Manual Chapter: Removing JavaScript event listeners from parameters
Applies To: BIG-IP FPS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
Before you can remove JavaScript event listeners from parameters, Application Layer
Encryption must be enabled on the URL or view.
You can remove JavaScript event listeners from parameters to protect sensitive data in those parameters from being obtained by potential attackers.
Some web applications add non-malicious event listeners that improve functionality. If you activate removal of event listeners on parameters, all event listeners are removed, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
1. On the Main tab, click. The Anti-Fraud Profiles screen opens.
2. From the list of profiles, select the relevant profile. The Anti-Fraud Profile Properties screen opens.
3. In the Anti-Fraud Configuration area, click URL List. The URL List opens.
4. Select the URL or view on which you want to remove JavaScript event listeners. The URL Properties (or View Properties) screen opens.
5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption. The Application Layer Encryption settings are displayed.
6. Click Advanced and select the Enabled check box for the Remove Event Listeners setting.
7. In the URL Configuration (or View Configuration) area, select Parameters. The Parameters list is displayed.
8. Click the Add button. The Parameter Settings screen opens.
9. In the Parameter Name field, choose one of the following types for the parameter name:
   - Explicit: Assign a specific parameter name.
   - Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
10. In the Application Layer Encryption section, select the Obfuscate check box or the Substitute Value check box. If you assign the Substitute Value attribute to a password parameter, the web browser's auto-complete feature for passwords does not work on this parameter.
11. Click Create. The parameter settings are saved and the URL Properties (or View Properties) screen appears.
12. Repeat steps 8-11 for every parameter on which you want to remove JavaScript event listeners.
13. Click Save in the URL/View Properties screen. The configuration settings for the URL or view are saved.
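
Because removal also strips the non-malicious listeners the application itself adds, it helps to inventory those listeners before enabling the setting. The following JavaScript is an added example, not F5 code and not part of the original manual: it records listeners registered on named form fields and filters them against a configured parameter list. The function names, the `FakeInput` stand-in and the sample field names are hypothetical, and treating `*` as "any run of characters" is an assumption about the wildcard syntax.

```javascript
// Added example, not F5 code: inventory the listeners a page registers on
// form fields so you know what "Remove Event Listeners" would strip.
// In a browser, call installListenerAudit() before application scripts run.

// Wrap addEventListener on a prototype and record every registration made
// on an object that has a non-empty `name` (form fields do).
function installListenerAudit(proto = EventTarget.prototype) {
  const records = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (typeof this.name === "string" && this.name !== "") {
      records.push({ param: this.name, type });
    }
    return original.call(this, type, listener, options);
  };
  // restore() puts the original method back once the audit is done.
  return { records, restore: () => { proto.addEventListener = original; } };
}

// Assumption: "*" in a wildcard parameter name matches any run of characters;
// every other character is compared literally.
function matchesParameter(pattern, name) {
  const escaped = pattern.split("*").map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$").test(name);
}

// Listeners that would be removed: those on fields whose name matches a
// configured parameter (explicit name or wildcard expression).
function listenersAtRisk(records, configuredParams) {
  return records.filter((r) => configuredParams.some((p) => matchesParameter(p, r.param)));
}

// Constructed stand-in for <input name="..."> so the example runs in Node.
class FakeInput extends EventTarget {
  constructor(name) { super(); this.name = name; }
}

function demo() {
  const audit = installListenerAudit();
  new FakeInput("password").addEventListener("input", () => {});   // e.g. strength meter
  new FakeInput("card_number").addEventListener("blur", () => {}); // e.g. format check
  new FakeInput("search").addEventListener("keyup", () => {});     // e.g. autosuggest
  audit.restore();
  return listenersAtRisk(audit.records, ["password", "card_*"]);
}

console.log(demo());
```

Each record returned names a field and an event type whose handler the application would lose on a protected parameter; review those features before enabling the setting.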