Adding JSON Support to an Existing Security Policy

Overview: Adding JSON support to existing security policies

This implementation describes how to add JSON (JavaScript® Object Notation) support to an existing security policy for an application that uses JSON for data transfer. You create a JSON profile to define what the security policy enforces and considers legal when it detects traffic that contains JSON data.

You can add JSON support to a security policy by completing these tasks.

Task Summary
  • Creating a JSON profile
  • Associating a JSON profile with a URL
  • Associating a JSON profile with a parameter

Creating a JSON profile

Before you can complete this task, you need to have already created a security policy for your application.
This task describes how to create a JSON profile that defines the properties that the security policy enforces for an application sending JSON payloads.
Note: The system supports JSON in UTF-8 and UTF-16 encoding.
  1. On the Main tab, click Application Security > Content Profiles > JSON Profiles.
  2. Click Create. The Create New JSON Profile screen opens.
  3. Type the name of the profile.
  4. Adjust the maximum values that define the JSON data for the AJAX application, or use the default values.
  5. To change the security policy settings for specific attack signatures for this JSON profile, in the Global Security Policy Settings list, select the attack signatures and then move them into the Overridden Security Policy Settings list.
    Note: If no attack signatures are listed in the Global Security Policy Settings list, create the profile, update the attack signatures, then edit the profile.
  6. In the Overridden Security Policy Settings list, enable or disable each attack signature as needed:
    Enabled: Enforces the attack signature for this JSON profile, even if the signature is disabled in the global policy settings. The system reports the violation Attack Signature Detected when the JSON in a request matches the attack signature.
    Disabled: Disables the attack signature for this JSON profile, even if the signature is enabled in the global policy settings.
  7. To allow or disallow specific meta characters in JSON data (and thus override the global meta character settings), click Value Meta Characters.
    • Select the Check characters check box, if it is not already selected.
    • Move any meta characters that you want to allow or disallow from the Global Security Policy Settings list into the Overridden Security Policy Settings list.
    • In the Overridden Security Policy Settings list, change the meta character state to Allow or Disallow.
  8. To mask sensitive JSON data (replacing it with asterisks), click Sensitive Data Configuration.
    • In the Element Name field, type the JSON element whose values you want the system to consider sensitive.
    • Click Add.
    Important: If the JSON data causes violations and the system stops parsing the JSON part way through a transaction, the system masks only the sensitive data that was fully parsed.
    Add any other elements that could contain sensitive data that you want to mask.
  9. Click Create. The system creates the profile and displays it in the JSON Profiles list.
The JSON profile has no effect on the security policy until you associate it with a URL or parameter.
Next, associate the JSON profile with every URL or parameter that may carry JSON.

Associating a JSON profile with a URL

Before you can associate a JSON profile with a URL, you need to have created a security policy with policy elements including application URLs, and the JSON profile.
You can associate a JSON profile with one or more explicit or wildcard URLs.
  1. On the Main tab, click Application Security > URLs.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. From the Allowed URLs List, click the name of a URL that may contain JSON data. The Allowed URL Properties screen opens.
  4. Next to Allowed URL Properties, select Advanced.
  5. For the Header-Based Content Profiles setting, in the Request Header Name field, type the explicit string or header name that defines when the request is treated as the Parsed As type; for example, content-type. This field is not case sensitive.
    Note: If the URL always contains JSON data, just change the default header-based content profile to be Parsed As JSON, then you do not have to specify the header name and value.
  6. For the Header-Based Content Profiles setting, in the Request Header Value field, type the wildcard pattern (using *, ?, or [chars]) that the value of the header named in the Request Header Name field must match; for example, *json*. This field is case sensitive.
  7. From the Parsed As list, select JSON.
  8. From the Profile Name list, select the JSON profile appropriate for this URL.
  9. Click Add. Add as many header types as you need to secure this URL, clicking Add after specifying each one.
  10. To override the global meta character settings for this URL, adjust the meta character policy settings:
    • Select the Check characters on this URL check box, if it is not already selected.
    • Move any meta characters that you want to allow or disallow from the Global Security Policy Settings list into the Overridden Security Policy Settings list.
    • In the Overridden Security Policy Settings list, change the meta character state to Allow or Disallow.
  11. Click Update.
  12. To activate the updated security policy, on the top right of the screen, click Apply Policy, then click OK to confirm.
The JSON profile is associated with the URL.
Continue to associate JSON profiles with any URLs in the application that may contain JSON data.
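The following Python script is an added illustration, not code from the product or this manual, of the two decisions the procedures above describe: the header-based content profile match (step 5 and step 6 of the URL procedure, with a case-insensitive header name and a case-sensitive wildcard value) and the masking of sensitive JSON elements with asterisks (step 8 of the profile procedure). The rule, profile and element names, the sample headers and the sample request bodies are all constructed for the example; the matching and masking logic is a plain model of the documented behavior, not the product's implementation.

```python
import fnmatch
import json
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed header-based content profile rules, mirroring the fields in the
# URL procedure: Request Header Name, Request Header Value (wildcard),
# Parsed As and Profile Name. Rule contents are hypothetical.
HEADER_RULES: List[Dict[str, str]] = [
    {
        "header_name": "content-type",
        "header_value": "*json*",
        "parsed_as": "JSON",
        "profile": "json_api_profile",
    },
]

# Constructed JSON profile: element names whose values are considered
# sensitive and are masked (Sensitive Data Configuration in step 8).
JSON_PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "json_api_profile": {"sensitive_elements": {"password", "ssn"}},
}

MASK = "********"


def match_header_rule(headers: Dict[str, str],
                      rules: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the first rule whose header name and value wildcard match.

    Header names are compared case-insensitively (as the manual states for
    Request Header Name); the value is matched case-sensitively with
    fnmatch semantics, which supports *, ? and [chars].
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for rule in rules:
        value = lowered.get(rule["header_name"].lower())
        if value is not None and fnmatch.fnmatchcase(value, rule["header_value"]):
            return rule
    return None


def mask_sensitive(node: Any, sensitive: Set[str]) -> Any:
    """Recursively replace the value of every sensitive element with asterisks.

    Nested objects and arrays are walked so that an element such as "ssn"
    inside a list of records is masked as well.
    """
    if isinstance(node, dict):
        return {
            key: (MASK if key in sensitive else mask_sensitive(value, sensitive))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [mask_sensitive(value, sensitive) for value in node]
    return node


def inspect_request(headers: Dict[str, str], body: str) -> Tuple[str, Optional[str]]:
    """Decide how a request body is parsed and produce a log-safe copy.

    Returns (parsed_as, masked_body). When no header rule matches, the body
    is treated as plain HTTP and returned unchanged. When the body is not
    valid JSON, None is returned: nothing was fully parsed, so nothing can be
    masked. This simplifies the documented behavior, where only the part of
    the JSON that was fully parsed is masked.
    """
    rule = match_header_rule(headers, HEADER_RULES)
    if rule is None:
        return "HTTP", body
    profile = JSON_PROFILES[rule["profile"]]
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return rule["parsed_as"], None
    masked = mask_sensitive(data, profile["sensitive_elements"])
    return rule["parsed_as"], json.dumps(masked)


if __name__ == "__main__":
    # Constructed sample request: matches the *json* rule, so the body is
    # parsed as JSON and the password value is masked before logging.
    sample_headers = {"Content-Type": "application/json"}
    sample_body = '{"user": "bob", "password": "hunter2"}'
    print(inspect_request(sample_headers, sample_body))
```

Two points in the procedure are visible in the test cases: a header value of `application/JSON` does not match the wildcard `*json*` because the value comparison is case sensitive, while a header sent as `CONTENT-TYPE` still matches because the header name comparison is not.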

Associating a JSON profile with a parameter

You need to have created a security policy with policy elements including parameters and a JSON profile.
You can associate a JSON profile with a parameter.
  1. On the Main tab, click Application Security > Parameters.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. From the Parameters List, click the name of a parameter to which to assign a JSON profile. The Parameter Properties screen opens.
  4. For the Parameter Value Type setting, select JSON value.
  5. From the JSON Profile list, select the JSON profile to use for this parameter.
  6. Click Update. The system associates the JSON profile with the parameter.
  7. To activate the updated security policy, on the top right of the screen, click Apply Policy, then click OK to confirm.
Continue to associate JSON profiles with any parameters in the application that may contain JSON data.

Implementation results

You have manually added JSON support to the active security policy. The policy can now secure applications that use JSON for data transfer between the client and the server. If web application traffic includes JSON data, the system checks that it meets the requirements that you specified in the JSON profile.
