NGINX Documentation

Declarative Policy

policy

Field Name Type Description Allowed Values
applicationLanguage string The character encoding for the application. The character encoding determines how the policy processes the character sets. The default is utf-8.
  • big5
  • euc-jp
  • euc-kr
  • gb18030
  • gb2312
  • gbk
  • iso-8859-1
  • iso-8859-10
  • iso-8859-13
  • iso-8859-15
  • iso-8859-16
  • iso-8859-2
  • iso-8859-3
  • iso-8859-4
  • iso-8859-5
  • iso-8859-6
  • iso-8859-7
  • iso-8859-8
  • iso-8859-9
  • koi8-r
  • shift_jis
  • utf-8
  • windows-1250
  • windows-1251
  • windows-1252
  • windows-1253
  • windows-1255
  • windows-1256
  • windows-1257
  • windows-874
blocking-settings object    
caseInsensitive boolean Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration.  
character-sets array of objects    
cookie-settings object The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value.  
cookies array of objects    
data-guard object The Data Guard feature can prevent responses from exposing sensitive information by masking the data.  
description string Specifies the description of the policy.  
enablePassiveMode boolean In Passive Mode, traffic is analyzed but not modified in any way.  
enforcementMode string
How the system processes a request that triggers a security policy violation.
  • Blocking: When the enforcement mode is set to blocking, traffic is blocked if it causes a violation (configured for blocking).
  • Transparent: When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered.
Allowed values:
  • blocking
  • transparent
filetypes array of objects    
fullPath string The full name of the policy including partition.  
general object This section includes several advanced policy configuration settings.  
header-settings object The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value.  
json-profiles array of objects    
json-validation-files array of objects    
methods array of objects    
name string The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_).  
open-api-files array of objects    
parameters array of objects    
response-pages array of objects    
sensitive-parameters array of objects    
server-technologies array of objects    
signature-requirements object    
signature-sets array of objects    
signature-settings object    
signatures array of objects    
softwareVersion string    
threat-campaigns array of objects    
urls array of objects    
whitelist-ips array of objects    
xml-profiles array of objects    
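The constraints this reference states for a policy document (the `name` character set, the `applicationLanguage` list, the `enforcementMode` values, the `maximumHttpHeaderLength` rule from header-settings, the 500-character cookie name limit, the 254-character `regularExpression` limit and the data-guard `enforcementMode` values) collected into one sanity check. This is an added example, not NGINX App Protect's own validator; it assumes the document wraps the fields of the `policy` table in a top-level `"policy"` object, and the sample document is constructed here.

```python
import json
import re

# The applicationLanguage values listed in the `policy` table.
APPLICATION_LANGUAGES = {
    "big5", "euc-jp", "euc-kr", "gb18030", "gb2312", "gbk",
    "iso-8859-1", "iso-8859-10", "iso-8859-13", "iso-8859-15", "iso-8859-16",
    "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5", "iso-8859-6",
    "iso-8859-7", "iso-8859-8", "iso-8859-9", "koi8-r", "shift_jis", "utf-8",
    "windows-1250", "windows-1251", "windows-1252", "windows-1253",
    "windows-1255", "windows-1256", "windows-1257", "windows-874",
}
# policy.name: a-z, A-Z, 0-9, dot, dash, colon and underscore; no spaces.
NAME_RE = re.compile(r"[A-Za-z0-9.:_-]+")


def validate_policy(doc: dict) -> list:
    """Return human-readable problems; an empty list means every constraint
    checked here is satisfied. Only attributes that are present are judged,
    except applicationLanguage, whose documented default is utf-8."""
    problems = []
    policy = doc.get("policy")
    if not isinstance(policy, dict):
        return ['top-level "policy" object is missing']

    if not NAME_RE.fullmatch(policy.get("name", "")):
        problems.append("policy.name: allowed characters are a-z, A-Z, 0-9, dot, dash, colon and underscore")

    if policy.get("applicationLanguage", "utf-8") not in APPLICATION_LANGUAGES:
        problems.append("policy.applicationLanguage: not one of the documented character encodings")

    if "enforcementMode" in policy and policy["enforcementMode"] not in {"blocking", "transparent"}:
        problems.append("policy.enforcementMode: must be blocking or transparent")

    # header-settings.maximumHttpHeaderLength: 0 or "any" disables the limit,
    # otherwise it must be an integer greater than 0 and less than 65536.
    length = policy.get("header-settings", {}).get("maximumHttpHeaderLength")
    if length is not None and length not in (0, "any"):
        if not isinstance(length, int) or not 0 < length < 65536:
            problems.append('header-settings.maximumHttpHeaderLength: must be 1-65535, 0 or "any"')

    for i, cookie in enumerate(policy.get("cookies", [])):
        if len(cookie.get("name", "")) > 500:
            problems.append(f"cookies[{i}].name: longer than 500 characters")
        if "type" in cookie and cookie["type"] not in {"explicit", "wildcard"}:
            problems.append(f"cookies[{i}].type: must be explicit or wildcard")

    for i, param in enumerate(policy.get("parameters", [])):
        if param.get("enableRegularExpression") and len(param.get("regularExpression", "")) > 254:
            problems.append(f"parameters[{i}].regularExpression: longer than 254 characters")

    data_guard = policy.get("data-guard", {})
    if "enforcementMode" in data_guard and data_guard["enforcementMode"] not in {
        "enforce-urls-in-list", "ignore-urls-in-list"
    }:
        problems.append("data-guard.enforcementMode: must be enforce-urls-in-list or ignore-urls-in-list")
    return problems


# Constructed sample document: field names come from this reference, values
# are made up for the example.
SAMPLE_POLICY = json.loads("""
{
  "policy": {
    "name": "example_api_policy-v1",
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "header-settings": {"maximumHttpHeaderLength": 8192},
    "cookies": [
      {"name": "session", "type": "explicit", "enforcementType": "enforce"},
      {"name": "cookie_12*", "type": "wildcard", "wildcardOrder": 1, "enforcementType": "allow"}
    ],
    "parameters": [
      {"name": "id", "type": "explicit", "valueType": "user-input", "dataType": "integer"}
    ],
    "data-guard": {"enabled": true, "creditCardNumbers": true, "maskData": true,
                   "enforcementMode": "ignore-urls-in-list", "enforcementUrls": []}
  }
}
""")

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY) or "policy document passes all checks")
```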

open-api-files

Field Name Type Description Allowed Values
link string    

signature-requirements

Field Name Type Description Allowed Values
maxRevisionDatetime string    
minRevisionDatetime string    
tag string    

blocking-settings

Field Name Type Description Allowed Values
evasions array of objects    
http-protocols array of objects    
violations array of objects    

character-sets

Field Name Type Description Allowed Values
characterSet array of objects    
characterSetType string  
  • gwt-content
  • header
  • json-content
  • parameter-name
  • parameter-value
  • plain-text-content
  • url
  • xml-content

characterSet

Field Name Type Description Allowed Values
isAllowed boolean    
metachar string    

cookies

Field Name Type Description Allowed Values
accessibleOnlyThroughTheHttpProtocol boolean

Specifies, when true, that the system adds the HttpOnly attribute to the domain cookie’s response header. This is done to expose the cookie to only HTTP and HTTPS entities. This prevents the cookie from being modified, or intercepted even if it is not modified, by unwanted third parties that run scripts on the web page.

Notes:
  • The system does not validate that the cookie has not been modified or intercepted.
  • The feature covers all security policy cookies, both enforced and allowed, explicit and wildcard.
 
attackSignaturesCheck boolean Specifies, when true, that you want attack signatures and threat campaigns to be detected on this cookie and possibly override the security policy settings of an attack signature or threat campaign specifically for this cookie. After you enable this setting, the system displays a list of attack signatures and threat campaigns.  
enforcementType string

Specifies how the system treats this cookie.

  • enforced: Specifies that according to the security policy, this cookie may not be changed by the client.
  • allowed: Specifies that according to the security policy, this cookie may be changed by the client. The system ignores this cookie.
Allowed values:
  • allow
  • enforce
insertSameSiteAttribute string

The introduction of the SameSite HTTP attribute (defined in [RFC6265bis](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00)) allows you to declare whether your cookie should be restricted to a first-party or same-site context. Introducing the SameSite attribute on a cookie provides three different ways of controlling same-site vs. cross-site cookie sending:

  • strict: The cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser’s URL bar.
  • lax: Cookies will be sent with top-level navigation.
  • none-value: Cookies will be sent in a third-party context.
Allowed values:
  • lax
  • none
  • none-value
  • strict
name string

Specifies the cookie name as appearing in the http cookie header. The cookie name length is limited to 500 characters.

Names can be one of the following according to the type attribute:

  • explicit: Specifies that the cookie has a specific name and is not a wildcard entity. Type the name of a cookie exactly as you expect it to appear in the request.
  • wildcard: Specifies that any cookie that matches the listed wildcard expression should be treated according to the wildcard attributes. Type a wildcard expression that matches the expected cookie. For example, the wildcard expression cookie_12* of type Enforced specifies that the security policy should not allow modified domain cookies for all cookies which match cookie_12*.

The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.

  • *: Matches all characters
  • ?: Matches any single character
  • [abcde]: Matches exactly one of the characters listed
  • [!abcde]: Matches any character not listed
  • [a-e]: Matches exactly one character in the range
  • [!a-e]: Matches any character not in the range

Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard.

 
securedOverHttpsConnection boolean

Specifies, when true, that the system adds the Secure attribute to the domain cookie’s response header. This is done to ensure that the cookies are returned to the server only over SSL (by using the HTTPS protocol). This prevents the cookie from being intercepted, but does not guarantee its integrity.

Notes:
  • The system does not validate that the cookie was received over SSL.
  • The feature covers all security policy cookies, both enforced and allowed, explicit and wildcard.
 
type string Determines the type of the name attribute. Only when the type is set to wildcard will the special wildcard characters in the name be interpreted as such.
  • explicit
  • wildcard
wildcardOrder integer Specifies the order index for wildcard cookies matching. Wildcard cookies with lower wildcard order will get checked for a match prior to cookies with higher wildcard order.  

data-guard

Field Name Type Description Allowed Values
creditCardNumbers boolean If true the system considers credit card numbers as sensitive data.  
enabled boolean If true the system protects sensitive data.  
enforcementMode string

Specifies the URLs for which the system enforces data guard protection.

  • ignore-urls-in-list: Specifies that the system enforces data guard protection for all URLs except for those URLs in the Enforcement Mode list.
  • enforce-urls-in-list: Specifies that the system enforces data guard protection only for those URLs in the Enforcement Mode list.
Allowed values:
  • enforce-urls-in-list
  • ignore-urls-in-list
enforcementUrls array of strings List of URLs to be enforced based on the enforcement mode of data guard protection.  
maskData boolean If true the system intercepts the returned responses to mask sensitive data.  
usSocialSecurityNumbers boolean If true the system considers U.S. Social Security numbers as sensitive data.  

filetypes

Field Name Type Description Allowed Values
allowed boolean Determines whether the file type is allowed or disallowed. In either of these cases the VIOL_FILETYPE violation is issued (if enabled) for an incoming request:
  1. No allowed file type matched the file type of the request.
  2. The file type of the request matched a disallowed file type.
checkPostDataLength boolean Determines whether to enforce the maximum length restriction for the body, a.k.a. “POST data” part, of the requests that match the respective file type. The maximum length is determined by the postDataLength attribute. Although named “POST data”, this applies to any content type and is not restricted to POST requests, e.g. PUT requests are also checked. This attribute is relevant only to allowed file types.  
checkQueryStringLength boolean Determines whether to enforce maximum length restriction for the query string of the requests that match the respective file type. The maximum length is determined by queryStringLength attribute. This attribute is relevant only to allowed file types.  
checkRequestLength boolean Determines whether to enforce maximum length restriction for the total length of requests that match the respective file type. The maximum length is determined by requestLength attribute. This attribute is relevant only to allowed file types.  
checkUrlLength boolean Determines whether to enforce maximum length restriction for the URL of the requests that match the respective file type. The URL does not include the query string, past the &. The maximum length is determined by urlLength attribute. This attribute is relevant only to allowed file types.  
name string

Specifies the file type name as appearing in the URL extension. Names can be one of the following according to the type attribute:

  • Explicit - Specifies that the name is the literal file extension to which the file type refers. The type attribute has to be “explicit”.
  • No Extension - Specifies the empty file type, lacking file extension. For this the reserved string no_ext should be used. The type attribute has to be “explicit”.
  • Wildcard - Specifies that any file extension that matches the wildcard expression is matched to this file type in the policy. The type attribute has to be “wildcard”.

The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.

  • *: Matches all characters
  • ?: Matches any single character
  • [abcde]: Matches exactly one of the characters listed
  • [!abcde]: Matches any character not listed
  • [a-e]: Matches exactly one character in the range
  • [!a-e]: Matches any character not in the range

Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard.

 
postDataLength integer The maximum length in bytes of the body (POST data) of the request matching the file type. Enforced only if checkPostDataLength is set to true. If the value is exceeded then VIOL_POST_DATA_LENGTH violation is issued. This attribute is relevant only to allowed file types.  
queryStringLength integer The maximum length in bytes of the query string of the request matching the file type. Enforced only if checkQueryStringLength is set to true. If the value is exceeded then VIOL_QUERY_STRING_LENGTH violation is issued. This attribute is relevant only to allowed file types.  
requestLength integer The maximum total length in bytes of the request matching the file type. Enforced only if checkRequestLength is set to true. If the value is exceeded then VIOL_REQUEST_LENGTH violation is issued. This attribute is relevant only to allowed file types.  
responseCheck boolean Determines whether the responses to requests that match the respective file types are inspected for attack signature detection. This attribute is relevant only to allowed file types.  
type string Determines the type of the name attribute. Only when the type is set to wildcard will the special wildcard characters in the name be interpreted as such.
  • explicit
  • wildcard
urlLength integer The maximum length in bytes of the URL of the request matching the file type, excluding the query string. Enforced only if checkUrlLength is set to true. If the value is exceeded then VIOL_URL_LENGTH violation is issued. This attribute is relevant only to allowed file types.  
wildcardOrder integer    

general

Field Name Type Description Allowed Values
allowedResponseCodes array of integers You can specify which responses a security policy permits. By default, the system accepts all response codes from 100 to 399 as valid responses. Response codes from 400 to 599 are considered invalid unless added to the Allowed Response Status Codes list. By default, 400, 401, 404, 407, 417, and 503 are on the list as allowed HTTP response status codes.  
customXffHeaders array of strings If you require the system to trust a server further than one hop toward the client (the last proxy traversed), you can use the Custom XFF Headers setting to define a specific header that is inserted closer to, or at the client, that the system will trust. Additionally, if you require the system to trust a proxy server that uses a different header name than the X-Forwarded-For header name, you can add the desired header name to the Custom XFF Headers setting. When adding a custom header, the X-Forwarded-For header is not trusted anymore. In case the X-Forwarded-For header is to be trusted along with other headers, you must add it to the custom headers list.  
maskCreditCardNumbersInRequest boolean When enabled, the security policy masks credit card numbers that appear in any part of requests. The system does not mask the information in the actual requests, but rather in various logs:
  • Credit card numbers appearing in entity names are masked in the requests of the Requests log.
  • Credit card numbers appearing in entity values are masked wherever requests can be viewed: the Requests log, violation details within that log, manual learning, and reports.
This setting is enabled by default, and exists in addition to masking parameters defined as containing sensitive information.  
trustXff boolean

When enabled, the system has confidence in an XFF (X-Forwarded-For) header in the request. When disabled, the system does not have confidence in an XFF header in the request. The default setting is disabled.

Select this option if the system is deployed behind an internal or other trusted proxy. Then, the system uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address.

Leave this option disabled if you think the HTTP header may be spoofed, or crafted, by a malicious client. With this setting disabled, if the system is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address.
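The interaction of trustXff and customXffHeaders described above, worked through as an added example (not NGINX App Protect code): a listed custom header replaces X-Forwarded-For as the trusted source unless X-Forwarded-For is itself listed, and with trust disabled no header can change the client address. Assumptions not stated on the page: the rightmost entry of a trusted header is taken as the address that initiated the connection to the proxy, custom headers are tried in list order, and a missing trusted header falls back to the connection peer; the header name X-Edge-Client is constructed.

```python
def client_ip(peer_ip, headers, trust_xff=False, custom_xff_headers=()):
    """Return the address the policy should treat as the client.

    peer_ip:            address that opened the TCP connection to this system
    headers:            request headers as a dict (names matched case-insensitively)
    trust_xff:          the `trustXff` setting
    custom_xff_headers: the `customXffHeaders` list
    """
    if not trust_xff:
        # Header is not trusted at all: whatever a client puts in
        # X-Forwarded-For cannot influence the result.
        return peer_ip

    # Listing any custom header stops X-Forwarded-For from being trusted
    # unless X-Forwarded-For is itself in the list.
    trusted = list(custom_xff_headers) or ["X-Forwarded-For"]
    lowered = {name.lower(): value for name, value in headers.items()}
    for header in trusted:                      # assumption: list order = precedence
        value = lowered.get(header.lower(), "").strip()
        if value:
            # Assumption: each proxy appends the address of its own peer, so the
            # rightmost entry is the address that connected to the trusted proxy.
            return value.split(",")[-1].strip()
    return peer_ip  # trusted header absent: fall back to the connection peer


# Constructed scenario: client 203.0.113.7 connects through an internal proxy
# at 10.0.0.5 and has already placed a fake address in X-Forwarded-For, which
# the proxy then extends with the real peer address.
SPOOF_ATTEMPT = {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}

if __name__ == "__main__":
    print("trustXff off :", client_ip("10.0.0.5", SPOOF_ATTEMPT))
    print("trustXff on  :", client_ip("10.0.0.5", SPOOF_ATTEMPT, trust_xff=True))
```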

 

header-settings

Field Name Type Description Allowed Values
maximumHttpHeaderLength integer or string Maximum HTTP Header Length must be greater than 0 and less than 65536 bytes (64K). Note: if 0 or any are set, then no restriction on the HTTP header length is applied.
Allowed values:
  • Integer values
  • “any”

json-profiles

Field Name Type Description Allowed Values
attackSignaturesCheck boolean    
defenseAttributes object    
description string    
handleJsonValuesAsParameters boolean    
hasValidationFiles boolean    
metacharElementCheck boolean    
metacharOverrides array of objects    
name string    
signatureOverrides array of objects    
validationFiles array of objects    

defenseAttributes

Field Name Type Description Allowed Values
maximumArrayLength integer or string
Allowed values:
  • Integer values
  • “any”
maximumStructureDepth integer or string
Allowed values:
  • Integer values
  • “any”
maximumTotalLengthOfJSONData integer or string
Allowed values:
  • Integer values
  • “any”
maximumValueLength integer or string
Allowed values:
  • Integer values
  • “any”
tolerateJSONParsingWarnings boolean    

metacharOverrides

Field Name Type Description Allowed Values
isAllowed boolean    
metachar string    

signatureOverrides

Field Name Type Description Allowed Values
enabled boolean    
signatureId integer    

validationFiles

Field Name Type Description Allowed Values
importUrl string    
isPrimary boolean    
jsonValidationFile object    

json-validation-files

Field Name Type Description Allowed Values
contents string    
fileName string    
isBase64 boolean    

methods

Field Name Type Description Allowed Values
name string    

parameters

Field Name Type Description Allowed Values
allowEmptyValue boolean Determines whether an empty value is allowed for a parameter.  
allowRepeatedParameterName boolean Determines whether multiple parameter instances with the same name are allowed in one request.  
arraySerializationFormat string

Specifies the type of serialization for an array-of-primitives parameter. Serialization defines how multiple values are delimited, i.e. the format in which they can be transmitted and reconstructed later:

  • pipe: pipe-separated values. Array color=["blue","black"] -> color=blue|black.
  • form: ampersand-separated values. Array color=["blue","black"] -> color=blue,black.
  • matrix: semicolon-prefixed values. Array color=["blue","black"] -> ;color=blue,black.
  • tsv: tab-separated values. Array color=["blue","black"] -> color=blue\tblack (\t denotes a tab character).
  • csv: comma-separated values. Array color=["blue","black"] -> color=blue,black.
  • label: dot-prefixed values. Array color=["blue","black"] -> .blue.black.
  • multi: multiple parameter instances rather than multiple values. Array color=["blue","black"] -> color=blue&color=black.
  • ssv: space-separated values. Array color=["blue","black"] -> color=blue black.
  • multipart: defines an array of files.
Notes:
  • This attribute is relevant only for parameters with array valueType.
  • multi and form serializations can be defined for parameters with query, form-data or cookie locations only.
  • multipart serialization can be defined for parameters with form-data location only.
  • matrix and label serializations can be defined for parameters with path location only.
Allowed values:
  • csv
  • form
  • label
  • matrix
  • multi
  • multipart
  • pipe
  • ssv
  • tsv
arrayUniqueItemsCheck boolean Determines whether items in an array parameter must be unique. This attribute is relevant only for parameters with array valueType.  
attackSignaturesCheck boolean Determines whether attack signatures and threat campaigns must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric or binary dataType.  
checkMaxItemsInArray boolean Determines whether an array parameter has a restricted maximum number of items. This attribute is relevant only for parameters with array valueType.  
checkMaxValue boolean Determines whether the parameter has a restricted maximum value. This attribute is relevant only for parameters with integer or decimal dataType.  
checkMaxValueLength boolean Determines whether a parameter has a restricted maximum length for value.  
checkMetachars boolean Determines whether disallowed metacharacters must be detected in a parameter’s name. This attribute is relevant only for wildcard parameters with alpha-numeric dataType.  
checkMinItemsInArray boolean Determines whether an array parameter has a restricted minimum number of items. This attribute is relevant only for parameters with array valueType.  
checkMinValue boolean Determines whether a parameter has a restricted minimum value. This attribute is relevant only for parameters with integer or decimal dataType.  
checkMinValueLength boolean Determines whether a parameter has a restricted minimum length for value.  
checkMultipleOfValue boolean Determines whether a parameter’s value is a multiple of a number defined in multipleOf. This attribute is relevant only for parameters with integer or decimal dataType.  
contentProfile object    
dataType string

Specifies the data type of the parameter’s value:

  • none: system data type which is used by policy builder and cannot be set manually.
  • alpha-numeric: specifies that the value of the parameter can be any text consisting of letters, digits, and the underscore character.
  • binary: specifies there is no text limit for the value of a parameter (length checks only).
  • phone: specifies that the value of a parameter can be text in telephone number format only.
  • email: specifies that the value of a parameter must be text in email format only.
  • boolean: specifies that the value of a parameter must be boolean (only true and false values are allowed).
  • integer: specifies that the value of a parameter must be whole numbers only (no decimals).
  • decimal: specifies that the value of a parameter is numbers only and can include decimals.
Notes:
  • This attribute is relevant for parameters with array or user-input valueType only.
Allowed values:
  • alpha-numeric
  • binary
  • boolean
  • decimal
  • email
  • integer
  • none
  • phone
disallowFileUploadOfExecutables boolean Determines whether a parameter’s value is prohibited from containing binary executable content. This attribute is relevant only for parameters with binary dataType.  
enableRegularExpression boolean Determines whether the parameter value includes the pattern defined in regularExpression. This attribute is relevant only for parameters with alpha-numeric dataType.  
exclusiveMax boolean Determines whether the maximum value defined in maximumValue attribute is exclusive. This attribute is relevant only if checkMaxValue is set to true.  
exclusiveMin boolean Determines whether a minimum value defined in minimumValue attribute is exclusive. This attribute is relevant only if checkMinValue is set to true.  
explodeObjectSerialization boolean

Specifies whether array or object parameters should have separate values for each array item or object property. This attribute is relevant only if objectSerializationStyle is defined.

Notes:
  • This attribute is not relevant for parameters with deep-object, space-delimited or pipe-delimited objectSerializationStyle.
isBase64 boolean Determines whether a parameter’s value contains a Base64 encoded string. If the value is indeed Base64 encoded, the system decodes this value and continues with its security checks. This attribute is relevant only for parameters with alpha-numeric or binary dataType.  
isCookie boolean Determines whether a parameter is located in the value of Cookie header. parameterLocation attribute is ignored if isCookie is set to true.  
isHeader boolean Determines whether a parameter is located in headers as one of the headers. parameterLocation attribute is ignored if isHeader is set to true.  
level string Specifies whether the parameter is associated with a URL, a flow, or neither.
  • global
  • url
mandatory boolean Determines whether a parameter must exist in the request.  
maxItemsInArray integer Determines the restriction for the maximum number of items in an array parameter. This attribute is relevant only if checkMaxItemsInArray is set to true.  
maximumLength integer Determines the restriction for the maximum length of parameter’s value. This attribute is relevant only if checkMaxValueLength is set to true.  
maximumValue number Determines the restriction for the maximum value of parameter. This attribute is relevant only if checkMaxValue is set to true.  
metacharsOnParameterValueCheck boolean Determines whether disallowed metacharacters must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric dataType.  
minItemsInArray integer Determines the restriction for the minimum number of items in an array parameter. This attribute is relevant only if checkMinItemsInArray is set to true.  
minimumLength integer Determines the restriction for the minimum length of parameter’s value. This attribute is relevant only if checkMinValueLength is set to true.  
minimumValue number Determines the restriction for the minimum value of a parameter. This attribute is relevant only if checkMinValue is set to true.  
multipleOf number Determines the number by which a parameter’s value is divisible without remainder. This number must be positive and it may be a floating-point number. This attribute is relevant only if checkMultipleOfValue is set to true.  
name string

Specifies the name of a parameter which must be permitted in requests. The format of the name attribute differs depending on the type attribute:

  • explicit type: the name of the permitted parameter in the request must match literally.
  • wildcard type: the name of the permitted parameter in the request must match the wildcard expression.

The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.

  • *: Matches all characters
  • ?: Matches any single character
  • [abcde]: Matches exactly one of the characters listed
  • [!abcde]: Matches any character not listed
  • [a-e]: Matches exactly one character in the range
  • [!a-e]: Matches any character not in the range
Notes:
  • Wildcards do not match regular expressions. Do not use a regular expression as a wildcard.
  • An empty parameter name is allowed for the explicit type.
nameMetacharOverrides array of objects Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that has these metacharacters in the name. This attribute is relevant only if checkMetachars is set to true.  
objectSerializationStyle string

Specifies the type of serialization for an object or complex array parameter. Serialization defines how multiple values are delimited, i.e. the format in which they can be transmitted and reconstructed later:

  • pipe-delimited: pipe-separated values. Object color={"R":100,"G":200} -> color=R|100|G|200.
  • form: ampersand-separated values. Object color={"R":100,"G":200} -> color=R,100,G,200 if explodeObjectSerialization is set to false, or -> R=100&G=200 if explodeObjectSerialization is set to true.
  • space-delimited: space-separated values. Object color={"R":100,"G":200} -> color=R 100 G 200.
  • deep-object: rendering of nested objects. Object color={"R":100,"G":200} -> color[R]=100&color[G]=200.
  • matrix: semicolon-prefixed values. Object color={"R":100,"G":200} -> ;color=R,100,G,200 if explodeObjectSerialization is set to false, or -> ;R=100;G=200 if explodeObjectSerialization is set to true.
  • simple: comma-separated values. Object color={"R":100,"G":200} -> R,100,G,200 if explodeObjectSerialization is set to false, or -> R=100,G=200 if explodeObjectSerialization is set to true.
  • label: dot-prefixed values. Object color={"R":100,"G":200} -> .R.100.G.200 if explodeObjectSerialization is set to false, or -> .R=100.G=200 if explodeObjectSerialization is set to true.
Notes:
  • This attribute is relevant only for parameters with object or openapi-array valueType.
  • form serialization can be defined for a parameter with query, form-data or cookie locations only.
  • matrix and label serializations can be defined for an array parameter with path location only.
  • simple serialization can be defined for a parameter with path and header locations only.
  • deep-object serialization can be defined for a parameter with query or form-data locations only.
Allowed values:
  • deep-object
  • form
  • label
  • matrix
  • pipe-delimited
  • simple
  • space-delimited
parameterEnumValues array of strings Determines the set of possible parameter’s values. This attribute is not relevant for parameters with phone, email or binary dataType.  
parameterLocation string

Specifies the location of the parameter in the request:

  • any: in the query string, in POST data (body) or in the URL path.
  • query: in the query string.
  • form-data: in POST data (body).
  • cookie: in the value of the Cookie header.
  • path: in the URL path.
  • header: in the request headers.
Notes:
  • path location can be defined for a parameter with global level only.
  • path, header and cookie locations can be defined for a parameter with explicit type only.
  • header and cookie locations cannot be defined for a parameter with an empty name.
Allowed values:
  • any
  • cookie
  • form-data
  • header
  • path
  • query
regularExpression string

Determines a positive regular expression (PCRE) for a parameter’s value. This attribute is relevant only if enableRegularExpression is set to true.

Notes:
  • The length of a regular expression is limited to 254 characters.
 
sensitiveParameter boolean Determines whether a parameter is sensitive and must not be visible in logs or in the user interface. Instead of the actual value, a string of asterisks is shown for this parameter. Use it to protect sensitive user input, such as a password or a credit card number, in a validated request.  
signatureOverrides array of objects Determines attack signatures whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that matches these attack signatures. This attribute is relevant only if signatureOverrides is set to true.  
staticValues array of strings Determines the set of possible parameter’s values. This attribute is relevant for parameters with static-content valueType only.  
type string Specifies the type of the name attribute.
  • explicit
  • wildcard
url object    
valueMetacharOverrides array of objects Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that has these metacharacters in value. This attribute is relevant only if metacharsOnParameterValueCheck is set to true.  
valueType string

Specifies the type of the parameter’s value:

  • object: the parameter’s value is a complex object defined by a JSON schema.
  • dynamic-content: the parameter’s content changes dynamically.
  • openapi-array: the parameter’s value is a complex array defined by a JSON schema.
  • ignore: the system does not perform validity checks on the value of the parameter.
  • static-content: the parameter has a static, or pre-defined, value(s).
  • json: the parameter’s value is JSON data.
  • array: the parameter’s value is an array of primitives.
  • user-input: the parameter’s value is provided by user input.
  • xml: the parameter’s value is XML data.
  • auto-detect: the parameter’s value can be user input, XML data or JSON data. The system automatically classifies the type of value.
  • dynamic-parameter-name: the parameter’s name changes dynamically.
Notes:
  • dynamic-parameter-name value type can be defined for a parameter with flow level and explicit type only.
  • dynamic-content value type can be defined for a parameter with explicit type only.
Allowed values:
  • array
  • auto-detect
  • ignore
  • json
  • object
  • openapi-array
  • static-content
  • user-input
  • xml
wildcardOrder integer Specifies the order in which wildcard entities are organized. A request parameter is matched against the defined wildcard parameters in order from the smaller wildcardOrder to the larger.  

contentProfile

Field Name Type Description Allowed Values
contentProfile object    

contentProfile

Field Name Type Description Allowed Values
name string    

nameMetacharOverrides

Field Name Type Description Allowed Values
isAllowed boolean Specifies whether the metacharacter is permitted; when false, the character is prohibited.  
metachar string Specifies, in hexadecimal format, the character that receives the special allowance.  

signatureOverrides

Field Name Type Description Allowed Values
enabled boolean Specifies, when true, that the overridden signature is enforced.  
signatureId integer The signature ID which identifies the signature.  

valueMetacharOverrides

Field Name Type Description Allowed Values
isAllowed boolean Specifies whether the metacharacter is permitted; when false, the character is prohibited.  
metachar string Specifies, in hexadecimal format, the character that receives the special allowance.  

response-pages

Field Name Type Description Allowed Values
ajaxActionType string
Which content, or URL, the system sends to the client as a response to an AJAX request that does not comply with the security policy.
  • alert-popup: The system opens a message as a popup screen. Type the message the system displays in the popup screen, or leave the default text.
  • custom: A response text that will replace the frame or page which generated the AJAX request. The system provides additional options where you can type the response body you prefer.
  • redirect: The system redirects the user to a specific web page instead of viewing a response page. Type the web page’s full URL path, for example, http://www.redirectpage.com.
  • alert-popup
  • custom
  • redirect
ajaxCustomContent string Custom message typed by the user as the response to a blocked AJAX request.  
ajaxEnabled boolean When enabled, the system injects JavaScript code into responses. You must enable this toggle in order to configure an Application Security Manager AJAX response page which is returned when the system detects an AJAX request that does not comply with the security policy.  
ajaxPopupMessage string Default message provided by the system as the response to a blocked AJAX request. It can be edited by the user, but <%TS.request.ID()%> must be included in the message.  
ajaxRedirectUrl string The system redirects the user to a specific web page instead of viewing a response page. Type the web page’s full URL path, for example, http://www.redirectpage.com. To redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.  
responseActionType string
Which action the system takes, and which content the system sends to the client, as a response when the security policy blocks the client request.
  • custom: The system returns a response page with HTML code that the user defines.
  • default: The system returns the system-supplied response page in HTML. No further configuration is needed.
  • erase-cookies: The system deletes all client side domain cookies. This is done in order to block web application users once, and not from the entire web application. The system displays this text in the response page. You cannot edit this text.
  • redirect: The system redirects the user to a specific web page instead of viewing a response page. The system provides an additional setting where you can indicate the redirect web page.
  • soap-fault: Displays the system-supplied response written in SOAP fault message structure. Use this type when a SOAP request is blocked due to an XML related violation. You cannot edit this text.
  • custom
  • default
  • erase-cookies
  • redirect
  • soap-fault
responseContent string The content the system sends to the client in response to an illegal blocked request.  
responseHeader string The response headers that the system sends to the client as a response to an illegal blocked request.  
responsePageType string
The different types of blocking response pages which are available from the system:
  • ajax: The system sends the AJAX Blocking Response Page when the security policy blocks an AJAX request that does not comply with the security policy.
  • ajax-login: The system sends the AJAX Login Page Response after the user sends an AJAX request that attempts to directly access a URL that is allowed to be accessed only after visiting a login page.
  • captcha: The system sends the CAPTCHA response page when the system suspects that a session is being run by a bot rather than a human, especially in the case of a brute force attack.
  • captcha-fail: The system sends the CAPTCHA fail response page to a failed CAPTCHA challenge.
  • default: The system sends the default response when the security policy blocks a client request.
  • failed-login-honeypot: The Honeypot page is used for attacker deception. The page should look like the application’s failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation.
  • failed-login-honeypot-ajax: The Honeypot page is used for attacker deception in response to an AJAX request. The page should look like the application’s failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation.
  • hijack: The system sends the cookie hijacking response page when the system detects that an attacker tried to hijack the session.
  • leaked-credentials: The system sends the leaked credentials response when the system detects the use of stolen credentials.
  • leaked-credentials-ajax: The system sends the leaked credentials response following an AJAX request which includes usage of stolen credentials.
  • mobile: The system sends the mobile application response page when the system detects that a session is being run by a bot rather than a human.
  • persistent-flow: The system sends the login page response after the user violates one of the preconditions when requesting the target URL of a configured login page.
  • xml: The system sends the XML response page when the security policy blocks a client request that contains XML content that does not comply with the settings of an XML profile configured in the security policy.
  • ajax
  • ajax-login
  • captcha
  • captcha-fail
  • default
  • failed-login-honeypot
  • failed-login-honeypot-ajax
  • hijack
  • leaked-credentials
  • leaked-credentials-ajax
  • mobile
  • persistent-flow
  • xml
responseRedirectUrl string The particular URL to which the system redirects the user. To redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.  

sensitive-parameters

Field Name Type Description Allowed Values
name string Name of a parameter whose values the system should consider sensitive.  

server-technologies

Field Name Type Description Allowed Values
serverTechnologyName string Specifies the name of the selected policy. For example, PHP will add attack signatures that cover known PHP vulnerabilities.  

signature-sets

Field Name Type Description Allowed Values
alarm boolean If enabled, a request in which a signature from this signature set is detected is logged.  
block boolean If enabled, a request in which a signature from this signature set is detected is blocked.  
name string Signature set name.  

signature-settings

Field Name Type Description Allowed Values
attackSignatureFalsePositiveMode string  
  • detect
  • detect-and-allow
  • disabled
minimumAccuracyForAutoAddedSignatures string  
  • high
  • low
  • medium

signatures

Field Name Type Description Allowed Values
enabled boolean Specifies, if true, that the signature is enabled on the security policy. When false, the signature is disabled on the security policy.  
signatureId integer The signature ID which identifies the signature.  

threat-campaigns

Field Name Type Description Allowed Values
isEnabled boolean If enabled, the threat campaign is enforced in the security policy.  
name string Name of the threat campaign.  

urls

Field Name Type Description Allowed Values
attackSignaturesCheck boolean Specifies, when true, that you want attack signatures and threat campaigns to be detected on this URL and possibly override the security policy settings of an attack signature or threat campaign specifically for this URL. After you enable this setting, the system displays a list of attack signatures and threat campaigns.  
disallowFileUploadOfExecutables boolean    
isAllowed boolean If true, the URL is allowed by the security policy.  
mandatoryBody boolean A request body is mandatory. This is relevant for any method acting as POST.  
metacharOverrides array of objects To allow or disallow specific meta characters in the name of this specific URL (and thus override the global meta character settings).  
metacharsOnUrlCheck boolean Specifies, when true, that you want meta characters to be detected on this URL and possibly override the security policy settings of a meta character specifically for this URL. After you enable this setting, the system displays a list of meta characters.  
method string Unique ID of a URL with a protocol type and name. Select a Method for the URL to create an API endpoint: URL + Method.
  • ACL
  • BCOPY
  • BDELETE
  • BMOVE
  • BPROPFIND
  • BPROPPATCH
  • CHECKIN
  • CHECKOUT
  • CONNECT
  • COPY
  • DELETE
  • GET
  • HEAD
  • LINK
  • LOCK
  • MERGE
  • MKCOL
  • MKWORKSPACE
  • MOVE
  • NOTIFY
  • OPTIONS
  • PATCH
  • POLL
  • POST
  • PROPFIND
  • PROPPATCH
  • PUT
  • REPORT
  • RPC_IN_DATA
  • RPC_OUT_DATA
  • SEARCH
  • SUBSCRIBE
  • TRACE
  • TRACK
  • UNLINK
  • UNLOCK
  • UNSUBSCRIBE
  • VERSION_CONTROL
  • X-MS-ENUMATTS
  • *
methodOverrides array of objects Specifies a list of methods that are allowed or disallowed for a specific URL. The list overrides the list of methods allowed or disallowed globally at the policy level.  
methodsOverrideOnUrlCheck boolean Specifies, when true, that you want methods to be detected on this URL and possibly override the security policy settings of a method specifically for this URL. After you enable this setting, the system displays a list of methods.  
name string

Specifies an HTTP URL that the security policy allows. The available types are:

  • Explicit: Specifies that the URL has a specific name and is not a wildcard entity. Type the name of a URL exactly as you expect it to appear in the request.
  • Wildcard: Specifies that any URL that matches the listed wildcard expression should be treated according to the wildcard attributes. Type a wildcard expression that matches the expected URL. For example, entering the wildcard expression * specifies that any URL is allowed by the security policy.

The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.

  • *: Matches all characters
  • ?: Matches any single character
  • [abcde]: Matches exactly one of the characters listed
  • [!abcde]: Matches any character not listed
  • [a-e]: Matches exactly one character in the range
  • [!a-e]: Matches any character not in the range

Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard.

 
operationId string The operationId attribute is used as an OpenAPI endpoint identifier.  
positionalParameters array of objects When checked (enabled), positional parameters are enabled in the URL.  
protocol string Specifies whether the protocol for the URL is HTTP or HTTPS.
  • http
  • https
signatureOverrides array of objects Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this URL, and which action the security policy takes when it discovers a request for this URL that matches these attack signatures.  
type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
  • explicit
  • wildcard
urlContentProfiles array of objects Specifies how the system recognizes and enforces requests for this URL according to the requests’ header content. The system automatically creates a default header-based content profile for HTTP, and you cannot delete it. However, requests for a URL may contain other types of content, such as JSON, XML, or other proprietary formats.  
wildcardOrder integer Specifies the order index for wildcard URLs matching. Wildcard URLs with lower wildcard order will get checked for a match prior to URLs with higher wildcard order.  
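As an added example (not from the NGINX documentation), the following Python models how a request is matched against url entities using the shell-style wildcard syntax described above, the wildcardOrder precedence, and the policy-level caseInsensitive flag. The sample entity names, the rule that an explicit entity is tried before any wildcard, and the mapping of a miss or a disallowed entity to VIOL_URL are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# Constructed url entities (not from the page), using only fields the urls
# table defines: name, type, protocol, method, wildcardOrder and isAllowed.
@dataclass(frozen=True)
class UrlEntity:
    name: str
    type: str = "explicit"       # "explicit" or "wildcard"
    protocol: str = "https"      # "http" or "https"
    method: str = "*"            # one HTTP method, or "*" for any method
    wildcardOrder: int = 0       # lower order is checked first
    isAllowed: bool = True


SAMPLE_URLS: List[UrlEntity] = [
    UrlEntity("/login", "explicit", "https", "POST"),
    UrlEntity("/api/internal/*", "wildcard", "https", "*", 0, isAllowed=False),
    UrlEntity("/api/*", "wildcard", "https", "*", 1),
    UrlEntity("*", "wildcard", "https", "*", 2),       # catch-all, checked last
]


def _norm(text: str, case_insensitive: bool) -> str:
    # caseInsensitive policy flag: entities are stored lowercase, so compare lowercase.
    return text.lower() if case_insensitive else text


def resolve_url(entities: Iterable[UrlEntity], protocol: str, method: str,
                path: str, case_insensitive: bool = True) -> Optional[UrlEntity]:
    """Pick the entity that governs a request. Assumption: an explicit entity
    wins over any wildcard; wildcards are then tried in ascending wildcardOrder.
    Glob characters (* ? [abc] [!abc] [a-e]) are interpreted only for
    type == "wildcard", as the type field states."""
    entities = list(entities)

    def applies(e: UrlEntity) -> bool:
        return e.protocol == protocol and e.method in ("*", method)

    for e in entities:
        if e.type == "explicit" and applies(e) and \
                _norm(e.name, case_insensitive) == _norm(path, case_insensitive):
            return e
    wildcards = sorted((e for e in entities if e.type == "wildcard"),
                       key=lambda e: e.wildcardOrder)
    for e in wildcards:
        # fnmatchcase implements exactly the listed glob syntax; '*' also spans '/'.
        if applies(e) and fnmatchcase(_norm(path, case_insensitive),
                                      _norm(e.name, case_insensitive)):
            return e
    return None


def evaluate_request(entities: Iterable[UrlEntity], protocol: str, method: str,
                     path: str, case_insensitive: bool = True) -> Optional[str]:
    """Return None when the request is allowed, otherwise the violation name
    (modelled here as VIOL_URL for an unknown or disallowed URL)."""
    e = resolve_url(entities, protocol, method, path, case_insensitive)
    if e is None or not e.isAllowed:
        return "VIOL_URL"
    return None


if __name__ == "__main__":
    for req in [("https", "GET", "/api/users"), ("https", "GET", "/api/internal/debug"),
                ("https", "POST", "/LOGIN"), ("http", "GET", "/api/users")]:
        hit = resolve_url(SAMPLE_URLS, *req)
        print(req, "->", hit.name if hit else None, evaluate_request(SAMPLE_URLS, *req))
```

Note that the catch-all "*" entity only wins after every lower-ordered wildcard has failed, which is why a more specific disallowed prefix must carry a smaller wildcardOrder than the broader allowed one.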

metacharOverrides

Field Name Type Description Allowed Values
isAllowed boolean If true, metacharacters and other characters are allowed in a URL.  
metachar string ASCII representation of the character in hexadecimal format.  

methodOverrides

Field Name Type Description Allowed Values
allowed boolean Specifies that the system allows you to override allowed methods for this URL. When selected, the global policy settings for methods are listed, and you can change what is allowed or disallowed for this URL.  
method string Specifies a list of existing HTTP methods. All security policies accept standard HTTP methods by default.
  • ACL
  • BCOPY
  • BDELETE
  • BMOVE
  • BPROPFIND
  • BPROPPATCH
  • CHECKIN
  • CHECKOUT
  • CONNECT
  • COPY
  • DELETE
  • GET
  • HEAD
  • LINK
  • LOCK
  • MERGE
  • MKCOL
  • MKWORKSPACE
  • MOVE
  • NOTIFY
  • OPTIONS
  • PATCH
  • POLL
  • POST
  • PROPFIND
  • PROPPATCH
  • PUT
  • REPORT
  • RPC_IN_DATA
  • RPC_OUT_DATA
  • SEARCH
  • SUBSCRIBE
  • TRACE
  • TRACK
  • UNLINK
  • UNLOCK
  • UNSUBSCRIBE
  • VERSION_CONTROL
  • X-MS-ENUMATTS

positionalParameters

Field Name Type Description Allowed Values
parameter object    
urlSegmentIndex integer Select which to add: Text or Parameter and enter your desired segments. You can add multiple text and parameter segments.  

signatureOverrides

Field Name Type Description Allowed Values
enabled boolean Specifies, when true, that the overridden signature is enforced.  
signatureId integer The signature ID which identifies the signature.  

urlContentProfiles

Field Name Type Description Allowed Values
contentProfile object    
headerName string Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive.  
headerOrder
  • integer
  • string
Displays the order in which the system checks header content of requests for this URL.
  • Integer values
  • “default”
headerValue string Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive.  
type string
How the system handles the request body when the header content matches this profile:
  • apply-content-signatures (Apply Content Signatures): Do not parse the content; scan the entire payload with full-content attack signatures.
  • apply-value-and-content-signatures (Apply Value and Content Signatures): Do not parse the content or extract parameters; process the entire payload with value and full-content attack signatures.
  • disallow (Disallow): Block requests for a URL containing this header content. Log the Illegal Request Content Type violation.
  • do-nothing (Do Nothing): Do not inspect or parse the content. Handle the header of the request as specified by the security policy.
  • form-data (Form Data): Parse content as posted form data in either URL-encoded or multi-part formats. Enforce the form parameters according to the policy.
  • gwt (GWT): Perform checks for data in requests, based on the configuration of the GWT (Google Web Toolkit) profile associated with this URL.
  • json (JSON): Review JSON data using an associated JSON profile, and use value attack signatures to scan the element values.
  • xml (XML): Review XML data using an associated XML profile.
  • apply-content-signatures
  • apply-value-and-content-signatures
  • disallow
  • do-nothing
  • form-data
  • gwt
  • json
  • xml

contentProfile

Field Name Type Description Allowed Values
name string    

whitelist-ips

Field Name Type Description Allowed Values
blockRequests string
Specifies how the system responds to blocking requests sent from this IP address.
  • Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address.
  • Never Block: Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.
  • Always Block: Specifies that the system blocks requests sent from this IP address, provided that “IP is blacklisted” is set to Block under Policy Building Settings.
  • always
  • never
  • policy-default
description string Specifies a brief description of the IP address.  
ipAddress string Specifies the IP address that you want the system to trust.  
ipMask string Specifies the netmask of the exceptional IP address. This is an optional field.  

xml-profiles

Field Name Type Description Allowed Values
attackSignaturesCheck boolean    
defenseAttributes object    
description string    
name string    
signatureOverrides array of objects    

defenseAttributes

Field Name Type Description Allowed Values
allowCDATA boolean    
allowDTDs boolean    
allowExternalReferences boolean    
allowProcessingInstructions boolean    
maximumAttributeValueLength
  • integer
  • string
 
  • Integer values
  • “any”
maximumAttributesPerElement
  • integer
  • string
 
  • Integer values
  • “any”
maximumChildrenPerElement
  • integer
  • string
 
  • Integer values
  • “any”
maximumDocumentDepth
  • integer
  • string
 
  • Integer values
  • “any”
maximumDocumentSize
  • integer
  • string
 
  • Integer values
  • “any”
maximumElements
  • integer
  • string
 
  • Integer values
  • “any”
maximumNSDeclarations
  • integer
  • string
 
  • Integer values
  • “any”
maximumNameLength
  • integer
  • string
 
  • Integer values
  • “any”
maximumNamespaceLength
  • integer
  • string
 
  • Integer values
  • “any”
tolerateCloseTagShorthand boolean    
tolerateLeadingWhiteSpace boolean    
tolerateNumericNames boolean    

signatureOverrides

Field Name Type Description Allowed Values
enabled boolean    
signatureId integer    

evasions

Field Name Type Description Allowed Values
description string Human-readable name of sub-violation.
  • %u decoding
  • Apache whitespace
  • Bad unescape
  • Bare byte decoding
  • Directory traversals
  • IIS Unicode codepoints
  • IIS backslashes
  • Multiple decoding
enabled boolean Defines whether the sub-violation is enforced, that is, alarmed or blocked according to the blocking settings of the ‘Evasion technique detected’ (VIOL_EVASION) violation.  
maxDecodingPasses integer Defines how many times the system decodes URI and parameter values before the request is considered an evasion. Relevant only for the ‘Multiple decoding’ sub-violation.  
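As an added example (not from the NGINX documentation), this Python models the ‘Multiple decoding’ sub-violation: a value is URL-decoded at most maxDecodingPasses times and counts as an evasion if it would still decode further. The sample values and the exact counting rule are assumptions made for illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample values (not from the page): URI segments and parameter
# values as a request might carry them.
SAMPLE_VALUES: Dict[str, str] = {
    "plain": "report.pdf",
    "single": "hello%20world",
    "percent_literal": "discount%25",   # decodes to "discount%" and then stays stable
    "double": "%252e%252e%2f",          # needs two passes to become "../"
    "triple": "%25252e",                # needs three passes to become "."
}


def decode_with_limit(value: str, max_decoding_passes: int) -> Tuple[str, int, bool]:
    """Assumed semantics of maxDecodingPasses: decode until the value stops
    changing, but spend at most max_decoding_passes passes. Returns the
    decoded value, the passes used, and whether the budget was insufficient
    (the value would still decode further), which is the evasion condition."""
    current, passes = value, 0
    while passes < max_decoding_passes:
        decoded = unquote(current)
        if decoded == current:            # fixed point reached inside the budget
            return current, passes, False
        current, passes = decoded, passes + 1
    return current, passes, unquote(current) != current


def check_multiple_decoding(values: Dict[str, str], max_decoding_passes: int,
                            enabled: bool = True) -> List[str]:
    """Names of the values that would raise VIOL_EVASION under the
    'Multiple decoding' sub-violation; an unenforced sub-violation raises none."""
    if not enabled:
        return []
    return [name for name, raw in values.items()
            if decode_with_limit(raw, max_decoding_passes)[2]]


if __name__ == "__main__":
    for limit in (1, 2, 3):
        print(limit, check_multiple_decoding(SAMPLE_VALUES, limit))
```

A legitimately percent-encoded literal such as "discount%25" is not flagged, because after one pass it no longer changes; only values that need more passes than the configured budget trip the check.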

http-protocols

Field Name Type Description Allowed Values
description string Human-readable name of the sub-violation.
  • POST request with Content-Length: 0
  • Multiple host headers
  • Host header contains IP address
  • Null in request
  • Header name with no header value
  • Chunked request with Content-Length header
  • Check maximum number of parameters
  • Check maximum number of headers
  • Body in GET or HEAD requests
  • Bad multipart/form-data request parsing
  • Bad multipart parameters parsing
  • Unescaped space in URL
enabled boolean Defines whether the sub-violation is enforced, that is, alarmed or blocked according to the blocking settings of the ‘HTTP protocol compliance failed’ (VIOL_HTTP_PROTOCOL) violation.  
maxHeaders integer Defines the maximum allowed number of headers in a request. Relevant only for the ‘Check maximum number of headers’ sub-violation.  
maxParams integer Defines the maximum allowed number of parameters in a request. Relevant only for the ‘Check maximum number of parameters’ sub-violation.  

violations

Field Name Type Description Allowed Values
alarm boolean    
block boolean    
description string    
name string  
  • VIOL_ASM_COOKIE_MODIFIED
  • VIOL_BLACKLISTED_IP
  • VIOL_COOKIE_EXPIRED
  • VIOL_COOKIE_LENGTH
  • VIOL_COOKIE_MALFORMED
  • VIOL_COOKIE_MODIFIED
  • VIOL_DATA_GUARD
  • VIOL_ENCODING
  • VIOL_EVASION
  • VIOL_FILETYPE
  • VIOL_FILE_UPLOAD
  • VIOL_FILE_UPLOAD_IN_BODY
  • VIOL_HEADER_LENGTH
  • VIOL_HEADER_METACHAR
  • VIOL_HTTP_PROTOCOL
  • VIOL_HTTP_RESPONSE_STATUS
  • VIOL_JSON_FORMAT
  • VIOL_JSON_MALFORMED
  • VIOL_JSON_SCHEMA
  • VIOL_MANDATORY_PARAMETER
  • VIOL_MANDATORY_REQUEST_BODY
  • VIOL_METHOD
  • VIOL_PARAMETER
  • VIOL_PARAMETER_ARRAY_VALUE
  • VIOL_PARAMETER_DATA_TYPE
  • VIOL_PARAMETER_EMPTY_VALUE
  • VIOL_PARAMETER_LOCATION
  • VIOL_PARAMETER_MULTIPART_NULL_VALUE
  • VIOL_PARAMETER_NAME_METACHAR
  • VIOL_PARAMETER_NUMERIC_VALUE
  • VIOL_PARAMETER_REPEATED
  • VIOL_PARAMETER_STATIC_VALUE
  • VIOL_PARAMETER_VALUE_BASE64
  • VIOL_PARAMETER_VALUE_LENGTH
  • VIOL_PARAMETER_VALUE_METACHAR
  • VIOL_PARAMETER_VALUE_REGEXP
  • VIOL_POST_DATA_LENGTH
  • VIOL_QUERY_STRING_LENGTH
  • VIOL_RATING_THREAT
  • VIOL_RATING_NEED_EXAMINATION
  • VIOL_REQUEST_MAX_LENGTH
  • VIOL_REQUEST_LENGTH
  • VIOL_THREAT_CAMPAIGN
  • VIOL_URL
  • VIOL_URL_CONTENT_TYPE
  • VIOL_URL_LENGTH
  • VIOL_URL_METACHAR
  • VIOL_XML_FORMAT
  • VIOL_XML_MALFORMED