Configuring an HTTP Protocol Constraint policy
The HTTP Protocol Constraint policy includes the following rules:
URI length—Limit the HTTP URI length to prevent several types of attacks, such as buffer overflow and denial of service.
HTTP request methods—Restrict HTTP methods allowed in HTTP requests. For example, do not allow the PUT method in HTTP requests to prevent attackers from uploading malicious files.
HTTP response codes—Drop response traffic containing HTTP response codes that might contain information attackers can use to craft attacks. For example, some HTTP response codes include fingerprint data like web server version, database version, OS, and so on.
Table 57 describes the predefined policies.
Table 57: Predefined HTTP protocol constraint policies
Predefined Rules | Description
High-Level-Security | Maximum URI length is 2048 characters. Action is set to deny. Severity is set to high.
Medium-Level-Security | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to medium.
Alert-Only | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to low.
If desired, you can create user-defined rules to filter requests that use disallowed HTTP request methods or to drop responses that carry specified server response codes.
Before you begin:
You should have a sense of legitimate URI lengths and HTTP request methods for the destination resources.
You should know whether your servers include application fingerprint information in HTTP response codes.
You must have Read-Write permission for Security settings.
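The two "you should know" items above are answered from your own access logs. The script below is an added example, not part of the product or this documentation: it reads Common Log Format entries (the log lines here are constructed samples), reports the request methods seen, the longest URI, and any 4xx/5xx status codes the servers returned, then turns that baseline into candidate values for the policy. The allowed-method set and the factor-of-two headroom over the longest observed URI are assumptions for the example, not product defaults.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 302 0
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=firewall&page=2&sort=date HTTP/1.1" 200 5120
10.0.0.8 - - [10/Oct/2023:13:55:39 +0000] "OPTIONS /api/ HTTP/1.1" 204 0
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /missing HTTP/1.1" 404 512
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "PUT /api/item/7 HTTP/1.1" 405 0
"""

# Request line and status code of a CLF entry: "METHOD URI HTTP/x.y" STATUS
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def summarize(log_text):
    """Collect what the policy needs: methods seen, longest URI, 4xx/5xx codes seen."""
    methods, statuses = Counter(), Counter()
    max_uri = 0
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:  # skip lines that are not well-formed CLF entries
            continue
        methods[m["method"]] += 1
        statuses[int(m["status"])] += 1
        max_uri = max(max_uri, len(m["uri"]))
    return {
        "methods": dict(methods),
        "max_uri_length": max_uri,
        "error_codes": sorted(s for s in statuses if 400 <= s <= 599),
    }


def suggest_rules(summary, allowed_methods=frozenset({"GET", "HEAD", "POST", "OPTIONS"})):
    """Turn the baseline into candidate policy values for review.

    Assumptions for this example: twice the longest observed URI is enough
    headroom, clamped to the product's valid range of 1-8192; any method
    outside allowed_methods is a candidate for a Request Method Rule.
    """
    uri_limit = min(8192, max(1, summary["max_uri_length"] * 2))
    unexpected = sorted(set(summary["methods"]) - allowed_methods)
    return {
        "max_uri_length": uri_limit,
        "methods_to_block": unexpected,
        "response_codes_seen": summary["error_codes"],
    }


if __name__ == "__main__":
    baseline = summarize(SAMPLE_LOG)
    print(baseline)
    print(suggest_rules(baseline))
```

Run it against a day or more of real logs rather than the sample, and treat the output as a starting point: the URI limit should cover legitimate long query strings, and a method that appears only in rejected (405) requests is a reasonable candidate for a deny rule.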
To configure an HTTP Protocol Constraint policy:
1. Go to Security > Web Application Firewall.
2. Click the HTTP Protocol Constraint tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 58.
5. Save the configuration.
 
Table 58: HTTP Protocol Constraint configuration
Settings | Guidelines
Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.
Maximum URI Length
  Length | Maximum characters in an HTTP request URI. The default is 2048. The valid range is 1-8192.
  Action | Alert—Allow the traffic and log the event. Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event. The default is alert.
  Severity | High—Log as high severity events. Medium—Log as medium severity events. Low—Log as low severity events. The default is low.
Request Method Rule
  Method | Select one or more methods to match in the HTTP request line: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, Others. Note: The first 8 methods are described in RFC 2616. Others matches less commonly used HTTP methods defined by the Web Distributed Authoring and Versioning (WebDAV) extensions.
  Action | Alert—Allow the traffic and log the event. Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event. The default is alert.
  Severity | High—Log as high severity events. Medium—Log as medium severity events. Low—Log as low severity events. The default is low.
Response Code Rule
  Minimum Status Code / Maximum Status Code | Start/end of a range of status codes to match. You can specify codes 400 to 599.
  Action | Alert—Allow the traffic and log the event. Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event. The default is alert.
  Severity | High—Log as high severity events. Medium—Log as medium severity events. Low—Log as low severity events. The default is low.
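To make the semantics of the three rule types and the two actions concrete, the following is an added reference model written for this page; it is not the product's code, and the class names, the event tuple format and the evaluate_* functions are assumptions made for the example. It encodes the behaviour the tables state: the URI length rule fires when the request URI exceeds the configured length (default 2048, valid 1-8192), the method rule matches the listed RFC 2616 methods individually and everything else through Others, the response code rule matches a range inside 400-599, Alert lets the traffic through and logs the event, and Deny logs the event and answers the client with 403 Forbidden. The three predefined policies of Table 57 are included as constants.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALERT, DENY = "alert", "deny"

# The eight methods the Method selector lists individually (RFC 2616);
# anything not in this set is what the "Others" option matches.
RFC2616_METHODS = {"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}


@dataclass
class UriLengthRule:
    length: int = 2048        # default 2048, valid range 1-8192
    action: str = ALERT
    severity: str = "low"

    def __post_init__(self):
        if not 1 <= self.length <= 8192:
            raise ValueError("Maximum URI Length must be within 1-8192")


@dataclass
class MethodRule:
    methods: Set[str]         # e.g. {"PUT", "TRACE"} or {"Others"}
    action: str = ALERT
    severity: str = "low"

    def matches(self, method: str) -> bool:
        if method in self.methods:
            return True
        return "Others" in self.methods and method not in RFC2616_METHODS


@dataclass
class StatusCodeRule:
    min_code: int
    max_code: int
    action: str = ALERT
    severity: str = "low"

    def __post_init__(self):
        if not 400 <= self.min_code <= self.max_code <= 599:
            raise ValueError("status code range must lie within 400-599")


@dataclass
class Verdict:
    allowed: bool
    client_status: Optional[int]   # 403 when denied; the server's status for an allowed response
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # (rule, severity, action)


def _apply(events, denied, rule_name, rule):
    # Both actions log an event; only Deny blocks.
    events.append((rule_name, rule.severity, rule.action))
    return denied or rule.action == DENY


def evaluate_request(method: str, uri: str, uri_rule: Optional[UriLengthRule] = None,
                     method_rules: Tuple[MethodRule, ...] = ()) -> Verdict:
    """Apply the URI length rule and any request method rules to one request."""
    events, denied = [], False
    if uri_rule is not None and len(uri) > uri_rule.length:
        denied = _apply(events, denied, "uri_length", uri_rule)
    for rule in method_rules:
        if rule.matches(method):
            denied = _apply(events, denied, "request_method", rule)
    return Verdict(not denied, 403 if denied else None, events)


def evaluate_response(status: int, code_rules: Tuple[StatusCodeRule, ...] = ()) -> Verdict:
    """Apply response code rules; Deny replaces the server's response with a 403."""
    events, denied = [], False
    for rule in code_rules:
        if rule.min_code <= status <= rule.max_code:
            denied = _apply(events, denied, "response_code", rule)
    return Verdict(not denied, 403 if denied else status, events)


# Table 57's predefined policies expressed as URI length rules.
HIGH_LEVEL_SECURITY = UriLengthRule(length=2048, action=DENY, severity="high")
MEDIUM_LEVEL_SECURITY = UriLengthRule(length=2048, action=ALERT, severity="medium")
ALERT_ONLY = UriLengthRule(length=2048, action=ALERT, severity="low")

if __name__ == "__main__":
    print(evaluate_request("GET", "/" + "a" * 2048, HIGH_LEVEL_SECURITY))
    print(evaluate_request("PROPFIND", "/docs/", method_rules=(MethodRule({"Others"}, DENY),)))
    print(evaluate_response(500, (StatusCodeRule(500, 599, severity="medium"),)))
```

The model makes one point visible that the tables leave implicit: with Medium-Level-Security or Alert-Only, an over-long URI still reaches the server and only produces a log entry, so those profiles are monitoring modes, not protection. Use them to confirm the baseline before switching a rule's action to deny.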