Manual Chapter : Configuring HTTP Headers that Require Special Treatment

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

About mandatory headers

A mandatory header is a header that must appear in a request for the request to be considered legal by the system. If a request does not contain the mandatory header and the Mandatory HTTP header is missing violation is set to alarm or block, the system logs or blocks the request. This violation is not set to alarm or block by default, so you have to set the blocking policy if you want to alarm or block requests that do not include a mandatory header.

You can use mandatory headers to make sure, for example, that requests are passing a proxy (which introduces such a header) before they reach the Application Security Manager™.

You configure mandatory headers on the HTTP Headers screen.

About header normalization

Header normalization is a process whereby the Application Security Manager™ buffers the contents of request headers to change them into a standard format that can be more easily checked for discrepancies. Normalizing deals with special characters (such as percent encoding), non-ASCII text, URL paths and parameters, Base64 encoded binary content, non-printable characters, HTML codes, and many other formats that may be used in headers that could potentially hide malicious code.

Not all headers need to be normalized. You should normalize referer headers, and custom headers containing binary data, URLs, or other encoded information. But there is a performance trade-off when using normalization, so you should implement it only when needed.

You configure header normalization on the HTTP Headers screen when you select the option to check signatures for the header.

About default HTTP headers

Application Security Manager™ (ASM) includes the default HTTP headers listed in the table.

Header Name Description
* (wildcard) This wildcard HTTP header checks signatures against all requests unless they match another HTTP header. No normalization settings are selected by default, but you can edit them. Realize that enabling normalization on the wildcard header may impact performance. The Base64 Decoding and Mandatory check boxes are unavailable for this header.
referer When requests have referer headers, they include URLs. The system checks signatures against them, performs URL normalization, and validates the URL syntax. Violations are issued if problems are encountered during normalization. The other settings are not typically relevant for this header.
cookie Cookies have their own process for normalization and attack signature check and so the cookie as a header is always excluded from the normalization and attack signature check. You cannot change the settings, but you can configure the settings of a specific cookie by clicking the Cookie configuration link.
authorization Although the user name may be encoded as Base64, the Base64 decoding is always off for this header; the reason for this is that the user name (and password) are only part of the Authorization header value. ASM™ detects what and when to decode, so the generic Base64 setting should always be off. Therefore, the Base64 Decoding check box is unavailable for this header. Realize that enabling normalization on the authorization header may impact performance.

You cannot delete any of the default HTTP headers.

Overview: Configuring HTTP headers

This is an advanced task not required in all environments.

Application Security Manager™ (ASM) lets you configure custom headers that deserve special treatment in your security policy. You can add these types of headers:

  • Mandatory headers
  • Headers that require Base64 decoding
  • Headers to exclude from signature checks
  • Headers that need to be normalized

The security policy can recognize requests with these headers and handles them with special consideration. For example, if your application uses custom headers that must occur in every request, you can configure mandatory headers in the security policy. Or, if some request headers include binary content encoded in Base64, you can instruct ASM™ to decode the data and examine it for discrepancies.

You can also specify many different options to normalize an HTTP header for which you want to check signatures.

Configuring HTTP headers

You add HTTP headers to a security policy when you need to define certain headers that require special treatment when found in requests. For example, if you are receiving false positives for a certain type of header, you can create the header and exclude it from signature checks.
  1. On the Main tab, click Security > Application Security > Headers > HTTP Headers .
    The HTTP Headers screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click Create.
    The New Header screen opens.
  4. From the Name list, select a standard HTTP header name type or select Custom and type the custom header name that appears in requests.
  5. If you want this to be a header that is required in every request, select the Mandatory check box.
    If a request does not include this header, the Mandatory HTTP header is missing violation occurs (if set to alarm or block).
  6. If you want the security policy to check this header against attack signatures, select the Check Attack Signatures check box. Otherwise, this header is excluded from signature checks.
    If the check box is selected, the screen displays additional settings for header normalization and the Attack Signatures tab.
  7. If this is a custom header that may include base64 encoding, select the Base64 Decoding check box.
    Note: When this check box is selected, the options Percent Decoding, Url Normalization, and Normalization Violations are unavailable because they are not compatible with Base64 decoding.
    The system performs decoding on the header and if decoding fails, the Illegal Base64 Value violation occurs (if set to alarm or block).
  8. If you want to normalize this header, select the options you need.
    Option Description
    Percent Decoding This option normalizes referer headers or custom headers that may include strings with encoded percent codes (%xx) that replace certain characters, perform unescaping, and require other checks. This is included in URL normalization and thus is not available when checking the URL Normalization option.
    Url Normalization This option normalizes URLs in referer headers or custom headers that may include URLs with multiple slashes, directory traversal, or which require backslash replacement or path parameter removal. Includes percent decoding also.
    HTML Normalization This option removes non-printable characters, comment delimiters, HTML, hex, and decimal codes, and other HTML extras.
  9. If you want evasion violations to be issued in case of problems while normalizing the header, select the Evasion Techniques Violations check box.
    This check box is only available if using Percent Decoding or Url Normalization.
  10. If the attack signatures included in the security policy apply differently to this HTTP header, you can adjust them on the Attack Signatures tab.
    1. Ensure that Check Attack Signatures is selected.
    2. From the Global Security Policy Settings list, move any attack signatures whose global settings you want to override into the Overridden Security Policy Settings and adjust the state as needed (from Enabled to Disabled or vice versa).
    Tip: The most common action you perform here is to disable an attack signature for a specific URL.
    Overridden attack signatures are preceded with a yellow alert triangle in the attack signature list, and you can filter the list to view them.
  11. Click Create.
    The HTTP Headers screen opens and lists the new header.
When ASM™ receives a request with the type of header you created, the system performs the special considerations indicated in the HTTP header.

Configuring the maximum HTTP header length

You specify a maximum HTTP header length so that the system knows the acceptable maximum length for the HTTP header in an incoming request. This setting is useful primarily in preventing buffer overflow attacks.
  1. On the Main tab, click Security > Application Security > Security Policies .
    The Policies List screen opens.
  2. Click the name of the security policy you want to work on.
    The Policy Summary opens.
  3. From the list, select Advanced.
  4. For the Maximum HTTP Header Length setting, select one of the options.
    Option Description
    Any Specifies that the system accepts requests with HTTP headers of any length.
    Length with a value in bytes Specifies that the system accepts HTTP headers up to that length. The default maximum length is 8192 bytes.
  5. Click Save to save your settings.
  6. To put the security policy changes into effect immediately, click Apply Policy.

The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.

Implementation Result

When Application Security Manager™ receives requests, the system checks the header to see if it matches any of the HTTP headers other than the wildcard header. If the request header matches one of the headers, the system performs the configured options for that header.

You can review suggestions related to violations that occur on the Traffic Learning screen. HTTP header violations are listed under Evasion Techniques in the section Evasion Techniques Detected in Headers. You can examine the requests to see if they are legitimate or false positives. If they are false positives, you can consider turning off evasion violations or normalization for the header. You can drill down and view the headers causing violations. If a header violation is a false positive, you can also disable normalization from the Evasion Techniques Detected in Headers screen.

If signature violations occur in the header, the system suggests disabling the signature that cause the violation, or disabling the signature check for that header. If a header declared mandatory is missing, the system suggests disabling the violation or making the missing header non-mandatory.

If the Base64 violation occurs in the header, the system suggests disabling the violation or disabling the Base64 decoding for that header.