Applies To:Show Versions
Configuring HTTP Headers that Require Special
About default HTTP
This wildcard HTTP header checks signatures against all requests unless they match another HTTP header. No normalization settings are selected by default, but you can edit them. Realize that enabling normalization on the wildcard header may impact performance. The
Mandatorycheck boxes are unavailable for this header.
When requests have referer headers, they include URLs. The system checks signatures against them, performs URL normalization, and validates the URL syntax. Violations are issued if problems are encountered during normalization. The other settings are not typically relevant for this header.
Cookies have their own process for normalization and attack signature check and so the cookie as a header is always excluded from the normalization and attack signature check. You cannot change the settings, but you can configure the settings of a specific cookie by clicking the
Although the user name may be encoded as Base64, the Base64 decoding is always off for this header; the reason for this is that the user name (and password) are only part of the Authorization header value. ASM™ detects what and when to decode, so the generic Base64 setting should always be off. Therefore, the
Base64 Decodingcheck box is unavailable for this header. Realize that enabling normalization on the authorization header may impact performance.
Overview: Configuring HTTP headers
- Mandatory headers
- Headers that require Base64 decoding
- Headers to exclude from signature checks
- Headers that need to be normalized
- On the Main tab, click.The HTTP Headers screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Header screen opens.
- From theNamelist, select a standard HTTP header name type or selectCustomand type the custom header name that appears in requests.
- If you want this to be a header that is required in every request, select theMandatorycheck box.If a request does not include this header, theMandatory HTTP header is missingviolation occurs (if set to alarm or block).
- If you want the security policy to check this header against attack signatures, select theCheck Attack Signaturescheck box. Otherwise, this header is excluded from signature checks.If the check box is selected, the screen displays additional settings for header normalization and the Attack Signatures tab.
- If this is a custom header that may include base64 encoding, select theBase64 Decodingcheck box.When this check box is selected, the optionsPercent Decoding,Url Normalization, andNormalization Violationsare unavailable because they are not compatible with Base64 decoding.The system performs decoding on the header and if decoding fails, the Illegal Base64 Value violation occurs (if set to alarm or block).
- If you want to normalize this header, select the options you need.OptionDescriptionPercent DecodingThis option normalizes referer headers or custom headers that may include strings with encoded percent codes (%xx) that replace certain characters, perform unescaping, and require other checks. This is included in URL normalization and thus is not available when checking the URL Normalization option.Url NormalizationThis option normalizes URLs in referer headers or custom headers that may include URLs with multiple slashes, directory traversal, or which require backslash replacement or path parameter removal. Includes percent decoding also.HTML NormalizationThis option removes non-printable characters, comment delimiters, HTML, hex, and decimal codes, and other HTML extras.
- If you want evasion violations to be issued in case of problems while normalizing the header, select theEvasion Techniques Violationscheck box.This check box is only available if usingPercent DecodingorUrl Normalization.
- If the attack signatures included in the security policy apply differently to this HTTP header, you can adjust them on the Attack Signatures tab.
The most common action you perform here is to disable an attack signature for a specific URL.Overridden attack signatures are preceded with a yellow alert triangle in the attack signature list, and you can filter the list to view them.
- Ensure thatCheck Attack Signaturesis selected.
- From theGlobal Security Policy Settingslist, move any attack signatures whose global settings you want to override into theOverridden Security Policy Settingsand adjust the state as needed (fromEnabledtoDisabledor vice versa).
- ClickCreate.The HTTP Headers screen opens and lists the new header.
Configuring the maximum HTTP header length
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary opens.
- From the list, selectAdvanced.
- For theMaximum HTTP Header Lengthsetting, select one of the options.OptionDescriptionAnySpecifies that the system accepts requests with HTTP headers of any length.Lengthwith a value in bytesSpecifies that the system accepts HTTP headers up to that length. The default maximum length is8192bytes.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.