enable browser cross-site scripting detection without blocking, or "Enable with blocking" to enable browser cross-site scripting detection and blocking.