Manual Chapter : Defining URLs in the profile

Applies To:

BIG-IP FPS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0

Define URLs in your anti-fraud profile to ensure proper protection of your web site.
If you are creating a mobile security anti-fraud profile, the instructions in this section are not relevant.
  1. On the Main tab, click Security > Fraud Protection Service > Anti-Fraud Profiles.
    The Anti-Fraud Profiles screen opens.
  2. From the list of profiles, select the profile on which you want to define a URL.
    The Anti-Fraud Profile Properties screen opens.
  3. In the Anti-Fraud Configuration area, click URL List.
    The URL List opens.
  4. Click the Add URL button.
    The Create New URL screen opens.
  5. In the URL Path field, choose one of the following types for the URL path:
    • Explicit: Assign a specific URL path.
    • Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression /* specifies that any URL is allowed.
    All URLs must start with a slash (/), for both Explicit and Wildcard types.
    1. If you chose Explicit, type the URL path.
    2. If you chose Wildcard, type the wildcard expression URL and, if you want it to include a query string, select the Include Query String check box.
      The syntax for wildcard entities is based on shell-style wildcard characters. The following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.
      Regular expressions should not be used in Wildcard URLs.
  6. For Application Type, ensure that Web is selected (selected by default).
  7. Click Advanced.
  8. If you want the FPS Main JavaScript to run on the web page of the URL, select the Enabled check box for Inject Main JavaScript (selected by default).
    When this setting is enabled, the FPS Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
    • The FPS Main JavaScript protects web applications with the content types text/html and application/xhtml+xml. If your web application is based on a different content type, you cannot apply the FPS Main JavaScript protection on it.
    • Inject Main JavaScript can be disabled for web pages that do not require fraud protection and only receive data from a protected page.
    • If Malware Detection and Phishing Detection are enabled on the URL and then Inject Main JavaScript is disabled, Malware Detection and Phishing Detection will also be disabled but Request Signatures are still active.
  9. If you want to change the default location where the FPS Main JavaScript is injected in the URL's web page, at Location of Main JavaScript Injection, do the following:
    • Select a position for the Main JavaScript (either before or after the tag you define).
    • In the Tag field, type the tag for determining where the Main JavaScript is placed.
    The FPS Main JavaScript must be injected into the web page HTML before the CSS Element.
  10. If you want to change the default location of the Disabled JavaScript Detection Tag, at Location of Disabled JavaScript Detection Tag, do the following:
    • Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define).
    • In the Tag field, type the tag for determining where the Disabled JavaScript Detection Tag is placed.
    The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser.
    • For Internet Explorer browsers 9.0 and later versions, Disabled JavaScript Detection is not supported if the content type of your web application response is xhtml.
    • For web browsers other than Internet Explorer, if the content type of your web application response is xhtml, you must use the default settings After and body.
  11. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  12. Click Create to save your initial URL settings.
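
The wildcard syntax from step 5, as an added example that is not part of the F5 manual or of BIG-IP itself: an offline checker that shows which URL paths a wildcard expression would cover before you enter it in the profile. It assumes whole-path, case-sensitive matching with * also spanning slashes, and it ignores query strings; the function names and sample paths are constructed for illustration.

```python
import re

def wildcard_to_regex(expr):
    """Compile a wildcard URL expression (syntax from the table in step 5).
    Assumption: the whole path must match, case-sensitively."""
    if not expr.startswith("/"):
        raise ValueError("URL paths must start with a slash (/)")
    out, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            out.append(re.escape(expr[i + 1]))    # \x means a literal x
            i += 2
        elif c == "*":
            out.append(".*")                      # all characters
            i += 1
        elif c == "?":
            out.append(".")                       # any single character
            i += 1
        else:
            neg = c == "[" and expr[i + 1:i + 2] == "!"
            start = i + (2 if neg else 1)
            j = expr.find("]", start + 1) if c == "[" else -1
            if j != -1:                           # [abc], [a-e], [!abc], [!a-e]
                body = re.sub(r"([\\^\[])", r"\\\1", expr[start:j])
                out.append("[" + ("^" if neg else "") + body + "]")
                i = j + 1
            else:                                 # ordinary character or unclosed [
                out.append(re.escape(c))
                i += 1
    return re.compile("".join(out), re.DOTALL)

def coverage(expr, paths):
    """Split paths into (matched, unmatched) for one wildcard expression."""
    rx = wildcard_to_regex(expr)
    hit = [p for p in paths if rx.fullmatch(p)]
    return hit, [p for p in paths if p not in hit]

# Constructed sample paths, not taken from any real application.
SAMPLE_PATHS = ["/login.php", "/app/v2/transfer", "/app/v4/transfer",
                "/page1.html", "/page12.html", "/files/*.txt", "/files/a.txt"]

if __name__ == "__main__":
    for expr in ["/*", "/app/v[1-3]/*", "/app/v[!1-3]/*", "/page?.html",
                 r"/files/\*.txt"]:
        hit, miss = coverage(expr, SAMPLE_PATHS)
        print(f"{expr!r}: matches {hit}; does not match {miss}")
```

Paths reported as unmatched would not be covered by that URL entry, so compare the output against the pages that need fraud protection before saving the profile.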