Applies To:Show Versions
- 14.1.3, 14.1.2, 14.1.0
Creating Security Policies for AJAX Applications
Application security for applications that use AJAX
Overview: Creating a security policy for applications that use AJAX
Creating a simple security policy
- On the Main tab, click.The Policies List screen opens.
- ClickCreate New Policy.You only see this button when no policy is selected.
- In thePolicy Namefield, type a name for the policy.
- LeavePolicy Type, set toSecurity.
- ForPolicy Template, selectFundamental.
- ForVirtual Server, clickConfigure new virtual serverto specify where to direct application requests.
- ForWhat type of protocol does your application use?, selectHTTP,HTTPS, or both.
- In theVirtual Server Namefield, type a unique name.
- In theHTTP Virtual Server Destinationfield, type the address in IPv4 (10.0.0.1) or IPv6 (2001:ed8:77b5:2:10:10:100:42/64) format, and specify the service port.If you want multiple IP addresses to be directed here, use theNetworksetting.
- In the HTTP Pool Member setting, specify the addresses of the back-end application servers.
- From theLogging Profilelist, select a profile such asLog illegal requeststo determine which events are logged on the system.
- In the upper right corner, clickAdvanced.You can use default values for the Advanced settings but it's a good idea to take a look at them.
- If you selectedFundamentalorComprehensivefor thePolicy Template,Learning Modeis set toAutomaticandEnforcement Modeis set toBlocking.If you need to change these values, set application language to a value other thanAuto detect.
- If you know theApplication Language, select it or useUnicode (utf-8).
- To add specific protections (enforcing additional attack signatures) to the policy, forServer Technologies, select the technologies that apply to the back-end application servers.
- You can configure trusted IP addresses that you want the security policy to consider safe.
- ClickCreate Policyto create the security policy.
Overview: Adding AJAX blocking and login response behavior
- Microsoft ASP.NET
blocking response for AJAX applications
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Click theAJAX Response Pagetab.
- For theDefault Response Page actionsetting, select the type of response you want the application user to receive when they are blocked from the application:
- Custom Responselets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then clickShowto preview the response.
- Popup messagedisplays text in a popup window (default text is included).
- Redirect URLredirects the user to the URL you specify. You can also include the support ID. For example:http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>.
- For theLogin Page Response action, select the type of response (types are the same as for default response page in Step 5).
- To put the security policy changes into effect immediately, clickApply Policy.