Activate F5 product registration key
Verify the proper operation of your BIG-IP system
Get up to speed with free self-paced courses
Join the community of 250,000+ technical peers
Advance your career with F5 Certification
Product Manuals and Release notes
Path parameters are parameters that are attached to path segments in the URI. You can configure Application Security Manager™ (ASM) to enforce path parameters as needed in your organization. Path parameters can be ignored, or treated as parameters, or as an integral part of URLs.
Although path parameters are not widely used, they could serve as covert back doors to potential attacks even for server applications that do not use path parameters. For example, an application could copy a URI with path parameters containing attack signatures to the body of the response.
Path parameters can have multiple parameters in the same path segment separated by semicolons. A semicolon also separates the path segment from the parameters; for example, /path/name;param1;p2;p3. Each parameter can optionally equal a value; for example, param=value;p2. If a path parameter has more than one value, the values are separated by commas, such as param=val1,val2,val3.
Path parameters are extracted from requests, but not from responses.
|As Parameter||The system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level, and if not found, then at the Global level), and enforces it according to its attributes like any other parameter.|
|As URL||The system does not normalize or enforce path parameters, and treats them as an integral part of the URL.|
|Ignore||The system removes path parameters from URLs as part of the normalization process, but does not enforce them.|