.. _waf_template:

waf template
============

Manage WAF template configuration

template Specification
----------------------

===================================== ============================================================
**Parameter**                         **Value**
===================================== ============================================================
**Type**                              *Collection*
**Object Key(s)**                     *name*
**Collection Name**                   :ref:`3288_template_list`
**Collection URI**                    /axapi/v3/waf/template
**Element Name**                      template
**Element URI**                       /axapi/v3/waf/template/{name}
**Element Attributes**                template_attributes
**Partition Visibility**              shared
**Schema**                            :download:`template schema`
===================================== ============================================================

**Operations Allowed:**
=============== ========== ==================================== =====================================
Operation       Method     URI                                  Payload
=============== ========== ==================================== =====================================
Create Object   POST       /axapi/v3/waf/template               :ref:`3288_template_attributes`
Create List     POST       /axapi/v3/waf/template               :ref:`3288_template_attributes`
Get Object      GET        /axapi/v3/waf/template/{name}        :ref:`3288_template_attributes`
Get List        GET        /axapi/v3/waf/template               :ref:`3288_template_list`
Modify Object   POST       /axapi/v3/waf/template/{name}        :ref:`3288_template_attributes`
Replace Object  PUT        /axapi/v3/waf/template/{name}        :ref:`3288_template_attributes`
Replace List    PUT        /axapi/v3/waf/template               :ref:`3288_template_list`
Delete Object   DELETE     /axapi/v3/waf/template/{name}        :ref:`3288_template_attributes`
=============== ========== ==================================== =====================================
.. _3288_template_list:

template-list
-------------

template-list is **JSON List** of :ref:`3288_template_attributes`

template-list : [ { :ref:`3288_template_attributes` }, { :ref:`3288_template_attributes` }, ... ]

.. _3288_template_attributes:

template attributes
-------------------

**brute-force-protection**
   **Description:** brute-force-protection is a **JSON Block**. Please see below for :ref:`3288_brute-force-protection`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/brute-force-protection`

**cookie-security**
   **Description:** cookie-security is a **JSON Block**. Please see below for :ref:`3288_cookie-security`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/cookie-security`

**csp**
   **Description:** Insert HTTP header Content-Security-Policy if necessary

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**csp-insert-type**
   **Description:** 'insert-if-not-exist': Only insert the header when it does not exist; 'insert-always': Always insert the header even when there is a header with the same name;

   **Type:** string

   **Supported Values:** insert-if-not-exist, insert-always

**csp-value**
   **Description:** CSP header value, e.g., "script-src 'none'"

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

**data-leak-prevention**
   **Description:** data-leak-prevention is a **JSON Block**. Please see below for :ref:`3288_data-leak-prevention`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/data-leak-prevention`

**deploy-mode**
   **Description:** 'active': Deploy WAF in active (blocking) mode; 'passive': Deploy WAF in passive (log-only) mode; 'learning': Deploy WAF in learning mode;

   **Type:** string

   **Supported Values:** active, passive, learning

   **Default:** active

**evasion-check**
   **Description:** evasion-check is a **JSON Block**. Please see below for :ref:`3288_evasion-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/evasion-check`

**form-protection**
   **Description:** form-protection is a **JSON Block**. Please see below for :ref:`3288_form-protection`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/form-protection`

**http-limit-check**
   **Description:** http-limit-check is a **JSON Block**. Please see below for :ref:`3288_http-limit-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/http-limit-check`

**http-protocol-check**
   **Description:** http-protocol-check is a **JSON Block**. Please see below for :ref:`3288_http-protocol-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/http-protocol-check`

**http-redirect**
   **Description:** Send HTTP redirect response (302 Found) to specified URL (URL to redirect to when denying request)

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** http-redirect, http-resp-200, reset-conn, and http-resp-403 are mutually exclusive

**http-resp-200**
   **Description:** Send HTTP response with status code 200 OK

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

   **Mutual Exclusion:** http-resp-200, http-redirect, reset-conn, and http-resp-403 are mutually exclusive

**http-resp-403**
   **Description:** Send HTTP response with status code 403 Forbidden (default)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

   **Mutual Exclusion:** http-resp-403, http-redirect, http-resp-200, and reset-conn are mutually exclusive

**json-check**
   **Description:** json-check is a **JSON Block**. Please see below for :ref:`3288_json-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/json-check`

**learn-pr**
   **Description:** Enable per-request logs for WAF learning

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**log-succ-reqs**
   **Description:** Log successful WAF requests

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**logging**
   **Description:** Logging template (Logging Config name)

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

   **Reference Object:** :doc:`/axapi/v3/slb/template/logging`

**name**
   **Description:** WAF Template Name

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

**parent**
   **Description:** Inherit from parent template

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**parent-template-waf**
   **Description:** WAF template (WAF Config name)

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

   **Reference Object:** :doc:`/axapi/v3/waf/template`

**pcre-match-limit**
   **Description:** Maximum number of matches allowed (default 30000)

   **Type:** number

   **Range:** 1000-1500000

   **Default:** 30000

**pcre-match-recursion-limit**
   **Description:** Maximum levels of recursion allowed (default 5000)

   **Type:** number

   **Range:** 100-150000

   **Default:** 5000

**request-check**
   **Description:** request-check is a **JSON Block**. Please see below for :ref:`3288_request-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/request-check`

**reset-conn**
   **Description:** Reset the client connection

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

   **Mutual Exclusion:** reset-conn, http-redirect, http-resp-200, and http-resp-403 are mutually exclusive

**resp-url-200**
   **Description:** Response content to send client when denying request

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

**resp-url-403**
   **Description:** Response content to send client when denying request

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

**response-cloaking**
   **Description:** response-cloaking is a **JSON Block**. Please see below for :ref:`3288_response-cloaking`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/response-cloaking`

**soap-format-check**
   **Description:** Check XML document for SOAP format compliance

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**user-tag**
   **Description:** Customized tag

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 127 characters

   **Maximum Length:** 1 characters

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

**violation-log-mask**
   **Description:** violation-log-mask is a **JSON Block**. Please see below for :ref:`3288_violation-log-mask`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/violation-log-mask`

**wsdl-file**
   **Description:** Specify name of WSDL file for verifying XML body contents

   **Type:** string

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** wsdl-file and wsdl-resp-val-file are mutually exclusive

**wsdl-resp-val-file**
   **Description:** Specify name of WSDL file for verifying XML body contents

   **Type:** string

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** wsdl-resp-val-file and wsdl-file are mutually exclusive

**xml-check**
   **Description:** xml-check is a **JSON Block**. Please see below for :ref:`3288_xml-check`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/waf/template/{name}/xml-check`

**xml-schema-file**
   **Description:** Specify name of XML-Schema file for verifying XML body contents

   **Type:** string

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** xml-schema-file and xml-schema-resp-val-file are mutually exclusive

**xml-schema-resp-val-file**
   **Description:** Specify name of XML-Schema file for verifying XML body contents

   **Type:** string

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** xml-schema-resp-val-file and xml-schema-file are mutually exclusive

.. _3288_violation-log-mask:

violation-log-mask
^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**query-param-name-equal-type**
   **Description:** 'equals': Mask the query value if the query name equals the string;

   **Type:** string

   **Supported Values:** equals

**query-param-name-value**
   **Description:** The list of Query parameter names

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 1031 characters

   **Maximum Length:** 1 characters

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_data-leak-prevention:

data-leak-prevention
^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**ccn-mask**
   **Description:** Mask credit card numbers in response

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**keep-end**
   **Description:** Number of unmasked characters at the end (default: 0)

   **Type:** number

   **Range:** 0-65535

**keep-start**
   **Description:** Number of unmasked characters at the beginning (default: 0)

   **Type:** number

   **Range:** 0-65535

**mask**
   **Description:** Character to mask the matched pattern (default: X)

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 1 characters

   **Maximum Length:** 1 characters

**pcre-mask**
   **Description:** Mask matched PCRE pattern in response

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 63 characters

   **Maximum Length:** 1 characters

**ssn-mask**
   **Description:** Mask US Social Security numbers in response

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_brute-force-protection:

brute-force-protection
^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**brute-force-challenge-limit**
   **Description:** Maximum brute-force events before sending challenge (default 2) (Maximum brute-force events before locking out client (default 2))

   **Type:** number

   **Range:** 0-65535

   **Default:** 2

**brute-force-global**
   **Description:** Brute-force triggers apply globally instead of per-client (Apply brute-force triggers globally)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**brute-force-lockout-limit**
   **Description:** Maximum brute-force events before locking out client (default 5)

   **Type:** number

   **Range:** 0-65535

   **Default:** 5

**brute-force-lockout-period**
   **Description:** Number of seconds client should be locked out (default 600)

   **Type:** number

   **Range:** 0-1800

   **Default:** 600

**brute-force-resp-codes**
   **Description:** Trigger brute-force check on HTTP response code

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**brute-force-resp-codes-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**brute-force-resp-headers**
   **Description:** Trigger brute-force check on HTTP response header names

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**brute-force-resp-headers-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**brute-force-resp-string**
   **Description:** Trigger brute-force check on HTTP response reason phrase

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**brute-force-resp-string-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**brute-force-test-period**
   **Description:** Number of seconds for brute-force event counting (default 60)

   **Type:** number

   **Range:** 0-600

   **Default:** 60

**challenge-action-captcha**
   **Description:** Initiate a Captcha to verify client can respond

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**challenge-action-cookie**
   **Description:** Use Set-Cookie to determine if client allows cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**challenge-action-javascript**
   **Description:** Add JavaScript to response to test if client allows JavaScript

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**enable-disable-action**
   **Description:** 'enable': Enable brute force protections; 'disable': Disable brute force protections (default);

   **Type:** string

   **Supported Values:** enable, disable

   **Default:** disable

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_request-check:

request-check
^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**bot-check**
   **Description:** Check User-Agent for known bots

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**bot-check-policy-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**command-injection-check**
   **Description:** Check to protect against command injection attacks

   **Type:** string

   **Format:** enum-list

**command-injection-check-policy-file**
   **Description:** Name of WAF policy command injection list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**lifetime**
   **Description:** Session lifetime in minutes (default 10)

   **Type:** number

   **Range:** 1-1440

   **Default:** 10

**redirect-whitelist**
   **Description:** Check Redirect URL against list of previously learned redirects

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**referer-check**
   **Description:** Check referer to protect against CSRF attacks

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**referer-domain-list**
   **Description:** List of referer domains allowed

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** referer-domain-list and referer-domain-list-only are mutually exclusive

**referer-domain-list-only**
   **Description:** List of referer domains allowed

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

   **Mutual Exclusion:** referer-domain-list-only and referer-domain-list are mutually exclusive

**referer-safe-url**
   **Description:** Safe URL to redirect to if referer is missing

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 255 characters

   **Maximum Length:** 1 characters

**session-check**
   **Description:** Enable session checking via session cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**sqlia-check**
   **Description:** 'reject': Reject requests with SQLIA patterns;

   **Type:** string

   **Supported Values:** reject

**sqlia-check-policy-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**url-blacklist**
   **Description:** Specify name of WAF policy list file to blacklist

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**url-learned-list**
   **Description:** Check URL against list of previously learned URLs

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**url-whitelist**
   **Description:** Specify name of WAF policy list file to whitelist

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

**waf-blacklist-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**waf-whitelist-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**xss-check**
   **Description:** 'reject': Reject requests with bad cookies;

   **Type:** string

   **Supported Values:** reject

**xss-check-policy-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

.. _3288_cookie-security:

cookie-security
^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**allow-missing-cookie**
   **Description:** Allow requests with missing cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**allow-unrecognized-cookie**
   **Description:** Allow requests with unrecognized cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**cookie-policy**
   **Type:** List

**enable-disable-action**
   **Description:** 'enable': Enable cookie security (default); 'disable': Disable cookie security;

   **Type:** string

   **Supported Values:** enable, disable

   **Default:** enable

**set-cookie-policy**
   **Type:** List

**tamper-protection-grace-period**
   **Description:** Allow unrecognized cookies for a period of time after cookie encryption is applied (default 120 minutes)

   **Type:** number

   **Range:** 0-43200

   **Default:** 120

**tamper-protection-http-only**
   **Description:** Add HttpOnly flag to cookies not in set-cookie-policy list (default on)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 1

**tamper-protection-samesite**
   **Description:** 'none': none; 'lax': lax; 'strict': strict;

   **Type:** string

   **Supported Values:** none, lax, strict

   **Default:** none

**tamper-protection-secret**
   **Description:** Cookie encryption secret

   **Type:** string

   **Format:** password

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**tamper-protection-secret-encrypted**
   **Description:** Do NOT use this option manually. (This is an A10 reserved keyword.)
   (The ENCRYPTED secret string)

**tamper-protection-secure**
   **Description:** Add Secure flag to cookies not in set-cookie-policy list (default on)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 1

**tamper-protection-session-cookie-only**
   **Description:** Only encrypt session cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**tamper-protection-sign**
   **Description:** Sign cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

   **Mutual Exclusion:** tamper-protection-sign and tamper-protection-encrypt are mutually exclusive

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_cookie-security_set-cookie-policy:

cookie-security_set-cookie-policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**set-cookie-policy-allow**
   **Description:** Allow the cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**set-cookie-policy-disallow**
   **Description:** Block the cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**set-cookie-policy-http-only**
   **Description:** Add HttpOnly flag to cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**set-cookie-policy-name**
   **Description:** Name of cookie

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 127 characters

   **Maximum Length:** 1 characters

**set-cookie-policy-samesite**
   **Description:** 'none': none; 'lax': lax; 'strict': strict;

   **Type:** string

   **Supported Values:** none, lax, strict

**set-cookie-policy-secret**
   **Description:** Cookie encryption secret

   **Type:** string

   **Format:** password

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**set-cookie-policy-secret-encrypted**
   **Description:** Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED secret string)

**set-cookie-policy-secure**
   **Description:** Add Secure flag to cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**set-cookie-policy-sign**
   **Description:** Sign cookies

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

   **Mutual Exclusion:** set-cookie-policy-sign and set-cookie-policy-encrypt are mutually exclusive

.. _3288_cookie-security_cookie-policy:

cookie-security_cookie-policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**cookie-policy-allow**
   **Description:** Allow the cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**cookie-policy-disallow**
   **Description:** Block the cookie

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**cookie-policy-name**
   **Description:** Name of cookie

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 127 characters

   **Maximum Length:** 1 characters

.. _3288_response-cloaking:

response-cloaking
^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**filter-headers**
   **Description:** Removes web server's identifying headers

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**hide-status-codes**
   **Description:** Hides response status codes that are not allowed (default 4xx, 5xx)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**hide-status-codes-file**
   **Description:** Name of WAF policy list file

   **Type:** string

   **Maximum Length:** 128 characters

   **Maximum Length:** 1 characters

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_json-check:

json-check
^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**format-check**
   **Description:** Check HTTP body for JSON format compliance

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**max-array-values**
   **Description:** Maximum number of values in an array in a JSON request body (default 256) (Maximum number of values in a JSON array (default 256))

   **Type:** number

   **Range:** 0-4096

   **Default:** 256

**max-depth**
   **Description:** Maximum recursion depth in a value in a JSON request body (default 16) (Maximum recursion depth in a JSON value (default 16))

   **Type:** number

   **Range:** 0-4096

   **Default:** 16

**max-object-members**
   **Description:** Maximum number of members in an object in a JSON request body (default 256) (Maximum number of members in a JSON object (default 256))

   **Type:** number

   **Range:** 0-4096

   **Default:** 256

**max-string-length**
   **Description:** Maximum length of a string in a JSON request body (default 64) (Maximum length of a JSON string (default 64))

   **Type:** number

   **Range:** 0-4096

   **Default:** 64

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_http-protocol-check:

http-protocol-check
^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**allowed-headers**
   **Description:** Enable allowed-headers check (default disabled)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**allowed-headers-list**
   **Description:** Allowed HTTP headers. Default "Host Referer User-Agent Accept Accept-Encoding ..." (see docs for full list) (Allowed HTTP headers (default "Host Referer User-Agent Accept Accept-Encoding ..." (see docs for full list)))

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 1023 characters

   **Maximum Length:** 1 characters

   **Default:** Host Referer User-Agent Accept Accept-Encoding Accept-Language Accept-Language Authorization Cache-Control Content-Length

**allowed-methods**
   **Description:** Enable allowed-methods check (default disabled)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**allowed-methods-list**
   **Description:** List of allowed HTTP methods. Default is "GET POST".
   (List of HTTP methods allowed (default "GET POST"))

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 1023 characters

   **Maximum Length:** 1 characters

   **Default:** GET POST

**allowed-versions**
   **Description:** Enable allowed-versions check (default disabled)

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**allowed-versions-list**
   **Description:** List of allowed HTTP versions (default "1.0 1.1 2")

   **Type:** string

   **Format:** enum-list

   **Default:** 1.0,1.1,2

**bad-multipart-request**
   **Description:** Check for bad multipart/form-data request body

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**body-without-content-type**
   **Description:** Check for request body without Content-Type header in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**disable**
   **Description:** Disable all checks for HTTP protocol compliance

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**get-with-content**
   **Description:** Check for GET request with Content-Length headers in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**head-with-content**
   **Description:** Check for HEAD request with Content-Length headers in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**host-header-with-ip**
   **Description:** Check for Host header with IP address

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**invalid-url-encoding**
   **Description:** Check for invalid URL encoding in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**malformed-content-length**
   **Description:** Check for malformed Content-Length in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**malformed-header**
   **Description:** Check for malformed HTTP header

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**malformed-parameter**
   **Description:** Check for malformed HTTP query/POST parameter

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**malformed-request**
   **Description:** Check for malformed HTTP request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**malformed-request-line**
   **Description:** Check for malformed HTTP request line

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**missing-header-value**
   **Description:** Check for missing header value in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**missing-host-header**
   **Description:** Check for missing Host header in HTTP/1.1 request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**multiple-content-length**
   **Description:** Check for multiple Content-Length headers in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**non-ssl-cookie-prefix**
   **Description:** Check for bad __Secure- or __Host- cookie name prefixes in non-SSL request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**post-with-0-content**
   **Description:** Check for POST request with Content-Length 0

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**post-without-content**
   **Description:** Check for POST request without Content-Length/Chunked Encoding headers in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**post-without-content-type**
   **Description:** Check for POST request without Content-Type header in request

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**uuid**
   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _3288_xml-check:

xml-check
^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**disable**
   **Description:** Disable all checks for XML limit

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**format**
   **Description:** Check HTTP body for XML format compliance

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**max-attr**
   **Description:** Maximum number of attributes of an XML element (default 256)

   **Type:** number

   **Range:** 0-256

   **Default:** 256

**max-attr-name-len**
   **Description:** Maximum length of an attribute name (default 128)

   **Type:** number

   **Range:** 0-2048

   **Default:** 128

**max-attr-value-len**
   **Description:** Maximum length of an attribute text value (default 128)

   **Type:** number

   **Range:** 0-4096

   **Default:** 128

**max-cdata-len**
   **Description:** Maximum length of a CDATA section of an element (default 65535)

   **Type:** number

   **Range:** 0-65535

   **Default:** 65535

**max-elem**
   **Description:** Maximum number of XML elements (default 1024)

   **Type:** number

   **Range:** 0-8192

   **Default:** 1024

**max-elem-child**
   **Description:** Maximum number of children of an XML element (default 1024)

   **Type:** number

   **Range:** 0-4096

   **Default:** 1024

**max-elem-depth**
   **Description:** Maximum recursion level for element definition (default 256)

   **Type:** number

   **Range:** 0-4096

   **Default:** 256

**max-elem-name-len**
   **Description:** Maximum length for an element name (default 128)

   **Type:** number

   **Range:** 0-65535

   **Default:** 128

**max-entity-decl**
   **Description:** Maximum number of entity declarations (default 1024)

   **Type:** number

   **Range:** 0-1024

   **Default:** 1024

**max-entity-depth**
   **Description:** Maximum depth of entities (default 32)

   **Type:** number
**Range:** 0-32 **Default:** 32 **max-entity-exp** **Description** Maximum number of entity expansions (default 1024) **Type:** number **Range:** 0-1024 **Default:** 1024 **max-entity-exp-depth** **Description** Maximum nested depth of entity expansions (default 32) **Type:** number **Range:** 0-32 **Default:** 32 **max-namespace** **Description** Maximum number of namespace declarations (default 16) **Type:** number **Range:** 0-256 **Default:** 16 **max-namespace-uri-len** **Description** Maximum length of a namespace URI (default 256) **Type:** number **Range:** 0-1024 **Default:** 256 **sqlia** **Description** Check XML data against SQLIA policy **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **uuid** **Description** uuid of the object **Type:** string **Maximum Length:** 64 characters **Maximum Length:** 1 characters **xss** **Description** Check XML data against XSS policy **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 .. _3288_http-limit-check: http-limit-check ^^^^^^^^^^^^^^^^ =============================== =================================================== **Specification** **Value** =============================== =================================================== **Type** *object* =============================== =================================================== **disable** **Description** Disable all checks for HTTP limit **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-content-length** **Description** Max length of content (Maximum length of content allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-content-length-value** **Description** Max length of content (default 4096) (Maximum length of content allowed (default 4096)) **Type:** number **Range:** 0-2147483647 **Default:** 4096 **max-cookie-header-length** **Description** Max Cookie header length allowed in request (Maximum length of cookie header allowed) **Type:** boolean 
**Supported Values:** true, false, 1, 0 **Default:** 0 **max-cookie-header-length-value** **Description** Max Cookie header length allowed in request (default 4096) (Maximum length of cookie header allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-cookie-name-length** **Description** Max Cookie name length allowed in request (Maximum length of cookie name allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-cookie-name-length-value** **Description** Max Cookie name length allowed in request (default 64) (Maximum length of cookie name allowed (default 64)) **Type:** number **Range:** 0-65535 **Default:** 64 **max-cookie-value-length** **Description** Max Cookie value length allowed in request (Maximum length of cookie value allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-cookie-value-length-value** **Description** Max Cookie value length allowed in request (default 4096) (Maximum length of cookie value allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-cookies** **Description** Max Cookies allowed in request (Maximum number of cookie allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-cookies-length** **Description** Total Cookies length allowed in request (Maximum length of all cookies in request) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-cookies-length-value** **Description** Total Cookies length allowed in request (default 4096) (Maximum length of all cookies in request (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-cookies-value** **Description** Max Cookies allowed in request (default 20) (Maximum number of cookie allowed (default 20)) **Type:** number **Range:** 0-1023 **Default:** 20 **max-data-parse** **Description** Max data to be parsed for Web Application Firewall **Type:** boolean **Supported Values:** true, false, 
1, 0 **Default:** 0 **max-data-parse-value** **Description** Max data to be parsed for Web Application Firewall (default 262144) **Type:** number **Range:** 0-2097152 **Default:** 262144 **max-entities** **Description** Maximum number of MIME entities allowed in request **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-entities-value** **Description** Maximum number of MIME entities allowed in request (default 10) **Type:** number **Range:** 0-512 **Default:** 10 **max-header-length** **Description** Max header length allowed in request (Maximum length of header allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-header-length-value** **Description** Max header length allowed in request (default 4096) (Maximum length of header allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-header-name-length** **Description** Max header name length allowed in request (Maximum length of header name allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-header-name-length-value** **Description** Max header name length allowed in request (default 64) (Maximum length of header name allowed (default 64)) **Type:** number **Range:** 0-65535 **Default:** 64 **max-header-value-length** **Description** Max header value length allowed in request (Maximum length of header value allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-header-value-length-value** **Description** Max header value length allowed in request (default 4096) (Maximum length of header value allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-headers** **Description** Total number of headers allowed in request (Maximum number of headers in request) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-headers-length** **Description** Total headers length allowed in request (Maximum length of all 
headers in request) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-headers-length-value** **Description** Total headers length allowed in request (default 4096) (Maximum length of all headers in request (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-headers-value** **Description** Total number of headers allowed in request (default 64) (Maximum number of headers in request (default 64)) **Type:** number **Range:** 0-255 **Default:** 64 **max-param-name-length** **Description** Max query/POST parameter name length allowed in request (Maximum length of query/POST parameter names allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-param-name-length-value** **Description** Max query/POST parameter name length allowed in request (default 256) (Maximum length of query/POST parameter names allowed (default 256)) **Type:** number **Range:** 0-65535 **Default:** 256 **max-param-value-length** **Description** Max query/POST parameter value length allowed in request (Maximum length of query/POST parameter value allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-param-value-length-value** **Description** Max query/POST parameter value length allowed in request (default 4096) (Maximum length of query/POST parameter value allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-params** **Description** Total query/POST parameters allowed in request (Maximum number of query/POST parameters in request) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-params-length** **Description** Total query/POST parameters length allowed in request (Maximum length of all params in request) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-params-length-value** **Description** Total query/POST parameters length allowed in request (default 4096) (Maximum length of all params in 
request (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-params-value** **Description** Total query/POST parameters allowed in request (default 64) (Maximum number of query/POST parameters in request (default 64)) **Type:** number **Range:** 0-1024 **Default:** 64 **max-post-length** **Description** Maximum content length allowed in POST request **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-post-length-value** **Description** Maximum content length allowed in POST request (default 20480) **Type:** number **Range:** 0-2147483647 **Default:** 20480 **max-query-length** **Description** Max length of query string (Maximum length of query string allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-query-length-value** **Description** Max length of query string (default 4096) (Maximum length of query string allowed (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-request-length** **Description** Max length of request (Maximum length of request allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-request-length-value** **Description** Max length of request (default 20480) (Maximum length of request allowed (default 20480)) **Type:** number **Range:** 0-2147483647 **Default:** 20480 **max-request-line-length** **Description** Max length of request line (Maximum length of request line) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-request-line-length-value** **Description** Max length of request line (default 4096) (Maximum length of request line (default 4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **max-url-length** **Description** Max length of url (Maximum length of url allowed) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-url-length-value** **Description** Max length of url (default 4096) (Maximum length of url allowed (default 
4096)) **Type:** number **Range:** 0-65535 **Default:** 4096 **uuid** **Description** uuid of the object **Type:** string **Maximum Length:** 64 characters **Maximum Length:** 1 characters .. _3288_evasion-check: evasion-check ^^^^^^^^^^^^^ =============================== =================================================== **Specification** **Value** =============================== =================================================== **Type** *object* =============================== =================================================== **apache-whitespace** **Description** Check for whitespace characters in URL **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **decode-entities** **Description** Decode entities in internal url (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **decode-escaped-chars** **Description** Decode escaped characters such as \r \n \" \xXX \u00YY in internal url (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **decode-plus-chars** **Description** Decode '+' as space in URL (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **decode-unicode-chars** **Description** Check for evasion attempt using %u encoding of Unicode chars to bypass (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **dir-traversal** **Description** Check for directory traversal attempt (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **high-ascii-bytes** **Description** Check for evasion attempt using ASCII bytes with values **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **invalid-hex-encoding** **Description** Check for evasion attempt using invalid hex characters (not in 0-9,a-f) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **max-levels** **Description** Max levels of encoding allowed in request (default 2) **Type:** 
number **Range:** 0-64 **Default:** 2 **multiple-encoding-levels** **Description** Check for evasion attempt using multiple levels of encoding **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **multiple-slashes** **Description** Check for evasion attempt using multiple slashes/backslashes **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **remove-comments** **Description** Remove comments from internal url **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **remove-spaces** **Description** Remove spaces from internal url (default on) **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 1 **uuid** **Description** uuid of the object **Type:** string **Maximum Length:** 64 characters **Maximum Length:** 1 characters .. _3288_form-protection: form-protection ^^^^^^^^^^^^^^^ =============================== =================================================== **Specification** **Value** =============================== =================================================== **Type** *object* =============================== =================================================== **csrf-check** **Description** Tag the form to protect against Cross-site Request Forgery **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **enable-disable-action** **Description** 'enable': Enable web form protections (default); 'disable': Disable web form protections; **Type:** string **Supported Values:** enable, disable **Default:** enable **field-consistency-check** **Description** Form input consistency check **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **form-check-caching** **Description** Disable caching for response with forms **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 **form-check-non-post** **Description** Check whether POST is used for request with forms **Type:** boolean **Supported Values:** true, false, 1, 0 **Default:** 0 
**form-check-non-ssl**
    **Description** Check whether SSL is used for request with forms

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**form-check-request-non-post**
    **Description** Check whether POST is used for request with forms

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**form-check-response-non-post**
    **Description** Check whether form method POST is used for response with forms

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**form-check-response-non-post-sanitize**
    **Description** Change form method GET to POST (use with caution: make sure the server application still works)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**password-check-autocomplete**
    **Description** Check to protect against server-generated forms that contain password fields allowing autocomplete

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**password-check-non-masked**
    **Description** Check forms that have a password field with a textual type, resulting in this field not being masked

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**password-check-non-ssl**
    **Description** Check forms that have a password field if the form is not sent over an SSL connection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**uuid**
    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters
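Nearly every check object on this page (protocol compliance, http-limit-check, evasion-check, form-protection) ships with its boolean checks at ``Default: 0``, so a template created with only a ``name`` enforces none of them, and each ``-value`` attribute is only honoured when its paired boolean is on. The script below is an added example written for this page, not A10 product code or the documented client: it assembles the JSON body a client would POST to ``/axapi/v3/waf/template``, validates each value against the ``Range`` and ``Supported Values`` fields above, and reports which covered checks are still off. It runs offline. Assumed, not taken from this page: the outer ``template`` envelope, the ``http-check`` key for the protocol-compliance sub-object, and the tighter XML entity limits (64 declarations/expansions, depth 4), which are example choices within the documented ranges.

```python
"""Build and validate an AXAPI v3 WAF template body (added example, not A10 code).

Runs offline: assembles the JSON body for POST /axapi/v3/waf/template and checks
every covered value against the Range / Supported Values documented on this page.
ASSUMED names: the outer "template" envelope and the "http-check" sub-object key.
"""
import json

BOOL = ("bool",)
# (sub-object, attribute) -> constraint. Numeric bounds copied from the page's Range fields.
CONSTRAINTS = {
    ("http-check", "disable"): BOOL,                       # sub-object key assumed
    ("http-check", "allowed-versions"): BOOL,
    ("http-check", "multiple-content-length"): BOOL,
    ("http-check", "post-without-content"): BOOL,
    ("http-check", "malformed-content-length"): BOOL,
    ("http-check", "missing-host-header"): BOOL,
    ("xml-check", "format"): BOOL,
    ("xml-check", "max-entity-decl"): ("int", 0, 1024),
    ("xml-check", "max-entity-exp"): ("int", 0, 1024),
    ("xml-check", "max-entity-exp-depth"): ("int", 0, 32),
    ("xml-check", "max-elem-depth"): ("int", 0, 4096),
    ("http-limit-check", "max-content-length"): BOOL,
    ("http-limit-check", "max-content-length-value"): ("int", 0, 2147483647),
    ("http-limit-check", "max-headers"): BOOL,
    ("http-limit-check", "max-headers-value"): ("int", 0, 255),
    ("http-limit-check", "max-url-length"): BOOL,
    ("http-limit-check", "max-url-length-value"): ("int", 0, 65535),
    ("evasion-check", "multiple-encoding-levels"): BOOL,
    ("evasion-check", "max-levels"): ("int", 0, 64),
    ("form-protection", "enable-disable-action"): ("enum", ("enable", "disable")),
    ("form-protection", "csrf-check"): BOOL,
    ("form-protection", "password-check-non-ssl"): BOOL,
}
# The page lists "true, false, 1, 0" as supported boolean spellings.
BOOL_VALUES = {True, False, 1, 0, "true", "false", "1", "0"}
OFF_VALUES = (0, False, "0", "false")


def hardened_template(name: str) -> dict:
    """Body turning on the covered checks. Envelope key and tightened limits are example choices."""
    return {"template": {
        "name": name,
        "http-check": {"disable": 0, "allowed-versions": 1, "multiple-content-length": 1,
                       "post-without-content": 1, "malformed-content-length": 1,
                       "missing-host-header": 1},
        "xml-check": {"format": 1, "max-entity-decl": 64, "max-entity-exp": 64,
                      "max-entity-exp-depth": 4, "max-elem-depth": 64},
        "http-limit-check": {"max-content-length": 1, "max-content-length-value": 4096,
                             "max-headers": 1, "max-headers-value": 64,
                             "max-url-length": 1, "max-url-length-value": 4096},
        "evasion-check": {"multiple-encoding-levels": 1, "max-levels": 2},
        "form-protection": {"enable-disable-action": "enable", "csrf-check": 1,
                            "password-check-non-ssl": 1},
    }}


def validate(body: dict) -> list:
    """Return a list of problems for body["template"]; empty means all covered values are legal."""
    template = body["template"]
    problems = []
    for (obj, attr), rule in CONSTRAINTS.items():
        if obj not in template or attr not in template[obj]:
            continue  # attribute left at its documented default
        value = template[obj][attr]
        if rule[0] == "bool":
            if value not in BOOL_VALUES:
                problems.append(f"{obj}.{attr}: {value!r} is not one of true/false/1/0")
        elif rule[0] == "int":
            # bool is a subclass of int in Python; reject True/False for numeric limits
            if isinstance(value, bool) or not isinstance(value, int) or not rule[1] <= value <= rule[2]:
                problems.append(f"{obj}.{attr}: {value!r} outside range {rule[1]}-{rule[2]}")
        elif value not in rule[1]:
            problems.append(f"{obj}.{attr}: {value!r} not in {rule[1]}")
    return problems


def disabled_checks(body: dict) -> list:
    """Covered boolean checks that are absent or off. Defaults on this page are 0, so an
    attribute that is not set explicitly leaves that check disabled."""
    template = body["template"]
    off = []
    for (obj, attr), rule in CONSTRAINTS.items():
        if rule[0] == "bool" and attr != "disable":  # "disable" is a master switch, not a check
            if template.get(obj, {}).get(attr, 0) in OFF_VALUES:
                off.append(f"{obj}.{attr}")
    return off


if __name__ == "__main__":
    body = hardened_template("waf-hardened")
    print(json.dumps(body, indent=2))
    print("problems:", validate(body))
    print("still off in a name-only template:", disabled_checks({"template": {"name": "bare"}}))
```

``validate`` only covers the attributes listed in ``CONSTRAINTS``; extend the table with the remaining ``Range`` fields above before relying on it for a full template. ``disabled_checks`` is the more useful of the two for review: run it against a template exported with ``GET /axapi/v3/waf/template/{name}`` to see which documented checks the deployment never switched on.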