Manual Chapter : Removing JavaScript event listeners from parameters

Applies To:

Show Versions Show Versions

BIG-IP FPS

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
Manual Chapter

Removing JavaScript event listeners from parameters

Before you can remove JavaScript event listeners from parameters, Application Layer Encryption must be enabled on the URL or view.
You can remove JavaScript event listeners from parameters to protect sensitive data in parameters from being obtained by potential attackers.
Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on parameters, this will remove all event listeners, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
  1. On the Main tab, click
    Security
    Fraud Protection Service
    Anti-Fraud Profiles
    .
    The Anti-Fraud Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The Anti-Fraud Profile Properties screen opens.
  3. In the Anti-Fraud Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL or view on which you want to remove JavaScript event listeners.
    The URL Properties (or View Properties) screen opens.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Click
    Advanced
    and select the
    Enabled
    check box for the
    Remove Event Listeners
    setting.
  7. In the URL Configuration (or View Configuration) area, select
    Parameters
    .
    The Parameters list is displayed.
  8. Click the
    Add
    button.
    The Parameter Settings screen opens.
  9. In the
    Parameter Name
    field, choose one of the following types for the parameter name:
    • Explicit
      : Assign a specific parameter name.
    • Wildcard
      : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
  10. In the Application Layer Encryption section, select the
    Obfuscate
    check box or the
    Substitute Value
    check box.
    If you assign the
    Substitute Value
    attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  11. Click
    Create
    .
    The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  12. Repeat steps 8-11 for every parameter on which you want to remove JavaScript event listeners.
  13. Click
    Save
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.