# Add cookies, parameters, and URLs


> Configure cookie, parameter, and URL protections in your F5 WAF for NGINX policies using F5 NGINX Instance Manager.


## Add cookies

Configure and manage cookie protections in the policy editor by selecting **Cookies** in the web interface.

### Cookie properties and types

Each cookie configuration includes:

- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see [Matching Types: Explicit vs Wildcard](/nim/waf-integration/policies-and-logs/policies/waf-policy-matching-types.md).
- `Cookie Name`: The name of the cookie to monitor or protect.
- `Enforcement Type`:
  - **Allow**: The cookie can be changed by the client and is not protected from modification.
  - **Enforce**: The cookie cannot be changed by the client.
- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable.
- `Mask value in logs`: When turned on, the cookie's value is masked in the request log for security and privacy.

For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters](/waf/policies/parameter-reference.md) documentation under the `cookies` section.

### Cookie violations

Select **Edit configuration** to configure cookie violations. The following violations can be configured for cookies:

- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired.
- `VIOL_COOKIE_LENGTH`: Triggered when a cookie length exceeds the configured limit.
- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant.
- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with.

For each violation type, you can:

- Set the enforcement action.
- Set the action to **Alarm**, **Alarm and Block**, or **Disabled**.

See [Supported Violations](/waf/policies/violations.md#supported-violations) for additional details.

### Add a cookie to your policy

1. Select a **Cookie Type**:
   - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching.
2. Configure basic properties:
   - Enter the `Cookie Name`.
   - Specify whether to mask the cookie value in logs.
3. Set an **Enforcement Type**:
   - Choose either `Allow` or `Enforce`.
4. (Optional) Configure attack signatures:
   - If enabled, you can override attack signatures for this cookie.
   - For details on signature configuration, see [Add Signature Sets](/nim/waf-integration/policies-and-logs/policies/add-signature-sets.md).
5. Select **Add cookie** to save your configuration.

## Add parameters

Configure and manage parameter protections in the policy editor by selecting **Parameters** in the web interface.

### Parameter properties and types

Each parameter configuration includes:

- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see [Matching Types: Explicit vs Wildcard](/nim/waf-integration/policies-and-logs/policies/waf-policy-matching-types.md).
- `Parameter Name`: The name of the parameter.
- `Location`: Where the parameter is expected (URL query string, POST data, etc.).
- `Value Type`: The expected type of the parameter value (for example, alphanumeric, integer, or email).
- `Attack Signatures`: Whether attack signature checking is enabled for this parameter.
- `Mask value in logs`: When turned on, the parameter's value is masked in the request log for security and privacy. This sets the `sensitiveParameter` property of the parameter item.

For a complete list of configurable parameter properties and options, see the [Parameter Configuration Parameters](/waf/policies/parameter-reference.md) documentation under the `parameters` section.

### Parameter violations

Select **Edit configuration** to configure parameter violations. The following violations can be configured for parameters:

- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected.
- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal.
- `VIOL_PARAMETER_DATA_TYPE`: Triggered when a parameter’s data type doesn’t match the configured policy.
- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn’t be.
- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in the wrong location.
- `VIOL_PARAMETER_MULTIPART_NULL_VALUE`: Triggered when the multi-part request has a parameter value that contains a null character (`0x00`).
- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in a parameter name.
- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when a numeric parameter value is outside the allowed range.
- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally.
- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn’t match the configured security policy.
- `VIOL_PARAMETER_VALUE_BASE64`: Triggered when the value isn’t a valid Base64 string.
- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when a parameter value length exceeds limits.
- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in a parameter value.
- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when a parameter value doesn’t match the required pattern.

For each violation type, you can:

- Set the enforcement action.
- Set the action to **Alarm**, **Alarm and Block**, or **Disabled**.

See [Supported Violations](/waf/policies/violations.md#supported-violations) for additional details.

### Add a parameter to your policy

1. Select a **Parameter Type**:
   - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching.
2. Configure basic properties:
   - Enter the `Parameter Name`.
   - Select the `Location` where the parameter is expected.
   - Choose the `Value Type` (alphanumeric, integer, email, etc.).
   - Set the `Data Type` if applicable.
3. Set security options:
   - Choose whether to enable attack signatures.

   **Note:** 
   Attack signatures are only applicable when the Value Type is `User Input` or `Array`, and the Data Type is either `Alphanumeric` or `Binary`.
   

   - Decide if parameter values should be masked in logs. This sets the `sensitiveParameter` property.
4. (Optional) Configure attack signatures:
   - If enabled, you can override attack signatures for this parameter.
   - For details on signature configuration, see [Add Signature Sets](/nim/waf-integration/policies-and-logs/policies/add-signature-sets.md).
5. Select **Add parameter** to save your configuration.

## Add URLs

Configure and manage URL protections in the policy editor by selecting **URLs** in the web interface.

### URL properties and types

Each URL configuration includes:

- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see [Matching Types: Explicit vs Wildcard](/nim/waf-integration/policies-and-logs/policies/waf-policy-matching-types.md).
- `Method`: Specifies the HTTP method(s) for the URL (`GET`, `POST`, `PUT`, etc.).
- `Protocol`: The protocol for the URL (`HTTP` or `HTTPS`).
- `Enforcement Type`:
  - **Allow**: Permits access to the URL with optional attack signature checks.
  - **Disallow**: Blocks access to the URL entirely.
- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable.

**Note:** 
Attack signatures are automatically shown as "Not applicable" when the Enforcement Type is set to `Disallow`, because the URL is explicitly blocked and signature checking is unnecessary.

For a complete list of configurable URL properties and options, see the [URL Configuration Parameters](/waf/policies/parameter-reference.md) documentation under the `urls` section.

### URL violations

Select **Edit configuration** to configure URL violations. The following violations can be configured for URLs:

- `VIOL_URL`: Triggered when an illegal URL is accessed.
- `VIOL_URL_CONTENT_TYPE`: Triggered when there’s an illegal request content type.
- `VIOL_URL_LENGTH`: Triggered when the URL length exceeds the configured limit.
- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL.

For each violation type, you can:

- Set the enforcement action.
- Set the action to **Alarm**, **Alarm and Block**, or **Disabled**.

See [Supported Violations](/waf/policies/violations.md#supported-violations) for additional details.

### Add a URL to your policy

1. Select a **URL Type**:
   - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching.
2. Configure basic properties:
   - Enter the `URL` path (for example, `/index.html`, `/api/data`).
   - The URL path must start with `/`.
   - Select the HTTP `Method(s)` (for example, `GET`, `POST`, `*`).
   - Choose the `Protocol` (`HTTP` or `HTTPS`).
3. Set enforcement:
   - Choose whether to allow or disallow the URL.
   - If **Allow** is selected, you can optionally enable attack signatures.

   **Note:** 
   Attack signatures cannot be enabled for disallowed URLs.
   

4. (Optional) Configure attack signatures:
   - If enabled, you can override attack signatures for this specific URL.
   - For details on signature configuration, see [Add Signature Sets](/nim/waf-integration/policies-and-logs/policies/add-signature-sets.md).
5. Select **Add URL** to save your configuration.