Manual Chapter : Configuring HTTP Headers that Require Special Treatment
Applies To:Show Versions
- 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Configuring HTTP Headers that Require Special
mandatory headeris a header that must appear in a request for the request to be considered legal by the system. If a request does not contain the mandatory header and the
Mandatory HTTP header is missingviolation is set to alarm or block, the system logs or blocks the request. This violation is not set to alarm or block by default, so you have to set the blocking policy if you want to alarm or block requests that do not include a mandatory header.
You can use mandatory headers to make sure, for example, that requests are passing a proxy (which introduces such a header) before they reach the Application Security Manager.
You configure mandatory headers on the HTTP Headers screen.
Header normalizationis a process whereby the Application Security Manager buffers the contents of request headers to change them into a standard format that can be more easily checked for discrepancies. Normalizing deals with special characters (such as percent encoding), non-ASCII text, URL paths and parameters, Base64 encoded binary content, non-printable characters, HTML codes, and many other formats that may be used in headers that could potentially hide malicious code.
Not all headers need to be normalized. You should normalize referer headers, and custom headers containing binary data, URLs, or other encoded information. But there is a performance trade-off when using normalization, so you should implement it only when needed.
You configure header normalization on the HTTP Headers screen when you select the option to check signatures for the header.
About default HTTP
Application Security Manager (ASM) includes the default HTTP headers listed in the table.
This wildcard HTTP header checks signatures against all requests unless they match another HTTP header. No normalization settings are selected by default, but you can edit them. Realize that enabling normalization on the wildcard header may impact performance. The
Mandatorycheck boxes are unavailable for this header.
When requests have referer headers, they include URLs. The system checks signatures against them, performs URL normalization, and validates the URL syntax. Violations are issued if problems are encountered during normalization. The other settings are not typically relevant for this header.
Cookies have their own process for normalization and attack signature check and so the cookie as a header is always excluded from the normalization and attack signature check. You cannot change the settings, but you can configure the settings of a specific cookie by clicking the
Although the user name may be encoded as Base64, the Base64 decoding is always off for this header; the reason for this is that the user name (and password) are only part of the Authorization header value. ASM™ detects what and when to decode, so the generic Base64 setting should always be off. Therefore, the
Base64 Decodingcheck box is unavailable for this header. Realize that enabling normalization on the authorization header may impact performance.
You cannot delete any of the default HTTP headers.
Overview: Configuring HTTP headers
This is an advanced task not required in all environments.
Application Security Manager™ (ASM) lets you configure custom headers that deserve special treatment in your security policy. You can add these types of headers:
- Mandatory headers
- Headers that require Base64 decoding
- Headers to exclude from signature checks
- Headers that need to be normalized
The security policy can recognize requests with these headers and handles them with special consideration. For example, if your application uses custom headers that must occur in every request, you can configure mandatory headers in the security policy. Or, if some request headers include binary content encoded in Base64, you can instruct ASM™ to decode the data and examine it for discrepancies.
You can also specify many different options to normalize an HTTP header for which you want to check signatures.
You add HTTP headers to a security policy when you need to define certain headers that require special treatment when found in requests. For example, if you are receiving false positives for a certain type of header, you can create the header and exclude it from signature checks.
- On the Main tab, click.The HTTP Headers screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Header screen opens.
- From theNamelist, select a standard HTTP header name type or selectCustomand type the custom header name that appears in requests.
- If you want this to be a header that is required in every request, select theMandatorycheck box.If a request does not include this header, theMandatory HTTP header is missingviolation occurs (if set to alarm or block).
- If you want the security policy to check this header against attack signatures, select theCheck Attack Signaturescheck box. Otherwise, this header is excluded from signature checks.If the check box is selected, the screen displays additional settings for header normalization and the Attack Signatures tab.
- If this is a custom header that may include base64 encoding, select theBase64 Decodingcheck box.When this check box is selected, the optionsPercent Decoding,Url Normalization, andNormalization Violationsare unavailable because they are not compatible with Base64 decoding.The system performs decoding on the header and if decoding fails, the Illegal Base64 Value violation occurs (if set to alarm or block).
- If you want to normalize this header, select the options you need.OptionDescriptionPercent DecodingThis option normalizes referer headers or custom headers that may include strings with encoded percent codes (%xx) that replace certain characters, perform unescaping, and require other checks. This is included in URL normalization and thus is not available when checking the URL Normalization option.Url NormalizationThis option normalizes URLs in referer headers or custom headers that may include URLs with multiple slashes, directory traversal, or which require backslash replacement or path parameter removal. Includes percent decoding also.HTML NormalizationThis option removes non-printable characters, comment delimiters, HTML, hex, and decimal codes, and other HTML extras.
- If you want evasion violations to be issued in case of problems while normalizing the header, select theEvasion Techniques Violationscheck box.This check box is only available if usingPercent DecodingorUrl Normalization.
- If the attack signatures included in the security policy apply differently to this HTTP header, you can adjust them on the Attack Signatures tab.
The most common action you perform here is to disable an attack signature for a specific URL.Overridden attack signatures are preceded with a yellow alert triangle in the attack signature list, and you can filter the list to view them.
- Ensure thatCheck Attack Signaturesis selected.
- From theGlobal Security Policy Settingslist, move any attack signatures whose global settings you want to override into theOverridden Security Policy Settingsand adjust the state as needed (fromEnabledtoDisabledor vice versa).
- ClickCreate.The HTTP Headers screen opens and lists the new header.
When ASM receives a request with the type of header you created, the system performs the special considerations indicated in the HTTP header.
Configuring the maximum HTTP header length
You specify a maximum HTTP header length so that the system knows the acceptable maximum length for the HTTP header in an incoming request. This setting is useful primarily in preventing buffer overflow attacks.
- On the Main tab, click.The Policies List screen opens.
- Click the name of the security policy you want to work on.The Policy Summary opens.
- From the list, selectAdvanced.
- For theMaximum HTTP Header Lengthsetting, select one of the options.OptionDescriptionAnySpecifies that the system accepts requests with HTTP headers of any length.Lengthwith a value in bytesSpecifies that the system accepts HTTP headers up to that length. The default maximum length is8192bytes.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.
When Application Security Manager™ receives requests, the system checks the header to see if it matches any of the HTTP headers other than the wildcard header. If the request header matches one of the headers, the system performs the configured options for that header.
You can review suggestions related to violations that occur on the Traffic Learning screen. HTTP header violations are listed under Evasion Techniques in the section Evasion Techniques Detected in Headers. You can examine the requests to see if they are legitimate or false positives. If they are false positives, you can consider turning off evasion violations or normalization for the header. You can drill down and view the headers causing violations. If a header violation is a false positive, you can also disable normalization from the Evasion Techniques Detected in Headers screen.
If signature violations occur in the header, the system suggests disabling the signature that cause the violation, or disabling the signature check for that header. If a header declared mandatory is missing, the system suggests disabling the violation or making the missing header non-mandatory.
If the Base64 violation occurs in the header, the system suggests disabling the violation or disabling the Base64 decoding for that header.