Policy parameter reference 2

Declarative Policy

policy

Field Name Type Description
access-profiles array of objects
applicationLanguage string The character encoding for the application. The character encoding determines how the policy processes the character sets. The default is utf-8.
blocking-settings object This section defines policy block/alarm behaviors.
bot-defense object This section defines the properties of the bot defense feature.
browser-definitions array of objects
brute-force-attack-preventions array of objects Defines configuration for the Brute Force Protection feature. There is a default configuration (one with the bruteForceProtectionForAllLoginPages flag and without a url) that applies to all configured login URLs unless another brute force configuration exists for a specific login page.
caseInsensitive boolean Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration.
character-sets array of objects
cookie-settings object The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value.
cookies array of objects This section defines Cookie entities for your policy. You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy:
csrf-protection object
csrf-urls array of objects
data-guard object Data Guard feature can prevent responses from exposing sensitive information by masking the data.
description string Specifies the description of the policy.
disallowed-geolocations array of objects Specifies a list of countries that may not access the web application.
enforcementMode string How the system processes a request that triggers a security policy violation.
enforcer-settings object This section contains all enforcer settings.
filetypes array of objects File types are a categorization of the URLs in the request by the extension appearing past the last dot at the end of the URL. For example, the file type of /index.php is "php". Other well known file types are html, aspx, png, jpeg and many more. A special case is the "empty" file type called "no-ext", meaning no extension: the URL has no dot in its last segment, as in /foo_no_dot. File types usually imply the expected content type in the response. For example, html and php return HTML content, while jpeg, png and gif return images, each in its respective format. File types also imply the server technology deployed for rendering the page, for example php (PHP), aspx (ASP) and many others. The security policy uses file types for several purposes:
1. Ability to define which file types are allowed and which are disallowed. By including the pure wildcard "*" file type and a list of disallowed file types you have a file type denylist. By having a list of explicit file types without the pure wildcard "*" you have a file type allowlist.
2. Each file type implies maximum length restrictions for the requests of that file type. The checked lengths are the URL, the query string, the total request length, and the payload (POST data).
3. Each file type determines whether to detect response signatures for requests of that file type. Typically, one would never check signatures for image file types.
fullPath string The full name of the policy including partition.
general object This section includes several advanced policy configuration settings.
graphql-profiles array of objects
grpc-profiles array of objects
header-settings object The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value.
headers array of objects This section defines Header entities for your policy.
host-names array of objects
idl-files array of objects
ip-address-lists array of objects An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy.
ip-intelligence object
json-profiles array of objects
json-validation-files array of objects
login-enforcement object
login-pages array of objects A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.
methods array of objects
name string The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_).
open-api-files array of objects
override-rules array of objects This section defines policy override rules.
parameters array of objects This section defines parameters that the security policy permits in requests.
performStaging boolean Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal.
response-pages array of objects The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page.
sensitive-parameters array of objects This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default.
server-technologies array of objects The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology.
signature-requirements array of objects
signature-sets array of objects Defines behavior when signatures found within a signature-set are detected in a request. Settings are cumulative, so if a signature is found in any set with block enabled, that signature will have block enabled.
signature-settings object
signatures array of objects This section defines the properties of a signature on the policy.
template object Specifies the template to populate the default attributes of a new policy.
threat-campaigns array of objects This section defines the enforcement state for the threat campaigns in the security policy.
urls array of objects In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists.
wafEngineVersion string
xml-profiles array of objects

open-api-files
Field Name Type Description
link string

template
Field Name Type Description
derivedFrom string
name string Specifies the name of the template used for the policy creation.

access-profiles

Field Name Type Description
description string
enforceMaximumLength boolean
enforceValidityPeriod boolean
keyFiles array of objects
location object
maximumLength integer
name string
type string
usernameExtraction object
verifyDigitalSignature boolean

keyFiles
Field Name Type Description
contents string
fileName string

location
Field Name Type Description
in string
name string

usernameExtraction
Field Name Type Description
claimPropertyName string
enabled boolean
isMandatory boolean

blocking-settings

Field Name Type Description
evasions array of objects This section defines the behavior of the 'Evasion technique detected' (VIOL_EVASION) violation's sub-violations. The user can control which sub-violations are enabled (alarmed/blocked). The behavior of sub-violations depends on the block/alarm settings of the 'Evasion technique detected' violation, defined in the /policy/blocking-settings/violations section:
http-protocols array of objects This section defines the behavior of the 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation's sub-violations. The user can control which sub-violations are enabled (alarmed/blocked). The behavior of sub-violations depends on the block/alarm settings of the 'HTTP protocol compliance failed' violation,
violations array of objects

bot-defense

Field Name Type Description
mitigations object This section defines the mitigation to each class or signature.
settings object This section contains all bot defense settings.

browser-definitions

Field Name Type Description
isUserDefined boolean
matchRegex string
matchString string
name string

brute-force-attack-preventions

Field Name Type Description
bruteForceProtectionForAllLoginPages boolean When enabled, enables Brute Force Protection for all configured login URLs. When disabled, only brute force configurations for specific login pages are applied in case they exist.
loginAttemptsFromTheSameIp object Specifies the configuration for detecting brute force attacks from an IP address.
loginAttemptsFromTheSameUser object Specifies the configuration for detecting brute force attacks for a username.
reEnableLoginAfter integer minimum: 60 maximum: 90000 Defines prevention period (measured in seconds) for source-based brute force attacks.
sourceBasedProtectionDetectionPeriod integer minimum: 60 maximum: 90000 Defines detection period (measured in seconds) for source-based brute force attacks.
url object Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature.

loginAttemptsFromTheSameIp
Field Name Type Description
action string Specifies the action that is applied when the defined threshold is reached.
enabled boolean When enabled, the system counts failed login attempts from the IP address.
threshold integer minimum: 1 maximum: 1000 After the configured threshold (number of failed login attempts from the IP address) is reached, the defined action is applied to the next login attempt.

loginAttemptsFromTheSameUser
Field Name Type Description
action string Specifies the action that is applied when the defined threshold is reached.
enabled boolean When enabled, the system counts failed login attempts for each username.
threshold integer minimum: 1 maximum: 100 After the configured threshold (number of failed login attempts for each username) is reached, the defined action is applied to the next login attempt.

character-sets

Field Name Type Description
characterSet array of objects
characterSetType string

characterSet
Field Name Type Description
isAllowed boolean
metachar string

cookie-settings

Field Name Type Description
maximumCookieHeaderLength
• integer minimum: 1 maximum: 65536
• string
Maximum Cookie Header Length must be greater than 0 and less than 65536 bytes (64K). Note: if 0 or "any" is set, then no restriction on the cookie header length is applied.

cookies

Field Name Type Description
accessibleOnlyThroughTheHttpProtocol boolean Specifies, when true, that the system adds the HttpOnly attribute to the domain cookie’s response header. This is done to expose the cookie to only HTTP and HTTPS entities. This prevents the cookie from being modified, or intercepted even if it is not modified, by unwanted third parties that run scripts on the web page. Notes:
attackSignaturesCheck boolean Specifies, when true, that you want attack signatures and threat campaigns to be detected on this cookie and possibly override the security policy settings of an attack signature or threat campaign specifically for this cookie. After you enable this setting, the system displays a list of attack signatures and threat campaigns.
decodeValueAsBase64 string Specifies whether the system should detect or require values to be Base64 encoded:
enforcementType string Specifies how the system treats this cookie.
insertSameSiteAttribute string The introduction of the SameSite http attribute (defined in RFC6265bis) allows you to declare if your cookie should be restricted to a first-party or same-site context. Introducing the SameSite attribute on a cookie provides three different ways of controlling same-site vs. cross-site cookie sending:
maskValueInLogs boolean Specifies, when true, that the cookie’s value will be masked in the request log.
name string Specifies the cookie name as appearing in the http cookie header. The cookie name length is limited to 500 characters. Names can be one of the following according to the type attribute:
securedOverHttpsConnection boolean Specifies, when true, that the system adds the Secure attribute to the domain cookie’s response header. This is done to ensure that the cookies are returned to the server only over SSL (by using the HTTPS protocol). This prevents the cookie from being intercepted, but does not guarantee its integrity. Notes:
signatureOverrides array of objects Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this cookie, and which action the security policy takes when it discovers a request for this cookie that matches these attack signatures.
type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
wildcardOrder integer Specifies the order index for wildcard cookies matching. Wildcard cookies with lower wildcard order will get checked for a match prior to cookies with higher wildcard order.

signatureOverrides
Field Name Type Description
enabled boolean Specifies, when true, that the overridden signature is enforced.
name string The signature name which, along with the signature tag, identifies the signature.
signatureId integer The signature ID which identifies the signature.
tag string The signature tag which, along with the signature name, identifies the signature.
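The cookies section above lists the attributes the policy can insert on a cookie. The following declarative policy fragment, added here as an illustration and not taken from this reference or from the NGINX App Protect documentation, shows an enforced session cookie with HttpOnly, Secure and SameSite=Strict set and its value masked in logs, followed by a wildcard entry that allows every other cookie. The policy name, template name, cookie name and the enumeration values "enforce", "allow", "explicit", "wildcard" and "strict" are assumptions of this example rather than values listed on this page.

```json
{
  "policy": {
    "name": "session_cookie_hardening_example",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
    "cookies": [
      {
        "name": "session_id",
        "type": "explicit",
        "enforcementType": "enforce",
        "accessibleOnlyThroughTheHttpProtocol": true,
        "securedOverHttpsConnection": true,
        "insertSameSiteAttribute": "strict",
        "maskValueInLogs": true,
        "attackSignaturesCheck": true,
        "signatureOverrides": []
      },
      {
        "name": "*",
        "type": "wildcard",
        "enforcementType": "allow",
        "wildcardOrder": 1,
        "attackSignaturesCheck": true
      }
    ]
  }
}
```

The explicit entry is matched before the wildcard because only wildcard cookies are ordered by wildcardOrder; the Secure attribute keeps the cookie off plaintext connections but, as the reference notes, does not protect its integrity, which is what the enforced type and signature checks add.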

csrf-protection

Field Name Type Description
enabled boolean
expirationTimeInSeconds
• integer
• string
sslOnly boolean

csrf-urls

Field Name Type Description
enforcementAction string
method string
url string
wildcardOrder integer

data-guard

Field Name Type Description
creditCardNumbers boolean If true the system considers credit card numbers as sensitive data.
customPatterns boolean If true the system recognizes customized patterns as sensitive data.
customPatternsList array of strings List of PCRE regular expressions that specify the sensitive data patterns.
enabled boolean If true the system protects sensitive data.
enforcementMode string Specifies the URLs for which the system enforces data guard protection.
enforcementUrls array of strings List of URLS to be enforced based on enforcement mode of data guard protection.
firstCustomCharactersToExpose integer minimum: 0 maximum: 255 Specifies the number of first alphanumeric characters in Custom patterns that are exposed.
lastCustomCharactersToExpose integer minimum: 0 maximum: 255 Specifies the number of last alphanumeric characters in Custom patterns that are exposed.
maskData boolean If true the system intercepts the returned responses to mask sensitive data.
usSocialSecurityNumbers boolean If true the system considers U.S Social Security numbers as sensitive data.
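The data-guard fields above describe masking of sensitive response data. The fragment below is an added example, not part of this reference or of the NGINX App Protect documentation, that enables the built-in credit card and U.S. Social Security number detectors, adds a custom PCRE pattern, exposes only the first two and last four alphanumeric characters of a custom match, and limits enforcement to a list of URLs. The policy name, the custom pattern (a loose IBAN-like shape constructed for this example), the URL list and the enforcementMode value "enforce-urls-in-list" are assumptions of this example and are not values listed on this page.

```json
{
  "policy": {
    "name": "data_guard_example",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
    "data-guard": {
      "enabled": true,
      "maskData": true,
      "creditCardNumbers": true,
      "usSocialSecurityNumbers": true,
      "customPatterns": true,
      "customPatternsList": [
        "[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}"
      ],
      "firstCustomCharactersToExpose": 2,
      "lastCustomCharactersToExpose": 4,
      "enforcementMode": "enforce-urls-in-list",
      "enforcementUrls": [
        "/account/*",
        "/api/customers/*"
      ]
    }
  }
}
```

With maskData set to true the response body is rewritten before it reaches the client; with it set to false the match is only reported. Keep custom patterns specific, since a broad expression applied to every response on the listed URLs masks legitimate content as readily as sensitive data.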

disallowed-geolocations

Field Name Type Description
countryCode string Specifies the ISO country code of the selected country.
countryName string Specifies the name of the country.

enforcer-settings

Field Name Type Description
enforcerStateCookies object This section defines the properties of the enforcer state cookies.

enforcerStateCookies
Field Name Type Description
httpOnlyAttribute boolean Specifies, when true, that the system adds the state cookie HttpOnly attribute.
sameSiteAttribute string The value for the state cookie SameSite attribute:
secureAttribute string The value for the state cookie Secure attribute:

filetypes

Field Name Type Description
allowed boolean Determines whether the file type is allowed or disallowed. In either of these cases the VIOL_FILETYPE violation is issued (if enabled) for an incoming request:
1. No allowed file type matched the file type of the request.
2. The file type of the request matched a disallowed file type.
checkPostDataLength boolean Determines whether to enforce maximum length restriction for the body, a.k.a. "POST data" part of the requests that match the respective file type. The maximum length is determined by postDataLength attribute. Although named "POST data", this applies to any content type and not restricted to POST requests, e.g. PUT requests are also checked. This attribute is relevant only to allowed file types.
checkQueryStringLength boolean Determines whether to enforce maximum length restriction for the query string of the requests that match the respective file type. The maximum length is determined by queryStringLength attribute. This attribute is relevant only to allowed file types.
checkRequestLength boolean Determines whether to enforce maximum length restriction for the total length of requests that match the respective file type. The maximum length is determined by requestLength attribute. This attribute is relevant only to allowed file types.
checkUrlLength boolean Determines whether to enforce maximum length restriction for the URL of the requests that match the respective file type. The URL does not include the query string, past the &. The maximum length is determined by urlLength attribute. This attribute is relevant only to allowed file types.
name string Specifies the file type name as appearing in the URL extension. Names can be one of the following according to the type attribute:
postDataLength integer minimum: 0 The maximum length in bytes of the body (POST data) of the request matching the file type. Enforced only if checkPostDataLength is set to true. If the value is exceeded then VIOL_POST_DATA_LENGTH violation is issued. This attribute is relevant only to allowed file types.
queryStringLength integer minimum: 0 The maximum length in bytes of the query string of the request matching the file type. Enforced only if checkQueryStringLength is set to true. If the value is exceeded then VIOL_QUERY_STRING_LENGTH violation is issued. This attribute is relevant only to allowed file types.
requestLength integer minimum: 0 The maximum total length in bytes of the request matching the file type. Enforced only if checkRequestLength is set to true. If the value is exceeded then VIOL_REQUEST_LENGTH violation is issued. This attribute is relevant only to allowed file types.
responseCheck boolean Determines whether the responses to requests that match the respective file types are inspected for attack signature detection. This attribute is relevant only to allowed file types.
responseCheckLength integer minimum: 0 maximum: 10000000000 Determines how much of the response body will be checked for signatures. When value is set to 0, only the header will be checked. This attribute is relevant only to allowed file types.
type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
urlLength integer minimum: 0 The maximum length in bytes of the URL of the request matching the file type, excluding the query string. Enforced only if checkUrlLength is set to true. If the value is exceeded then VIOL_URL_LENGTH violation is issued. This attribute is relevant only to allowed file types.
wildcardOrder integer
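The top-level filetypes description and the per-entry fields above explain allowlists, denylists and per-file-type length limits. The policy below is an added example, not taken from this reference or from the NGINX App Protect documentation, of a file type allowlist: there is no pure wildcard "*" entry, so any request whose extension is not php, png or no-ext raises VIOL_FILETYPE. The php entry enables all four length checks and response signature inspection, while png (an image) skips response inspection as the reference recommends. The policy name, template name, the numeric limits and the enumeration values "blocking" and "explicit" are assumptions of this example; the violation names are the ones listed on this page, and their alarm/block fields are assumed here.

```json
{
  "policy": {
    "name": "filetype_allowlist_example",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
    "applicationLanguage": "utf-8",
    "enforcementMode": "blocking",
    "blocking-settings": {
      "violations": [
        { "name": "VIOL_FILETYPE", "alarm": true, "block": true },
        { "name": "VIOL_URL_LENGTH", "alarm": true, "block": true },
        { "name": "VIOL_QUERY_STRING_LENGTH", "alarm": true, "block": true },
        { "name": "VIOL_POST_DATA_LENGTH", "alarm": true, "block": true },
        { "name": "VIOL_REQUEST_LENGTH", "alarm": true, "block": true }
      ]
    },
    "filetypes": [
      {
        "name": "php",
        "type": "explicit",
        "allowed": true,
        "checkUrlLength": true,
        "urlLength": 2048,
        "checkQueryStringLength": true,
        "queryStringLength": 1024,
        "checkPostDataLength": true,
        "postDataLength": 65536,
        "checkRequestLength": true,
        "requestLength": 131072,
        "responseCheck": true,
        "responseCheckLength": 10000
      },
      {
        "name": "png",
        "type": "explicit",
        "allowed": true,
        "responseCheck": false
      },
      {
        "name": "no-ext",
        "type": "explicit",
        "allowed": true
      }
    ]
  }
}
```

To turn the same policy into a denylist, add an entry with name "*", type "wildcard" and allowed true, and list the extensions to refuse with allowed false; the length and response-check attributes only take effect on allowed entries, so they belong on the wildcard entry in that layout.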

general

Field Name Type Description
allowedResponseCodes array of integers You can specify which responses a security policy permits. By default, the system accepts all response codes from 100 to 399 as valid responses. Response codes from 400 to 599 are considered invalid unless added to the Allowed Response Status Codes list. By default, 400, 401, 404, 407, 417, and 503 are on the list as allowed HTTP response status codes.
customXffHeaders array of strings If you require the system to trust a server further than one hop toward the client (the last proxy traversed), you can use the Custom XFF Headers setting to define a specific header that is inserted closer to, or at the client, that the system will trust. Additionally, if you require the system to trust a proxy server that uses a different header name than the X-Forwarded-For header name, you can add the desired header name to the Custom XFF Headers setting. When adding a custom header, the X-Forwarded-For header is not trusted anymore. In case the X-Forwarded-For header is to be trusted along with other headers, you must add it to the custom headers list.
maskCreditCardNumbersInRequest boolean When enabled, the security policy masks credit card numbers that appear in any part of requests. The system does not mask the information in the actual requests, but rather in various logs:
• Credit card numbers appearing in entity names are masked in the requests of the Requests log.
• Credit card numbers appearing in entity values are masked wherever requests can be viewed: the Requests log, and violation details within that log. This setting is enabled by default, and exists in addition to masking parameters defined as containing sensitive information.
trustXff boolean When enabled, the system has confidence in an XFF (X-Forwarded-For) header in the request. When disabled, the system does not have confidence in an XFF header in the request. The default setting is disabled. Select this option if the system is deployed behind an internal or other trusted proxy. Then, the system uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. Leave this option disabled if you think the HTTP header may be spoofed, or crafted, by a malicious client. With this setting disabled, if the system is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address.
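The general section above describes response code handling and XFF trust. The fragment below is an added example, not part of this reference or of the NGINX App Protect documentation, for a deployment that sits behind a trusted reverse proxy: it trusts the forwarded client address, names the headers that carry it, keeps the default set of allowed 4xx/5xx response codes listed on this page, and masks credit card numbers in logs. The policy name and the header name X-Real-IP are assumptions of this example.

```json
{
  "policy": {
    "name": "behind_trusted_proxy_example",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
    "general": {
      "trustXff": true,
      "customXffHeaders": [
        "X-Forwarded-For",
        "X-Real-IP"
      ],
      "allowedResponseCodes": [400, 401, 404, 407, 417, 503],
      "maskCreditCardNumbersInRequest": true
    }
  }
}
```

X-Forwarded-For appears in customXffHeaders deliberately: as the reference states, adding any custom header stops the system trusting X-Forwarded-For unless it is listed again. Setting trustXff to true when clients can reach the enforcer directly lets a client choose the source address that IP address lists, geolocation rules and logs will see, so the setting is only safe when every path to the enforcer passes through a proxy that overwrites these headers.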

graphql-profiles

Field Name Type Description
attackSignaturesCheck boolean
defenseAttributes object
description string
hasIdlFiles boolean
idlFiles array of objects
metacharElementCheck boolean
metacharOverrides array of objects
name string
responseEnforcement object
sensitiveData array of objects
signatureOverrides array of objects

defenseAttributes
Field Name Type Description
allowIntrospectionQueries boolean
maximumBatchedQueries
• integer minimum: 0 maximum: 2147483647
• string
maximumQueryCost
• integer minimum: 0 maximum: 2147483647
• string
maximumStructureDepth
• integer minimum: 0 maximum: 2147483647
• string
maximumTotalLength
• integer minimum: 0 maximum: 2147483647
• string
maximumValueLength
• integer minimum: 0 maximum: 2147483647
• string
tolerateParsingWarnings boolean

idlFiles
Field Name Type Description
idlFile object
isPrimary boolean

idlFile
Field Name Type Description Allowed Values

metacharOverrides
Field Name Type Description
isAllowed boolean
metachar string

responseEnforcement
Field Name Type Description
blockDisallowedPatterns boolean
disallowedPatterns array of strings

sensitiveData
Field Name Type Description
parameterName string

signatureOverrides
Field Name Type Description
enabled boolean
name string
signatureId integer
tag string

grpc-profiles

Field Name Type Description
associateUrls boolean
attackSignaturesCheck boolean
decodeStringValuesAsBase64 string
defenseAttributes object
description string
hasIdlFiles boolean
idlFiles array of objects
metacharElementCheck boolean
name string
signatureOverrides array of objects

defenseAttributes
Field Name Type Description
allowUnknownFields boolean
maximumDataLength
• integer minimum: 0 maximum: 2147483647
• string

idlFiles
Field Name Type Description
idlFile object
importUrl string
isPrimary boolean
primaryIdlFileName string

idlFile
Field Name Type Description Allowed Values

signatureOverrides
Field Name Type Description
enabled boolean
name string
signatureId integer
tag string

header-settings

Field Name Type Description
maximumHttpHeaderLength
• integer minimum: 1 maximum: 65536
• string
Maximum HTTP Header Length must be greater than 0 and less than 65536 bytes (64K). Note: if 0 or "any" is set, then no restriction on the HTTP header length is applied.

headers

Field Name Type Description
allowEmptyValue boolean
allowRepeatedOccurrences boolean
autoDetectBinaryValue boolean
checkSignatures boolean
decodeValueAsBase64 string Specifies whether the system should detect or require values to be Base64 encoded:
htmlNormalization boolean
mandatory boolean
maskValueInLogs boolean Specifies, when true, that the header’s value will be masked in the request log.
name string Specifies the HTTP header name. The header name length is limited to 254 characters. Names can be one of the following according to the type attribute:
normalizationViolations boolean
percentDecoding boolean
signatureOverrides array of objects Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this header, and which action the security policy takes when it discovers a request for this header that matches these attack signatures.
type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
urlNormalization boolean
wildcardOrder integer Specifies the order index for wildcard header matching. Wildcard headers with lower wildcard order will get checked for a match prior to headers with higher wildcard order.

signatureOverrides
Field Name Type Description
enabled boolean Specifies, when true, that the overridden signature is enforced.
name string The signature name which, along with the signature tag, identifies the signature.
signatureId integer The signature ID which identifies the signature.
tag string The signature tag which, along with the signature name, identifies the signature.

host-names

Field Name Type Description
includeSubdomains boolean
name string

idl-files

Field Name Type Description
contents string
fileName string
isBase64 boolean

ip-address-lists

Field Name Type Description
blockRequests string Specifies how the system responds to blocking requests sent from this IP address list.
description string Specifies a brief description of the IP address list. Optional
ipAddresses array of objects Specifies the IP addresses. Use CIDR notation for subnet definition.
matchOrder integer Specifies the order matching index between different IP Address Lists. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Lists with a lower matchOrder will be checked for a match prior to items with higher matchOrder.
name string Specifies the name of the IP address list.
neverLogRequests boolean Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. Optional, if absent default value is false.
setGeolocation string Specifies a geolocation to be associated for this IP address list. This will force the IP addresses in the list to be considered as though they are in that geolocation. This applies to blocking via "disallowed-geolocations" and to logging. Optional

ipAddresses
Field Name Type Description
ipAddress string Specifies the IP address. Use CIDR notation for subnet definition.

ip-intelligence

Field Name Type Description
enabled boolean
ipIntelligenceCategories array of objects

ipIntelligenceCategories
Field Name Type Description
alarm boolean
block boolean
category string

json-profiles

Field Name Type Description
attackSignaturesCheck boolean
defenseAttributes object
description string
handleJsonValuesAsParameters boolean
hasValidationFiles boolean
metacharElementCheck boolean
metacharOverrides array of objects
name string
signatureOverrides array of objects
validationFiles array of objects

defenseAttributes
Field Name Type Description
maximumArrayLength
• integer minimum: 0 maximum: 2147483647
• string
maximumStructureDepth
• integer minimum: 0 maximum: 2147483647
• string
maximumTotalLengthOfJSONData
• integer minimum: 0 maximum: 2147483647
• string
maximumValueLength
• integer minimum: 0 maximum: 2147483647
• string
tolerateJSONParsingWarnings boolean

metacharOverrides
Field Name Type Description
isAllowed boolean
metachar string

signatureOverrides
Field Name Type Description
enabled boolean
name string
signatureId integer
tag string

validationFiles
Field Name Type Description
importUrl string
isPrimary boolean
jsonValidationFile object

jsonValidationFile
Field Name Type Description Allowed Values

json-validation-files

Field Name Type Description
contents string
fileName string
isBase64 boolean

login-enforcement

Field Name Type Description
authenticatedUrls array of strings
expirationTimePeriod
• integer minimum: 0 maximum: 99999
• string
logoutUrls array of objects

logoutUrls
Field Name Type Description
requestContains string
requestOmits string
url object

login-pages

Field Name Type Description
accessValidation object Access Validation defines the validation criteria for the login page response. If you define more than one validation criterion, the response must meet all the criteria before the system allows the user to access the application login URL.
authenticationType string Authentication Type is the method the web server uses to authenticate the login URL’s credentials with a web user.
passwordParameterName string The name of the parameter that will contain the password string.
passwordRegex string PCRE regular expression for capturing the password. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the password. For example: "pwd=(\w+)". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.
url object URL string used for login page.
usernameParameterName string The name of the parameter that will contain the username string.
usernameRegex string PCRE regular expression for capturing the username. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the username. For example: "user_id=(\w+)". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.

accessValidation
Field Name Type Description
cookieContains string A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.
headerContains string A header name and value that the response to the login URL must match to permit user access to the authenticated URL.
headerContainsMatchCondition string
headerOmits string A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL.
headerOmitsMatchCondition string
parameterContains string A parameter that must exist in the login URL’s HTML body to allow access to the authenticated URL.
responseContains string A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, "Successful Login".
responseHttpStatus string An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, "200".
responseHttpStatusOmits array of strings An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL.
responseOmits string A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, "Authentication failed".

methods

Field Name Type Description
name string

override-rules

Field Name Type Description
actionType string The action to take when the override rule is matched. Possible values are:
condition string Specifies the condition under which the override rule should be applied. Example: "clientIp != '10.0.0.5' and userAgent.lower().contains('WebRobot')" Condition Syntax:
name string The unique name of the override rule. Cannot contain spaces or special characters.
override object The overriding security policy definition.
violation object Contains the details of the raised VIOL_RULE violation. Mandatory if action-type is violation.

override
Field Name Type Description Allowed Values

violation
Field Name Type Description
alarm boolean Whether the violation should be marked in the security log and cause the request to be classified as "illegal".
attackType object The attack type associated with the violation in the present rule. This is reflected in the security log. Mandatory.
block boolean Whether the violation should cause the request to be blocked. In other words: the block flag of the VIOL_RULE for the present rule.
description string Textual description of the violation in the present rule. Limited to 200 characters. Not Mandatory.
rating integer minimum: 3 maximum: 5 The violation rating that the present rule violation will induce. In other words, the violation rating of the request will be the maximum of this value and the value calculated from the other violations in the request. If not specified and there is no other violation, then the violation rating (VR) is 3.

attackType
Field Name Type Description
name string The name of the attack type. Mandatory.

parameters

Field Name Type Description
allowEmptyValue boolean Determines whether an empty value is allowed for a parameter.
allowRepeatedParameterName boolean Determines whether multiple parameter instances with the same name are allowed in one request.
arraySerializationFormat string Specifies the serialization type for an array-of-primitives parameter. Serialization defines how multiple values are delimited, that is, a format that can be transmitted and reconstructed later:
arrayUniqueItemsCheck boolean Determines whether items in an array parameter must be unique. This attribute is relevant only for parameters with array valueType.
attackSignaturesCheck boolean Determines whether attack signatures and threat campaigns must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric or binary dataType.
checkMaxItemsInArray boolean Determines whether an array parameter has a restricted maximum number of items. This attribute is relevant only for parameters with array valueType.
checkMaxValue boolean Determines whether the parameter has a restricted maximum value. This attribute is relevant only for parameters with integer or decimal dataType.
checkMaxValueLength boolean Determines whether a parameter has a restricted maximum length for value.
checkMetachars boolean Determines whether disallowed metacharacters must be detected in a parameter’s name. This attribute is relevant only for wildcard parameters with alpha-numeric dataType.
checkMinItemsInArray boolean Determines whether an array parameter has a restricted minimum number of items. This attribute is relevant only for parameters with array valueType.
checkMinValue boolean Determines whether a parameter has a restricted minimum value. This attribute is relevant only for parameters with integer or decimal dataType.
checkMinValueLength boolean Determines whether a parameter has a restricted minimum length for value.
checkMultipleOfValue boolean Determines whether a parameter’s value is a multiple of a number defined in multipleOf. This attribute is relevant only for parameters with integer or decimal dataType.
contentProfile object
dataType string Specifies the data type of the parameter’s value:
decodeValueAsBase64 string Specifies whether the system should detect or require values to be Base64 encoded:
disallowFileUploadOfExecutables boolean Determines whether binary executable content is disallowed in a parameter’s value. This attribute is relevant only for parameters with binary dataType.
enableRegularExpression boolean Determines whether the parameter value includes the pattern defined in regularExpression. This attribute is relevant only for parameters with alpha-numeric dataType.
exclusiveMax boolean Determines whether the maximum value defined in maximumValue attribute is exclusive. This attribute is relevant only if checkMaxValue is set to true.
exclusiveMin boolean Determines whether a minimum value defined in minimumValue attribute is exclusive. This attribute is relevant only if checkMinValue is set to true.
explodeObjectSerialization boolean Specifies whether array or object parameters should have a separate value for each array item or object property. This attribute is relevant only if objectSerializationStyle is defined. Notes:
hostNameRepresentation string
isCookie boolean Determines whether a parameter is located in the value of the Cookie header. The parameterLocation attribute is ignored if isCookie is set to true.
isHeader boolean Determines whether a parameter is located in the request headers, as one of the headers. The parameterLocation attribute is ignored if isHeader is set to true.
level string Specifies whether the parameter is associated with a URL, a flow, or neither.
mandatory boolean Determines whether a parameter must exist in the request.
maxItemsInArray integer minimum: 0 Determines the restriction for the maximum number of items in an array parameter. This attribute is relevant only if checkMaxItemsInArray is set to true.
maximumLength integer minimum: 0 Determines the restriction for the maximum length of a parameter’s value. This attribute is relevant only if checkMaxValueLength is set to true.
maximumValue number Determines the restriction for the maximum value of a parameter. This attribute is relevant only if checkMaxValue is set to true.
metacharsOnParameterValueCheck boolean Determines whether disallowed metacharacters must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric dataType.
minItemsInArray integer minimum: 0 Determines the restriction for the minimum number of items in an array parameter. This attribute is relevant only if checkMinItemsInArray is set to true.
minimumLength integer minimum: 0 Determines the restriction for the minimum length of a parameter’s value. This attribute is relevant only if checkMinValueLength is set to true.
minimumValue number Determines the restriction for the minimum value of a parameter. This attribute is relevant only if checkMinValue is set to true.
multipleOf number Determines the number by which a parameter’s value is divisible without remainder. This number must be positive and it may be a floating-point number. This attribute is relevant only if checkMultipleOfValue is set to true.
name string Specifies the name of a parameter which must be permitted in requests. The format of the name attribute depends on the type attribute:
nameMetacharOverrides array of objects Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that has these metacharacters in the name. This attribute is relevant only if checkMetachars is set to true.
objectSerializationStyle string Specifies the serialization type for an object or complex array parameter. Serialization defines how multiple values are delimited, that is, a format that can be transmitted and reconstructed later:
parameterEnumValues array of strings Determines the set of possible values for the parameter. This attribute is not relevant for parameters with phone, email or binary dataType.
parameterLocation string Specifies the location of the parameter in the request:
regularExpression string Determines a positive regular expression (PCRE) for a parameter’s value. This attribute is relevant only if enableRegularExpression is set to true. Notes:
sensitiveParameter boolean Determines whether a parameter is sensitive and must not be visible in logs or in the user interface. Instead of the actual value, a string of asterisks is shown for this parameter. Use it to protect sensitive user input, such as a password or a credit card number, in a validated request.
signatureOverrides array of objects Determines attack signatures whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that matches these attack signatures. This attribute is relevant only if signatureOverrides is set to true.
staticValues array of strings Determines the set of possible values for the parameter. This attribute is relevant for parameters with static-content valueType only.
type string Specifies the type of the name attribute.
url object
valueMetacharOverrides array of objects Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request parameter that has these metacharacters in its value. This attribute is relevant only if metacharsOnParameterValueCheck is set to true.
valueType string Specifies the type of the parameter’s value:
wildcardOrder integer Specifies the order in which wildcard entities are organized. An incoming parameter is matched against the defined wildcard parameters in ascending order, from smaller to larger.

contentProfile
Field Name Type Description
contentProfile object

contentProfile
Field Name Type Description
name string

nameMetacharOverrides
Field Name Type Description
isAllowed boolean Specifies whether the metacharacter is permitted; when false, the character is prohibited.
metachar string Specifies the character, in hexadecimal format, whose permission is overridden.

signatureOverrides
Field Name Type Description
enabled boolean Specifies, when true, that the overridden signature is enforced.
name string The signature name which, along with the signature tag, identifies the signature.
signatureId integer The signature ID which identifies the signature.
tag string The signature tag which, along with the signature name, identifies the signature.

valueMetacharOverrides
Field Name Type Description
isAllowed boolean Specifies whether the metacharacter is permitted; when false, the character is prohibited.
metachar string Specifies the character, in hexadecimal format, whose permission is overridden.
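As an added illustration (not F5 or NGINX App Protect code) of how the parameters settings above combine at enforcement time, the script below selects the matching definition (explicit name first, then wildcards in ascending wildcardOrder) and applies the length, regular-expression, enum, min/max (with exclusiveMin/exclusiveMax), multipleOf, allowEmptyValue, allowRepeatedParameterName, mandatory and sensitiveParameter settings. The type value "explicit", glob matching for wildcard names, Python `re` standing in for PCRE, the finding strings and the sample PARAMETERS are this example's assumptions.

```python
"""Added illustration of the parameters-section settings (not F5 or NGINX
App Protect code).  Field names follow the page; the "explicit" type value,
glob matching for wildcard names, the finding wording and the constructed
PARAMETERS sample below are assumptions of this example."""
import fnmatch
import re
from decimal import Decimal

PARAMETERS = [  # constructed sample in the shape of the "parameters" array
    {"name": "amount", "type": "explicit", "dataType": "decimal",
     "mandatory": True, "checkMinValue": True, "minimumValue": 0,
     "exclusiveMin": True, "checkMaxValue": True, "maximumValue": 10000,
     "checkMultipleOfValue": True, "multipleOf": 0.01},
    {"name": "password", "type": "explicit", "dataType": "alpha-numeric",
     "sensitiveParameter": True, "checkMinValueLength": True,
     "minimumLength": 8, "checkMaxValueLength": True, "maximumLength": 64},
    {"name": "state", "type": "explicit", "dataType": "alpha-numeric",
     "parameterEnumValues": ["open", "closed"]},
    {"name": "id_*", "type": "wildcard", "wildcardOrder": 1,
     "dataType": "alpha-numeric", "enableRegularExpression": True,
     "regularExpression": "^[A-Za-z0-9]{1,32}$"},
    {"name": "*", "type": "wildcard", "wildcardOrder": 2,
     "dataType": "alpha-numeric", "allowEmptyValue": False,
     "checkMaxValueLength": True, "maximumLength": 256},
]

def select_definition(name, defs=PARAMETERS):
    """Explicit name wins; else wildcards are tried in ascending wildcardOrder."""
    for d in defs:
        if d.get("type") != "wildcard" and d["name"] == name:
            return d
    wildcards = sorted((d for d in defs if d.get("type") == "wildcard"),
                       key=lambda d: d.get("wildcardOrder", 0))
    for d in wildcards:
        if fnmatch.fnmatchcase(name, d["name"]):  # assumed glob semantics
            return d
    return None

def check_value(defn, value):
    """Return the list of checks a single value fails under its definition."""
    problems = []
    if value == "":  # only allowEmptyValue decides for an empty value
        return [] if defn.get("allowEmptyValue", False) else ["empty value"]
    if defn.get("checkMinValueLength") and len(value) < defn["minimumLength"]:
        problems.append("value shorter than minimumLength")
    if defn.get("checkMaxValueLength") and len(value) > defn["maximumLength"]:
        problems.append("value longer than maximumLength")
    if defn.get("enableRegularExpression") and not re.search(
            defn["regularExpression"], value):  # PCRE approximated by re
        problems.append("value does not match regularExpression")
    if "parameterEnumValues" in defn and value not in defn["parameterEnumValues"]:
        problems.append("value not in parameterEnumValues")
    if defn.get("dataType") in ("integer", "decimal"):
        try:
            num = Decimal(value)
        except ArithmeticError:  # decimal.InvalidOperation on non-numeric text
            return problems + ["value is not numeric"]
        if not num.is_finite():  # NaN/Infinity would break the comparisons
            return problems + ["value is not numeric"]
        if defn["dataType"] == "integer" and num != num.to_integral_value():
            problems.append("value is not an integer")
        if defn.get("checkMinValue"):  # exclusiveMin matters only here
            lo = Decimal(str(defn["minimumValue"]))
            if num < lo or (defn.get("exclusiveMin") and num == lo):
                problems.append("value below minimumValue")
        if defn.get("checkMaxValue"):  # exclusiveMax matters only here
            hi = Decimal(str(defn["maximumValue"]))
            if num > hi or (defn.get("exclusiveMax") and num == hi):
                problems.append("value above maximumValue")
        if defn.get("checkMultipleOfValue"):  # multipleOf may be fractional
            if num % Decimal(str(defn["multipleOf"])) != 0:
                problems.append("value is not a multiple of multipleOf")
    return problems

def enforce(request_params, defs=PARAMETERS):
    """Check a request's (name, value) pairs; returns {name: [problems]}."""
    findings, seen = {}, {}
    for name, value in request_params:
        defn = select_definition(name, defs)
        if defn is None:
            findings.setdefault(name, []).append("parameter not defined")
            continue
        seen[name] = seen.get(name, 0) + 1
        if seen[name] > 1 and not defn.get("allowRepeatedParameterName"):
            findings.setdefault(name, []).append("repeated parameter name")
        for p in check_value(defn, value):
            findings.setdefault(name, []).append(p)
    for d in defs:  # mandatory applies to explicitly named definitions
        if d.get("mandatory") and d.get("type") != "wildcard" and d["name"] not in seen:
            findings.setdefault(d["name"], []).append("mandatory parameter missing")
    return findings

def redact_for_log(request_params, defs=PARAMETERS):
    """sensitiveParameter values are shown as asterisks in logs and the UI."""
    return [(n, "********" if (select_definition(n, defs) or {}).get(
        "sensitiveParameter") else v) for n, v in request_params]
```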

response-pages

Field Name Type Description
ajaxActionType string Which content, or URL, the system sends to the client as a response to an AJAX request that does not comply with the security policy.
ajaxCustomContent string Custom message typed by the user, returned as the response to a blocked AJAX request.
ajaxEnabled boolean When enabled, the system injects JavaScript code into responses. You must enable this toggle in order to configure an Application Security Manager AJAX response page which is returned when the system detects an AJAX request that does not comply with the security policy.
ajaxPopupMessage string Default message provided by the system as the response to a blocked AJAX request. It can be edited by the user, but <%TS.request.ID()%> must be included in the message.
ajaxRedirectUrl string The system redirects the user to a specific web page instead of showing a response page. Type the web page’s full URL path, for example, http://www.redirectpage.com. To redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID()%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
grpcStatusCode
• integer
• string
grpcStatusMessage string
responseActionType string Which action the system takes, and which content the system sends to the client, as a response when the security policy blocks the client request.
responseContent string The content the system sends to the client in response to an illegal blocked request.
responseHeader string The response headers that the system sends to the client as a response to an illegal blocked request.
responsePageType string The different types of blocking response pages which are available from the system:
responseRedirectUrl string The particular URL to which the system redirects the user. To redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.

sensitive-parameters

Field Name Type Description
name string Name of a parameter whose values the system should consider sensitive.

server-technologies

Field Name Type Description
serverTechnologyName string Specifies the name of the selected policy. For example, PHP will add attack signatures that cover known PHP vulnerabilities.

signature-requirements

Field Name Type Description
maxRevisionDatetime string
minRevisionDatetime string
tag string

signature-sets

Field Name Type Description
alarm boolean If enabled, when a signature from this signature set is detected in a request, the request is logged.
block boolean If enabled, when a signature from this signature set is detected in a request, the request is blocked.
learn boolean If enabled, when a signature from this signature set is detected in a request, the policy builder creates a learning suggestion to disable it.
name string Signature set name.
signatureSet object Defines signature set.
stagingCertificationDatetime string

signatureSet
Field Name Type Description
filter object Specifies filter that defines signature set.
signatures array of objects
systems array of objects
type string

filter
Field Name Type Description
accuracyFilter string
accuracyValue string
attackType object
hasCve string
lastUpdatedFilter string
lastUpdatedValue string
riskFilter string
riskValue string
signatureType string
tagFilter string Filter by signature tagValue.
tagValue string Value for the tagFilter. Relevant only for the eq value of tagFilter.
userDefinedFilter string

attackType
Field Name Type Description
name string

signatures
Field Name Type Description
name string
signatureId integer
tag string

systems
Field Name Type Description
name string

signature-settings

Field Name Type Description
minimumAccuracyForAutoAddedSignatures string
signatureStaging boolean
stagingCertificationDatetime string

signatures

Field Name Type Description
enabled boolean Specifies, if true, that the signature is enabled on the security policy. When false, the signature is disabled on the security policy.
learn boolean
name string The signature name which, along with the signature tag, identifies the signature.
performStaging boolean Specifies, if true, that the signature is in staging. The system does not enforce signatures in staging. Instead, the system records the request information and keeps it for a period of time (the Enforcement Readiness Period whose default time period is 7 days). Specifies, when false, that the staging feature is not in use, and that the system enforces the signatures' Learn/Alarm/Block settings immediately. (Blocking is performed only if the security policy’s enforcement mode is Blocking.)
signatureId integer The signature ID which identifies the signature.
tag string The signature tag which, along with the signature name, identifies the signature.

threat-campaigns

Field Name Type Description
displayName string
isEnabled boolean If enabled, the threat campaign is enforced in the security policy.
name string Name of the threat campaign.

urls

Field Name Type Description
accessProfile object
allowRenderingInFrames string Specifies the conditions for when the browser should allow this URL to be rendered in a frame or iframe. never: Specifies that this URL must never be rendered in a frame or iframe. The web application instructs browsers to hide, or disable, frame and iframe parts of this URL. only-same: Specifies that the browser may load the frame or iframe if the referring page is from the same protocol, port, and domain as this URL. This limits the user to navigate only within the same web application.
allowRenderingInFramesOnlyFrom string Specifies that the browser may load the frame or iframe from a specified domain. Type the protocol and domain in URL format for example, http://www.mywebsite.com. Do not enter a sub-URL, such as http://www.mywebsite.com/index.
attackSignaturesCheck boolean Specifies, when true, that you want attack signatures and threat campaigns to be detected on this URL and possibly override the security policy settings of an attack signature or threat campaign specifically for this URL. After you enable this setting, the system displays a list of attack signatures and threat campaigns.
authorizationRules array of objects
canChangeDomainCookie boolean
clickjackingProtection boolean Specifies that the system adds the X-Frame-Options header to the domain URL’s response header. This is done to protect the web application against clickjacking. Clickjacking occurs when an attacker lures a user into clicking illegitimate frames and iframes that the attacker has hidden over legitimate, visible website buttons. Therefore, enabling this option protects the web application from other web sites hiding malicious code behind them. The default is disabled. After you enable this option, you can select whether, and under what conditions, the browser should allow this URL to be rendered in a frame or iframe.
disallowFileUploadOfExecutables boolean
html5CrossOriginRequestsEnforcement object The system extracts the Origin (domain) of the request from the Origin header.
isAllowed boolean If true, the URL is allowed by the security policy.
mandatoryBody boolean Specifies that a request body is mandatory. This is relevant for any method that acts like POST.
metacharOverrides array of objects Allows or disallows specific metacharacters in the name of this specific URL, thus overriding the global metacharacter settings.
metacharsOnUrlCheck boolean Specifies, when true, that you want meta characters to be detected on this URL and possibly override the security policy settings of a meta character specifically for this URL. After you enable this setting, the system displays a list of meta characters.
method string Unique ID of a URL with a protocol type and name. Select a Method for the URL to create an API endpoint: URL + Method.
methodOverrides array of objects Specifies a list of methods that are allowed or disallowed for a specific URL. The list overrides the list of methods allowed or disallowed globally at the policy level.
methodsOverrideOnUrlCheck boolean Specifies, when true, that you want methods to be detected on this URL and possibly override the security policy settings of a method specifically for this URL. After you enable this setting, the system displays a list of methods.
name string Specifies an HTTP URL that the security policy allows. The available types are:
operationId string The attribute operationId is used as an OpenAPI endpoint identifier.
positionalParameters array of objects When checked (enabled), positional parameters are enabled in the URL.
protocol string Specifies whether the protocol for the URL is HTTP or HTTPS.
signatureOverrides array of objects Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this URL, and which action the security policy takes when it discovers a request for this URL that matches these attack signatures.
type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
urlContentProfiles array of objects Specifies how the system recognizes and enforces requests for this URL according to the requests' header content. The system automatically creates a default header-based content profile for HTTP, and you cannot delete it. However, requests for a URL may contain other types of content, such as JSON, XML, or other proprietary formats.
wildcardOrder integer Specifies the order index for wildcard URLs matching. Wildcard URLs with lower wildcard order will get checked for a match prior to URLs with higher wildcard order.

authorizationRules
Field Name Type Description
condition string
name string

html5CrossOriginRequestsEnforcement
Field Name Type Description
allowOriginsEnforcementMode string Allows you to specify a list of origins allowed to share data returned by this URL.
checkAllowedMethods boolean Allows you to specify a list of methods that other web applications hosted in different domains can use when requesting this URL.
crossDomainAllowedOrigin array of objects Allows you to specify a list of origins allowed to share data returned by this URL.
enforcementMode string Specify the option to determine how to handle CORS requests. disabled: Do nothing related to cross-domain requests. Pass CORS requests exactly as set by the server. enforce: Allow cross-origin resource sharing as configured in the crossDomainAllowedOrigin setting. CORS requests are allowed from the domains specified as allowed origins.

crossDomainAllowedOrigin
Field Name Type Description
includeSubDomains boolean If true, sub-domains of the allowed origin are also allowed to receive data from your web application.
originName string Type the domain name or IP address with which the URL can share data. Wildcards are allowed in the names. For example: *.f5.com will match b.f5.com; however it will not match a.b.f5.com.
originPort
• integer minimum: 0 maximum: 65535
• string
Select the port that other web applications can use to request data from your web application, or use the * wildcard for all ports.
originProtocol string Select the appropriate protocol for the allowed origin.

metacharOverrides
Field Name Type Description
isAllowed boolean If true, metacharacters and other characters are allowed in a URL.
metachar string ASCII representation of the character in hex format.

methodOverrides
Field Name Type Description
allowed boolean Specifies that the system allows you to override allowed methods for this URL. When selected, the global policy settings for methods are listed, and you can change what is allowed or disallowed for this URL.
method string Specifies a list of existing HTTP methods. All security policies accept standard HTTP methods by default.

positionalParameters
Field Name Type Description
parameter object
urlSegmentIndex integer minimum: 1 Select which to add: Text or Parameter and enter your desired segments. You can add multiple text and parameter segments.

signatureOverrides
Field Name Type Description
enabled boolean Specifies, when true, that the overridden signature is enforced.
name string The signature name which, along with the signature tag, identifies the signature.
signatureId integer The signature ID which identifies the signature.
tag string The signature tag which, along with the signature name, identifies the signature.

urlContentProfiles
Field Name Type Description
contentProfile object
decodeValueAsBase64 string
headerName string Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive.
headerOrder
• integer
• string
Displays the order in which the system checks header content of requests for this URL.
headerValue string Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive.
type string - Apply Content Signatures: Do not parse the content; scan the entire payload with full-content attack signatures.

contentProfile
Field Name Type Description
name string

urls

Field Name Type Description
parameters array of objects

xml-profiles

Field Name Type Description
attackSignaturesCheck boolean
defenseAttributes object
description string
metacharAttributeCheck boolean
metacharElementCheck boolean
metacharOverrides array of objects
name string
signatureOverrides array of objects
useXmlResponsePage boolean

defenseAttributes
Field Name Type Description
allowCDATA boolean
allowDTDs boolean
allowExternalReferences boolean
allowProcessingInstructions boolean
maximumAttributeValueLength
• integer minimum: 0 maximum: 2147483647
• string
maximumAttributesPerElement
• integer minimum: 0 maximum: 2147483647
• string
maximumChildrenPerElement
• integer minimum: 0 maximum: 2147483647
• string
maximumDocumentDepth
• integer minimum: 0 maximum: 2147483647
• string
maximumDocumentSize
• integer minimum: 0 maximum: 2147483647
• string
maximumElements
• integer minimum: 0 maximum: 2147483647
• string
maximumNSDeclarations
• integer minimum: 0 maximum: 2147483647
• string
maximumNameLength
• integer minimum: 0 maximum: 2147483647
• string
maximumNamespaceLength
• integer minimum: 0 maximum: 2147483647
• string
tolerateCloseTagShorthand boolean
tolerateLeadingWhiteSpace boolean
tolerateNumericNames boolean

metacharOverrides
Field Name Type Description
isAllowed boolean
metachar string

signatureOverrides
Field Name Type Description
enabled boolean
name string
signatureId integer
tag string

evasions

Field Name Type Description
description string Human-readable name of the sub-violation.
enabled boolean Defines whether the sub-violation is enforced (alarmed or blocked) according to the blocking settings of the 'Evasion technique detected' (VIOL_EVASION) violation.
learn boolean Defines if sub-violation is learned. Sub-violations are learned only when learn is enabled for the 'Evasion technique detected' (VIOL_EVASION) violation.
maxDecodingPasses integer minimum: 2 maximum: 5 Defines how many times the system decodes URI and parameter values before the request is considered an evasion. Relevant only for the 'Multiple decoding' sub-violation.
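As an added illustration (not F5 or NGINX App Protect code) of the 'Multiple decoding' sub-violation governed by maxDecodingPasses, the functions below URL-decode a value repeatedly and flag it when it is still changing after the configured number of passes; treating exactly maxDecodingPasses decodings as still permitted, and the 2 to 5 range check, are this example's reading of the field description above.

```python
"""Added illustration (not F5 or NGINX App Protect code) of the 'Multiple
decoding' sub-violation: a URI or parameter value is decoded repeatedly, and
a value that still changes after maxDecodingPasses decodings is treated as an
evasion.  The exact boundary is this example's assumption."""
from urllib.parse import unquote


def decoding_passes(value, limit=10):
    """Count the URL-decoding passes that change the value (capped at limit)
    and return (passes, fully decoded value)."""
    passes = 0
    while passes < limit:
        decoded = unquote(value)
        if decoded == value:  # stable: nothing left to decode
            break
        value, passes = decoded, passes + 1
    return passes, value


def is_multiple_decoding_evasion(value, max_decoding_passes=2):
    """True when more than maxDecodingPasses decodings are needed."""
    if not 2 <= max_decoding_passes <= 5:  # range documented for the field
        raise ValueError("maxDecodingPasses must be between 2 and 5")
    # One extra pass is enough to learn whether the limit would be exceeded.
    passes, _ = decoding_passes(value, limit=max_decoding_passes + 1)
    return passes > max_decoding_passes
```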

http-protocols

Field Name Type Description
description string Human-readable name of the sub-violation.
enabled boolean Defines whether the sub-violation is enforced (alarmed or blocked) according to the blocking settings of the 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation.
learn boolean Defines whether the sub-violation is learned. Sub-violations are learned only when learn is enabled for the 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation.
maxCookies integer minimum: 1 maximum: 100
maxHeaders integer minimum: 1 maximum: 150 Defines the maximum allowed number of headers in a request. Relevant only for the 'Check maximum number of headers' sub-violation.
maxParams integer minimum: 1 maximum: 5000 Defines the maximum allowed number of parameters in a request. Relevant only for the 'Check maximum number of parameters' sub-violation.

violations

Field Name Type Description
alarm boolean
block boolean
description string
learn boolean
name string

mitigations

Field Name Type Description
anomalies array of objects
browsers array of objects
classes array of objects List of classes and their actions.
signatures array of objects List of signatures and their actions. If a signature is not in the list - its action will be taken according to the class it belongs to.

settings

Field Name Type Description
caseSensitiveHttpHeaders boolean If false, the system does not check header names case-sensitively for the two relevant anomalies: Invalid HTTP Headers and Suspicious HTTP Headers.
isEnabled boolean If true, the system detects bots.

anomalies

Field Name Type Description
action string
name string
scoreThreshold
• integer minimum: 0 maximum: 150
• string

browsers

Field Name Type Description
action string
maxVersion integer minimum: 0 maximum: 2147483647
minVersion integer minimum: 0 maximum: 2147483647
name string

classes

Field Name Type Description
action string The action set for this class.
name string The class to which the action applies.

signatures

Field Name Type Description
action string The action set for this signature.
name string The name of the signature whose action is changed.