Before you can complete this task, you need to have already created a security
policy for your application.
This task describes how to create a JSON profile that defines the properties that
the security policy enforces for an application sending JSON payloads or WebSocket
payloads in JSON format.
Note: The system supports JSON in UTF-8 and UTF-16
encoding. WebSocket allows only UTF-8.
On the Main tab, click
Click Create to create a new JSON profile, or edit the
Default JSON profile (by clicking it).
The Create New JSON Profile screen opens.
Type a name for the profile.
Adjust the maximum values that define the JSON data for the AJAX application,
or use the default values.
If you want the system to tolerate and not report warnings about JSON content,
select the Tolerate JSON Parsing Warnings check
If the system cannot parse JSON content, it generates the violation
Malformed JSON data, regardless of whether this setting is
enabled or disabled.
To parse parameters in a JSON payload as parameters (recommended), ensure that
Parse Parameters is enabled.
The system extracts parameters from JSON content whenever the JSON profile is
used; for example, with URLs, WebSocket URLs, or parameters that use a JSON
The security policy parses parameters extracted from the JSON payload
the same as other parameters. Also, the Attack Signatures, Value Metacharacters,
and Sensitive Data Configuration tabs are removed from the screen, so you can
skip to the last step.
If the signatures included in the security policy are not sufficient for this
JSON profile, you can change them.
On the Attack Signatures tab, in the Global Security Policy
Settings list, select any specific attack signatures
that you want to enable or disable for this profile, and then move them
into the Overridden Security Policy Settings
Tip: If no attack signatures are listed in the Global
Security Policy Settings list, create the profile,
update the attack signatures, then edit the profile.
After you have moved any applicable attack signatures to the
Overridden Security Policy Settings list,
enable or disable each of them as needed:
Enabled - Enforces the attack signature for
this JSON profile, although the signature might be disabled in
general. The system reports the violation Attack
Signature Detected when the JSON in a request
matches the attack signature.
Disabled - Disables the attack signature
for this JSON profile, although the signature might be enabled
To allow or disallow specific meta characters in JSON data (and thus override
the global meta character settings), click the Value Meta Characters tab.
- Select the Check characters check box, if it is
not already selected.
- Move any meta characters that you want allow or disallow from the
Global Security Policy Settings list into the
Overridden Security Policy Settings
- In the Overridden Security Policy Settings list,
change the meta character state to Allow or
To mask sensitive JSON data (replacing it with asterisks), click the Sensitive
Data Configuration tab.
- In the Element Name field, type the JSON element
whose values you want the system to consider sensitive.
- Click Add.
Important: If the JSON data causes violations and the system stops
parsing the data part way through a transaction, the system masks only the
sensitive data that was fully parsed.
Add any other elements that could contain sensitive data that you want to
Click Create (or Update if
editing the Default profile).
The system creates the profile and displays it in the JSON Profiles
This creates a JSON profile that affects the security policy when you associate the
profile with a URL, WebSocket URL, or parameter.
Next, you need to associate the JSON profile with any URLs, WebSocket URLs, or
parameters that might include JSON data.