A mandatory header is a header that must appear in a request for the request to be considered legal by the system. If a request does not contain the mandatory header and the Mandatory HTTP header is missing violation is set to alarm or block, the system logs or blocks the request. This violation is not set to alarm or block by default, so you have to set the blocking policy if you want to alarm or block requests that do not include a mandatory header.
You can use mandatory headers to make sure, for example, that requests are passing a proxy (which introduces such a header) before they reach the Application Security Manager.
You configure mandatory headers on the HTTP Headers screen.
Header normalization is a process whereby the Application Security Manager buffers the contents of request headers to change them into a standard format that can be more easily checked for discrepancies. Normalizing deals with special characters (such as percent encoding), non-ASCII text, URL paths and parameters, Base64 encoded binary content, non-printable characters, HTML codes, and many other formats that may be used in headers that could potentially hide malicious code.
Not all headers need to be normalized. You should normalize referer headers, and custom headers containing binary data, URLs, or other encoded information. But there is a performance trade-off when using normalization, so you should implement it only when needed.
You configure header normalization on the HTTP Headers screen when you select the option to check signatures for the header.
Application Security Manager (ASM) includes the default HTTP headers listed in the table.
|* (wildcard)||This wildcard HTTP header checks signatures against all requests unless they match another HTTP header. No normalization settings are selected by default, but you can edit them. Realize that enabling normalization on the wildcard header may impact performance. The Base64 Decoding and Mandatory check boxes are unavailable for this header.|
|referer||When requests have referer headers, they include URLs. The system checks signatures against them, performs URL normalization, and validates the URL syntax. Violations are issued if problems are encountered during normalization. The other settings are not typically relevant for this header.|
|cookie||Cookies have their own process for normalization and attack signature check and so the cookie as a header is always excluded from the normalization and attack signature check. You cannot change the settings, but you can configure the settings of a specific cookie by clicking the Cookie configuration link.|
|authorization||Although the user name may be encoded as Base64, the Base64 decoding is always off for this header; the reason for this is that the user name (and password) are only part of the Authorization header value. ASM detects what and when to decode, so the generic Base64 setting should always be off. Therefore, the Base64 Decoding check box is unavailable for this header. Realize that enabling normalization on the authorization header may impact performance.|
You cannot delete any of the default HTTP headers.
This is an advanced task not required in all environments.
Application Security Manager (ASM) lets you configure custom headers that deserve special treatment in your security policy. You can add these types of headers:
The security policy can recognize requests with these headers and handles them with special consideration. For example, if your application uses custom headers that must occur in every request, you can configure mandatory headers in the security policy. Or, if some request headers include binary content encoded in Base64, you can instruct ASM to decode the data and examine it for discrepancies.
You can also specify many different options to normalize an HTTP header for which you want to check signatures.
|Percent Decoding||This option normalizes referer headers or custom headers that may include strings with encoded percent codes (%xx) that replace certain characters, perform unescaping, and require other checks. This is included in URL normalization and thus is not available when checking the URL Normalization option.|
|Url Normalization||This option normalizes URLs in referer headers or custom headers that may include URLs with multiple slashes, directory traversal, or which require backslash replacement or path parameter removal. Includes percent decoding also.|
|HTML Normalization||This option removes non-printable characters, comment delimiters, HTML, hex, and decimal codes, and other HTML extras.|
|Any||Specifies that the system accepts requests with HTTP headers of any length.|
|Length with a value in bytes||Specifies that the system accepts HTTP headers up to that length. The default maximum length is 8192 bytes.|
The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.
When Application Security Manager receives requests, the system checks the header to see if it matches any of the HTTP headers other than the wildcard header. If the request header matches one of the headers, the system performs the configured options for that header.
You can review violations that occur on the Manual Traffic Learning screen. HTTP header violations are listed under Evasion Techniques in the section Evasion Techniques Detected in Headers. You can examine the requests to see if they are legitimate or false positives. If they are false positives, you can consider turning off evasion violations or normalization for the header. You can drill down and view the headers causing violations. If a header violation is a false positive, you can also disable normalization from the Evasion Techniques Detected in Headers screen.
If signature violations occur in the header, the system suggests disabling the signature that cause the violation, or disabling the signature check for that header. If a header declared mandatory is missing, the system suggests disabling the violation or making the missing header non-mandatory.
If the Base64 violation occurs in the header, the system suggests disabling the violation or disabling the Base64 decoding for that header.