XML content profile detects malformed content and detects signatures in the element values. It is possible to enforce a provided JSON schema and/or enable more size restrictions: maximum total length Of JSON data maximum value length maximum array length tolerate JSON parsing errors. Default policy checks maximum structure depth. JSON content profile detects malformed content and detects signatures and metacharacters in the property values. It is possible to add more such parameters. It is also possible to set the cookie attributes: HttpOnly, Secure and SameSite for cookies found in the response.ĭefault policy masks the “password” parameter in the security log. The user can add specific cookies, wildcards or explicit, that will be enforced for integrity. See Disallowed File Types list below.īy default all cookies are allowed and not enforced for integrity. Default includes a predefined list of file types. It is the combination of meta characters, attack signatures and other violations that indicates an actual threat that should be blocked and this is determined by Violation Rating. Metacharacters indicate suspicious traffic, but not necessarily an actual threat. Support only auto-detect parameter value type and acts according to the result: plain alphanumeric string, XML or JSON.ĭetected in parameter names, parameter values, URLs, headers and in JSON and XML content. These include directory traversal, bad escaped character and more.ĭetects and masks credit card and/or US social security numbers in responses.
These checks cannot be disabled.Īll evasion techniques are enabled by default and each can be disabled. Some of the checks enabled by default can be disabled, but others, such as bad HTTP version and null in request are performed by the NGINX parser and NGINX App Protect WAF only reports them. It is possible to enable any of these two. The default policy enables threat campaigns but it is possible to disable it through the respective violation.Īll HTTP protocol compliance checks are enabled by default except for GET with body and POST without body. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. These are patterns that detect all the known attack campaigns. Support adding signatures per added server technology. The user can disable any of them or add other sets. We show what is enabled in the default policy and the changes that the user can do on top of this policy.ĭefault policy covers all the OWASP top 10 attack patterns enabling signature sets detailed in a section below. The following security features are supported in NGINX App Protect WAF.
An example can be found in Configure Static Location. If configuration returns static content, it is recommended to add a location which enables App Protect, and proxies the request via proxy_pass to the internal static content location. When configuring NGINX App Protect WAF, app_protect_enable should always be enabled in a proxy_pass location. This guide also assumes that you have some familiarity with various Layer 7 (L7) Hypertext Transfer Protocol (HTTP) concepts, such as Uniform Resource Identifier (URI)/Uniform Resource Locator (URL), method, header, cookie, status code, request, response, and parameters.įor more information on the NGINX App Protect WAF security features, see NGINX App Protect WAF Terminology.
#Websphere homepage builder how to
This guide explains the NGINX App Protect WAF security features and how to use them. NGINX App Protect WAF Configuration Guide Overview