Before you can complete this task, you need to have already created a security
policy for your application.
This task describes how to create a JSON profile that defines the properties that
the security policy enforces for an application sending JSON payloads.
Note: The system supports JSON in UTF-8 and UTF-16 encoding.
On the Main tab, click
The Create New JSON Profile screen opens.
Type the name of the profile.
Adjust the maximum values that define the JSON data for the AJAX application, or
use the default values.
To change the security policy settings for specific attack signatures for this
JSON profile, in the Global Security Policy Settings
list, select the attack signatures and then move them into the
Overridden Security Policy Settings list.
Note: If no attack signatures are listed in the Global Security Policy Settings list, create the profile, update the attack signatures, then edit the profile.
In the Overridden Security Policy Settings list, enable or disable each attack signature as needed:
||Enforces the attack signature for this JSON profile, although the signature may be disabled in general. The system reports the violation Attack Signature Detected when the JSON in a request matches the attack signature.
||Disables the attack signature for this JSON profile, although the signature may be enabled in general.
To allow or disallow specific meta characters in JSON data (and thus override the global meta character
settings), click Value Meta Characters.
- Select the Check characters check box, if it is not already selected.
- Move any meta characters that you want to allow or disallow from the
Global Security Policy Settings list into the
Overridden Security Policy Settings
- In the Overridden Security Policy Settings list,
change the meta character state to Allow or
To mask sensitive JSON data (replacing it with asterisks), click Sensitive Data Configuration.
- In the Element Name field, type the JSON element
whose values you want the system to consider sensitive.
- Click Add.
Important: If the JSON data causes violations and the system stops parsing the JSON part
way through a transaction, the system masks only the sensitive data that was
Add any other elements that could contain sensitive data that you want to mask.
The system creates the profile and displays it in the JSON Profiles list.
This creates a JSON profile, which does not affect the security policy until you associate the profile with a URL or parameter.
Next, you need to associate the JSON profile with any URLs or parameters that may include JSON.
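To check an Element Name list before entering it under Sensitive Data Configuration, the following added example (not the product's code) masks named elements in a sample payload with asterisks and reports which names never matched. It assumes names match case-sensitively at any nesting depth and that the whole value is masked; `mask_sensitive` and the sample payload are constructed for illustration.

```python
import json

# Constructed sample payload; not taken from any real application.
SAMPLE = ('{"user": "alice", "password": "hunter2", '
          '"cards": [{"pan": "4111111111111111", "cvv": 123}], '
          '"profile": {"Password": "x"}}')

def mask_sensitive(payload, sensitive_names):
    """Return (masked_json_text, masked_paths, unmatched_names).

    Assumption: an element is matched by exact name at any depth.
    """
    matched = set()
    masked_paths = []

    def mask_value(value):
        # A container under a sensitive name has every scalar leaf masked.
        if isinstance(value, dict):
            return {k: mask_value(v) for k, v in value.items()}
        if isinstance(value, list):
            return [mask_value(v) for v in value]
        text = value if isinstance(value, str) else json.dumps(value)
        return "*" * len(text)

    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                child = f"{path}.{key}"
                if key in sensitive_names:
                    matched.add(key)
                    masked_paths.append(child)
                    out[key] = mask_value(value)
                else:
                    out[key] = walk(value, child)
            return out
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node

    masked = walk(json.loads(payload), "$")
    # Names that never matched point to a typo or a case mismatch.
    unmatched = sorted(set(sensitive_names) - matched)
    return json.dumps(masked), masked_paths, unmatched

if __name__ == "__main__":
    text, paths, missing = mask_sensitive(SAMPLE, {"password", "pan", "cvv", "ssn"})
    print(text, paths, missing, sep="\n")
```

In the sample, `profile.Password` stays readable because only the lowercase name is in the list, which is the kind of gap to close by adding the missing element name.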