Add cookies, parameters and URLs

Add cookies

Cookies can be configured and managed directly within the policy editor by selecting the Cookies option.

Each cookie configuration includes:

  • Cookie Type: Explicit or Wildcard. For details on explicit and wildcard matching, see the Matching Types: Explicit vs Wildcard section.
  • Cookie Name: The name of the cookie to be monitored or protected
  • Enforcement Type:
    • Allow: Permits the cookie with optional attack signature checks
    • Disallow: Blocks the use of the cookie entirely
  • Attack Signatures: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable
  • Mask Value in Logs: When enabled, the cookie’s value will be masked in the request log for enhanced security and privacy

⚠️ Important: Attack Signatures are automatically set to “Not Applicable” when Enforcement Type is set to Disallow since the cookie is explicitly blocked and signature checking is unnecessary.

For a complete list of configurable cookie properties and options, see the Cookie Configuration Parameters documentation under the cookies section.

Select Edit Configuration to configure cookie violations. The following violations can be configured for cookies:

  • VIOL_COOKIE_EXPIRED: Triggered when a cookie’s timestamp is expired
  • VIOL_COOKIE_LENGTH: Triggered when cookie length exceeds the configured limit
  • VIOL_COOKIE_MALFORMED: Triggered when cookies are not RFC-compliant
  • VIOL_COOKIE_MODIFIED: Triggered when domain cookies have been tampered with

For each violation type, you can:

  • Set the enforcement action
  • Toggle alarm and block settings

For more details about enforcement modes, see the Glossary, specifically the entry: Enforcement mode.

See Supported Violations for additional details.

Adding a cookie to your policy

  1. Choose Cookie Type:

    • Select either Explicit for exact cookie matching or Wildcard for pattern-based matching
  2. Configure Basic Properties:

    • Enter the Cookie Name
    • Choose whether to mask the cookie value in logs
  3. Set Enforcement:

    • Choose whether to allow or disallow the cookie
    • If Allow Cookie is selected, you can optionally enable attack signatures
    • ⚠️ Important: Attack signatures cannot be enabled for disallowed cookies.
  4. Optional: Configure Attack Signatures

    • If enabled, you can overwrite attack signatures for this specific cookie
    • For details on signature configuration, refer to the documentation on Add Signature Sets
  5. Select Add Cookie to save your configuration

Add parameters

Parameters can be configured and managed directly within the policy editor by selecting the Parameters option.

Parameter properties and types

Each parameter configuration includes:

  • Parameter Type: Explicit or Wildcard. For details on explicit and wildcard matching, see the Matching Types: Explicit vs Wildcard section.
  • Name: The name of the parameter
  • Location: Where the parameter is expected (URL query string, POST data, etc.)
  • Value Type: The expected type of the parameter value (e.g., alpha-numeric, integer, email)
  • Attack Signatures: Whether attack signature checking is enabled for this parameter
  • Mask Value in Logs: When enabled, the parameter’s value will be masked in the request log for enhanced security and privacy

For a complete list of configurable parameter properties and options, see the Parameter Configuration Parameters documentation under the parameters section.

Parameter violations

Select Edit Configuration to configure parameter violations. The following violations can be configured for parameters:

  • VIOL_PARAMETER: Triggered when an illegal parameter is detected
  • VIOL_PARAMETER_ARRAY_VALUE: Triggered when an array parameter value is illegal
  • VIOL_PARAMETER_DATA_TYPE: Triggered when parameter data type doesn’t match configuration
  • VIOL_PARAMETER_EMPTY_VALUE: Triggered when a parameter value is empty but shouldn’t be
  • VIOL_PARAMETER_LOCATION: Triggered when a parameter is found in wrong location
  • VIOL_PARAMETER_NAME_METACHAR: Triggered when illegal meta characters are found in parameter name
  • VIOL_PARAMETER_NUMERIC_VALUE: Triggered when numeric parameter value is outside allowed range
  • VIOL_PARAMETER_REPEATED: Triggered when a parameter name is repeated illegally
  • VIOL_PARAMETER_STATIC_VALUE: Triggered when a static parameter value doesn’t match configuration
  • VIOL_PARAMETER_VALUE_LENGTH: Triggered when parameter value length exceeds limits
  • VIOL_PARAMETER_VALUE_METACHAR: Triggered when illegal meta characters are found in parameter value
  • VIOL_PARAMETER_VALUE_REGEXP: Triggered when parameter value doesn’t match required pattern

For each violation type, you can:

  • Set the enforcement action
  • Toggle alarm and block settings

For more details about enforcement modes, see the Glossary, specifically the entry: Enforcement mode.

See Supported Violations for additional details.
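How the parameter properties described earlier relate to several of these violation names, as an added Python sketch that is not the product's code or its policy schema. The field names (location, value_type, max_len, min, max, allow_empty), the regular expressions, the default length limit and the sample definitions are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed parameter definitions; field names are assumptions for this
# sketch, not the product's policy schema.
PARAMS = {
    "id":    {"location": "query", "value_type": "integer", "min": 1, "max": 9999},
    "email": {"location": "form", "value_type": "email", "max_len": 64},
    "note":  {"location": "form", "value_type": "alpha-numeric", "max_len": 20,
              "allow_empty": True},
}
# Assumed patterns standing in for the Value Type checks.
VALUE_PATTERNS = {
    "integer": re.compile(r"-?\d+"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "alpha-numeric": re.compile(r"[A-Za-z0-9]+"),
}

def check_parameters(query, form, params=PARAMS):
    """Return sorted (violation, parameter) pairs for one request."""
    found, seen = set(), set()
    for location, raw in (("query", query), ("form", form)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            spec = params.get(name)
            if spec is None:                      # not defined in the policy
                found.add(("VIOL_PARAMETER", name))
                continue
            if name in seen:                      # same name sent twice
                found.add(("VIOL_PARAMETER_REPEATED", name))
            seen.add(name)
            if spec["location"] != location:
                found.add(("VIOL_PARAMETER_LOCATION", name))
            if value == "":
                if not spec.get("allow_empty", False):
                    found.add(("VIOL_PARAMETER_EMPTY_VALUE", name))
                continue                          # nothing else to check
            if len(value) > spec.get("max_len", 256):
                found.add(("VIOL_PARAMETER_VALUE_LENGTH", name))
            if not VALUE_PATTERNS[spec["value_type"]].fullmatch(value):
                found.add(("VIOL_PARAMETER_DATA_TYPE", name))
            elif spec["value_type"] == "integer":
                n = int(value)                    # range check only for valid integers
                if n < spec.get("min", n) or n > spec.get("max", n):
                    found.add(("VIOL_PARAMETER_NUMERIC_VALUE", name))
    return sorted(found)
```

Whether a reported violation raises an alarm or blocks the request is decided separately by the enforcement action and alarm/block settings covered above.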

Adding a parameter to your policy

  1. Choose Parameter Type:

    • Select either Explicit for exact parameter matching or Wildcard for pattern-based matching
  2. Configure Basic Properties:

    • Enter the parameter Name
    • Select the Location where the parameter is expected
    • Choose the Value Type (alpha-numeric, integer, email, etc.)
    • Set the Data Type if applicable
  3. Set Security Options:

  4. Optional: Configure Attack Signatures

    • If enabled, you can overwrite attack signatures for this specific parameter
    • For details on signature configuration, refer to the documentation on Add Signature Sets
  5. Select Add Parameter to save your configuration

Add URLs

URLs can be configured and managed directly within the policy editor by selecting the URLs option.

URL properties and types

Each URL configuration includes:

  • URL Type: Explicit or Wildcard. For details on explicit and wildcard matching, see the Matching Types: Explicit vs Wildcard section.
  • Method: Specifies which HTTP methods are allowed (GET, POST, PUT, etc.)
  • Protocol: The protocol for the URL (HTTP/HTTPS)
  • Enforcement Type:
    • Allow: Permits access to the URL with optional attack signature checks
    • Disallow: Blocks access to the URL entirely
  • Attack Signatures: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable

⚠️ Important: Attack Signatures are automatically set to “Not Applicable” when Enforcement Type is set to Disallow since the URL is explicitly blocked and signature checking is unnecessary.

For a complete list of configurable URL properties and options, see the URL Configuration Parameters documentation under the urls section.

URL violations

Select Edit Configuration to configure URL violations. The following violations can be configured for URLs:

  • VIOL_URL: Triggered when an illegal URL is accessed
  • VIOL_URL_CONTENT_TYPE: Triggered when there’s an illegal request content type
  • VIOL_URL_LENGTH: Triggered when URL length exceeds the configured limit
  • VIOL_URL_METACHAR: Triggered when illegal meta characters are found in the URL

For each violation type, you can:

  • Set the enforcement action
  • Toggle alarm and block settings

For more details about enforcement modes, see the Glossary, specifically the entry: Enforcement mode.

See Supported Violations for additional details.

Adding a URL to your policy

  1. Choose URL Type:

    • Select either Explicit for exact URL matching or Wildcard for pattern-based matching
  2. Configure Basic Properties:

    • Enter the URL path
    • Select allowed Method(s) (e.g., GET, POST, *)
    • Choose the Protocol (HTTP/HTTPS)
  3. Set Enforcement:

    • Choose whether to allow or disallow the URL
    • If Allow URL is selected, you can optionally enable attack signatures
    • ⚠️ Important: Attack signatures cannot be enabled for disallowed URLs.
  4. Optional: Configure Attack Signatures

    • If enabled, you can overwrite attack signatures for this specific URL
    • For details on signature configuration, refer to the documentation on Add Signature Sets
  5. Select Add URL to save your configuration