In a security policy, you can manually specify the file types that are allowed (or disallowed) in traffic to the web application being protected. This applies only if you are not using automatic policy building, which F5 recommends. When using automatic policy building, Application Security Manager determines which file types to add, based on legitimate traffic.
When you create a security policy, a wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types in the traffic and makes learning suggestions; you can review them and add the file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you think all the file types are included in the security policy, you can remove the * wildcard from the allowed file types list.
Referrer URLs are web pages that request other URLs within a web application. For example, an HTML page can request a GIF, JPG, or PNG image file. The HTML page is the referrer, and the GIF, JPG, and PNG files are non-referrers. In lists of URLs, non-referrer URLs appear in blue and referrer URLs appear in gold.
A referrer in Application Security Manager is similar to the HTTP Referer header. Use referrers for complex objects, such as HTML pages, but not for embedded objects, such as GIF files.
| URL type | Description |
|---|---|
| Explicit | Specifies a unique URL, such as /index.html. Choose HTTP or HTTPS, and type the URL in the adjacent field. |
| Wildcard | Specifies that the URL is a wildcard expression. Any URL that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy, so you do not need to add it. But you can add other wildcards such as /main/*. Select HTTP or HTTPS, and type a wildcard expression in the adjacent field. |
| Option | Description |
|---|---|
| Never (wildcard only) | The system does not add or suggest that you add entities that match the wildcard to the policy. When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option results in a security policy that is easy to manage but may not be as strict. |
| Add All Entities | The system creates a comprehensive whitelist policy that includes all of the website entities. This option will form a large set of security policy entities, which produce a granular object-level configuration and a high security level; it may take more time to maintain such a policy. |
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
| Wildcard character | Matches |
|---|---|
| ? | Any single character |
| [abcde] | Exactly one of the characters listed |
| [!abcde] | Any character not listed |
| [a-e] | Exactly one character in the range |
| [!a-e] | Any character not in the range |
These tables describe the allowed URL properties (both Basic and Advanced settings) that appear on different parts of the screen.

| Setting | Description |
|---|---|
| URL | Specifies a URL that the security policy allows. The available types are Explicit and Wildcard (see the URL type table above). |
| Protocol | Specifies whether the protocol for the URL is HTTP or HTTPS. |
| Perform Staging | Specifies that the system places this URL in staging. Learning suggestions produced by requesting staged URLs are logged in the Learning screens. Review staging status on the URL List screen. If a URL is in staging, point to the icon to display staging information. When you are no longer getting learning suggestions, you can disable this setting. If you enforce a URL, this setting is cleared. |
| Learn Explicit Entities | Specifies how the system adds, or suggests that you add, URLs to the security policy when you are creating a wildcard URL. The options are Never and Add All Entities (see the table above). |
| Check Flows to this URL | Specifies that the security policy validates flows to the URL (if configured). If this setting is disabled, the system ignores the flows to the URL. When you select this check box, additional settings appear. |
| URL is Entry Point | (Visible when Check Flows to this URL is selected.) Specifies that this URL is a page through which a visitor can enter the web application. |
| URL is Referrer | (Visible when Check Flows to this URL is selected.) Specifies that the URL is a URL from which a user can access other URLs in the web application. |
| URL can change Domain Cookie | Specifies that the security policy does not block an HTTP request where the domain cookie was modified on the client side. Note that this setting is applicable only if the URL is a referrer. |
| URL with Navigation Parameter | Specifies that you want to associate a navigation parameter with this URL. You must have a navigation parameter defined in the security policy to view this option. |
| Select Navigation Parameter | Specifies a list of navigation parameters that you can associate with this URL. |
| Navigation Parameter Value | Indicates the value of the navigation parameter. |
| Clickjacking Protection | Specifies that the system adds the X-Frame-Options header to the domain cookie's response header. This is done to protect the web application against clickjacking. Clickjacking occurs when an attacker lures a user into clicking illegitimate frames and iframes that the attacker has hidden over the buttons of a legitimate, visible website. Enabling this option therefore protects the web application from other web sites hiding malicious code behind it. The default is disabled. After you enable this option, you can select whether, and under what conditions, the browser should allow this URL to be rendered in a frame or iframe. |
| Allow Rendering in Frames | Specifies the conditions under which the browser should allow this URL to be rendered in a frame or iframe. |
| Wildcard Match Includes Slashes | Specifies that an asterisk in a wildcard URL matches any number of path segments (separated by slashes); when cleared, specifies that an asterisk matches at most one segment. For example: the wildcard /art/* matches /art/abc/index.html if the wildcard match includes slashes (the default), but does not match it if the check box is cleared. In that case, it matches /art/go.html (only one segment below /art). |
| URL Description | Describes the URL (optional). |
| Request Header Name | Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive. |
| Request Header Value | Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, *json*, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive. |
| Request Body Handling | Indicates how the system parses the content of requests for the allowed URL. The options are listed in the header-based content profile table below. |
| Profile Name | Specifies the XML, JSON, or GWT profile the security policy uses when examining requests for this URL if the header content is parsed as XML, JSON, or GWT. You can also create or view the XML, JSON, or GWT profile from this option. |
| Allow HTML5 Cross-Origin Requests | Allows all CORS requests to this URL, and displays additional settings. |
| Allowed Origins | Allows you to specify a list of origins allowed to share data returned by this URL. |
| Allowed Methods | Allows you to specify a list of methods that other web applications hosted in different domains can use when requesting this URL. |
| Allowed Headers | Allows you to specify a list of request headers that other web applications hosted in different domains can use when requesting this URL. Or you can delete non-simple headers returned in response to requests. |
| Allow Credentials | Specifies whether requests from other web applications hosted in different domains may include user credentials. |
| Check characters on this URL | Specifies that the system verifies meta characters on this URL. You can change which meta characters are allowed or disallowed. |
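The wildcard syntax in the table above and the Wildcard Match Includes Slashes and Request Header Value rows describe the same glob matcher from two sides. The following is an added example, not ASM's own matching code: it translates an entity name written with ?, [abcde], [!abcde], [a-e], [!a-e] and * into an anchored regular expression and applies it to constructed sample URLs and header values. It assumes that * matches any run of characters, that clearing Wildcard Match Includes Slashes stops * from crossing a / (the "at most one segment" reading of the table), and that ? and bracket classes are unaffected by that setting; those three points are this example's assumptions, not statements from the page.

```python
import re


def wildcard_to_regex(pattern: str, include_slashes: bool = True) -> str:
    """Translate an ASM-style shell wildcard into an anchored regular expression.

    Supported syntax: ?  [abcde]  [!abcde]  [a-e]  [!a-e]  and * (any run of
    characters). When include_slashes is False, * is not allowed to cross a
    path separator, so /art/* matches /art/go.html but not /art/abc/index.html.
    Assumption (this example only): ? and bracket classes still match a
    literal /, whatever the slashes setting is.
    """
    star = ".*" if include_slashes else "[^/]*"
    parts = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            parts.append(star)
        elif c == "?":
            parts.append(".")
        elif c == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            if body in ("", "!"):
                # Unterminated or empty class: treat the bracket as a literal.
                parts.append(re.escape(c))
            else:
                negate = body.startswith("!")
                if negate:
                    body = body[1:]
                # Neutralise characters that would carry regex meaning inside [...].
                body = body.replace("\\", "\\\\")
                if body.startswith("^"):
                    body = "\\" + body
                parts.append("[" + ("^" if negate else "") + body + "]")
                i = close
        else:
            parts.append(re.escape(c))
        i += 1
    return "^" + "".join(parts) + "$"


def wildcard_match(pattern: str, value: str, include_slashes: bool = True) -> bool:
    """Return True if value matches the wildcard entity name."""
    return re.fullmatch(wildcard_to_regex(pattern, include_slashes), value) is not None


if __name__ == "__main__":
    # Constructed sample values; the first three reproduce the table's /art/* example.
    samples = [
        ("/art/*", "/art/abc/index.html", True),
        ("/art/*", "/art/abc/index.html", False),
        ("/art/*", "/art/go.html", False),
        ("*json*", "application/json", True),
        ("xml_method?", "xml_method1", True),
        ("method[0-9]", "method7", True),
        ("[!a-e]*", "abc", True),
    ]
    for pattern, value, slashes in samples:
        print(f"{pattern!r:14} vs {value!r:24} slashes={slashes!s:5} -> "
              f"{wildcard_match(pattern, value, slashes)}")
```

The translator keeps the pure wildcard (*) as the most permissive entity, which is why the page recommends removing it from a policy once the explicit entities it was standing in for have been learned.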
You can use header-based content profiles to configure how the system recognizes and enforces requests for this URL according to the header content in the request. You can also use header-based content profiles to block traffic based on the type of header and header value in requests for a URL.
| Option | Description |
|---|---|
| Apply Content Signatures | Do not parse the content; scan the entire payload with full-content attack signatures. |
| Apply Value and Content Signatures | Do not parse the content or extract parameters; process the entire payload with value and full-content attack signatures. This option provides basic security for protocols other than HTTP, XML, JSON, and GWT; for example, use *amf* as the header value for a content type of Action Message Format. |
| Disallow | Block requests for a URL containing this header content. The system logs the Illegal Request Content Type violation. |
| Do Nothing | Do not inspect or parse the content. Handle the header of the request as specified by the security policy. |
| Form Data | Parse content as posted form data in either URL-encoded or multi-part formats. Enforce the form parameters according to the policy. |
| GWT | Examine data in requests, based on the configuration of a GWT (Google Web Toolkit) profile associated with this URL. |
| JSON | Examine JSON data using an associated JSON profile, and use value attack signatures to scan the element values. |
| XML | Examine XML data using an associated XML profile. |
| Use this option | When |
|---|---|
| Custom pattern | The security policy uses a user-defined regular expression to recognize a dynamic session ID in URLs. Type a regular expression in the Value field, and a description in the Description field. |
| Default pattern | The security policy uses the default regular expression (\/sap\([^)]+\)) for recognizing a dynamic session ID in URLs. |
| Disabled | The security policy does not enforce dynamic session IDs in URLs. This is the default value. |
Normally, if the system receives a request in which the dynamic session information does not match the settings in the security policy, the system issues the Illegal session ID in URL violation. When you allow dynamic session IDs in URLs, ASM extracts the dynamic session information from requests or responses, based on the pattern that you configure. For requests, the system applies the pattern to the URI up to, but not including, the question mark (?) character in a query string.
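The extraction rule in the paragraph above (apply the pattern to the URI up to, but not including, the ? of the query string) is easy to get wrong in a custom pattern, so here is an added example, not ASM code, that applies the page's default pattern and a constructed custom pattern to constructed request targets. The ;jsessionid=... pattern, the sample paths and the ALLOWED_SESSION_IDS set are all constructed for this example; the page says only that a non-matching request raises the Illegal session ID in URL violation, so treating "ID absent or not one the policy has seen" as non-matching is this example's assumption.

```python
import re
from typing import Optional

# Default pattern quoted in the table above, used verbatim (\/ is a literal slash in re).
DEFAULT_SESSION_ID_PATTERN = r"\/sap\([^)]+\)"

# Constructed custom pattern, as a user might type into the Value field.
CUSTOM_JSESSIONID_PATTERN = r";jsessionid=[0-9A-Fa-f]+"

# Constructed set of session IDs the policy has already extracted (e.g. from responses).
ALLOWED_SESSION_IDS = {"/sap(bD1lbiZjPTAwMA==)"}

VIOLATION = "Illegal session ID in URL"


def extract_dynamic_session_id(request_target: str,
                               pattern: str = DEFAULT_SESSION_ID_PATTERN) -> Optional[str]:
    """Return the dynamic session ID found in the request URI, or None.

    Per the page, the pattern is applied to the URI up to but not including
    the '?' that starts the query string, so a session token that appears
    only in a query parameter is deliberately not extracted.
    """
    path_part = request_target.split("?", 1)[0]
    match = re.search(pattern, path_part)
    return match.group(0) if match else None


def check_request(request_target: str,
                  pattern: str = DEFAULT_SESSION_ID_PATTERN,
                  known_ids=ALLOWED_SESSION_IDS) -> str:
    """Classify a request as 'ok' or as the violation name.

    Assumption for this example: a request whose URI carries no session ID,
    or one the policy has not seen, does not match the policy settings.
    """
    session_id = extract_dynamic_session_id(request_target, pattern)
    if session_id is None or session_id not in known_ids:
        return VIOLATION
    return "ok"


if __name__ == "__main__":
    # Constructed request targets.
    for target in [
        "/sap(bD1lbiZjPTAwMA==)/bc/gui/sap/its/webgui?sap-client=000",
        "/bc/gui/sap/its/webgui?next=/sap(bD1lbiZjPTAwMA==)",
        "/index.html",
    ]:
        print(f"{target:55} -> {extract_dynamic_session_id(target)!r:28} {check_request(target)}")
```

Because the split happens on the first ? only, a second ? inside the query string never reaches the pattern, and a session ID smuggled into the query string is reported as a violation rather than silently accepted.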