Manual Chapter : Configuring HTTP Headers that Require Special Treatment

Applies To:

Show Versions Show Versions


  • 17.0.0
Manual Chapter

Configuring HTTP Headers that Require Special Treatment

About mandatory headers

mandatory header
is a header that must appear in a request for the request to be considered legal by the system. If a request does not contain the mandatory header and the
Mandatory HTTP header is missing
violation is set to alarm or block, the system logs or blocks the request. This violation is not set to alarm or block by default, so you have to set the blocking policy if you want to alarm or block requests that do not include a mandatory header.
You can use mandatory headers to make sure, for example, that requests are passing a proxy (which introduces such a header) before they reach the Application Security Manager.
You configure mandatory headers on the HTTP Headers screen.

About header normalization

Header normalization
is a process whereby the Application Security Manager buffers the contents of request headers to change them into a standard format that can be more easily checked for discrepancies. Normalizing deals with special characters (such as percent encoding), non-ASCII text, URL paths and parameters, Base64 encoded binary content, non-printable characters, HTML codes, and many other formats that may be used in headers that could potentially hide malicious code.
Not all headers need to be normalized. You should normalize referer headers, and custom headers containing binary data, URLs, or other encoded information. But there is a performance trade-off when using normalization, so you should implement it only when needed.
You configure header normalization on the HTTP Headers screen when you select the option to check signatures for the header.

About default HTTP headers

Application Security Manager (ASM) includes the default HTTP headers listed in the table.
Header Name
* (wildcard)
This wildcard HTTP header checks signatures against all requests unless they match another HTTP header. No normalization settings are selected by default, but you can edit them. Realize that enabling normalization on the wildcard header may impact performance. The
Base64 Decoding
check boxes are unavailable for this header.
When requests have referer headers, they include URLs. The system checks signatures against them, performs URL normalization, and validates the URL syntax. Violations are issued if problems are encountered during normalization. The other settings are not typically relevant for this header.
Cookies have their own process for normalization and attack signature check and so the cookie as a header is always excluded from the normalization and attack signature check. You cannot change the settings, but you can configure the settings of a specific cookie by clicking the
Cookie configuration
Although the user name may be encoded as Base64, the Base64 decoding is always off for this header; the reason for this is that the user name (and password) are only part of the Authorization header value. ASM detects what and when to decode, so the generic Base64 setting should always be off. Therefore, the
Base64 Decoding
check box is unavailable for this header. Realize that enabling normalization on the authorization header may impact performance.
You cannot delete any of the default HTTP headers.

Overview: Configuring HTTP headers

This is an advanced task not required in all environments.
Application Security Manager (ASM) lets you configure custom headers that deserve special treatment in your security policy. You can add these types of headers:
  • Mandatory headers
  • Headers that require Base64 decoding
  • Headers to exclude from signature checks
  • Headers that need to be normalized
The security policy can recognize requests with these headers and handles them with special consideration. For example, if your application uses custom headers that must occur in every request, you can configure mandatory headers in the security policy. Or, if some request headers include binary content encoded in Base64, you can instruct ASM to decode the data and examine it for discrepancies.
You can also specify many different options to normalize an HTTP header for which you want to check signatures.

Configuring HTTP headers

You add HTTP headers to a security policy when you need to define certain headers that require special treatment when found in requests. For example, if you are receiving false positives for a certain type of header, you can create the header and exclude it from signature checks.
  1. On the Main tab, click
    Application Security
    HTTP Headers
    The HTTP Headers screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click
    The New Header screen opens.
  4. From the
    list, select a standard HTTP header name type or select
    and type the custom header name that appears in requests.
  5. If you want this to be a header that is required in every request, select the
    check box.
    If a request does not include this header, the
    Mandatory HTTP header is missing
    violation occurs (if set to alarm or block).
  6. If you want the security policy to check this header against attack signatures, select the
    Check Attack Signatures
    check box. Otherwise, this header is excluded from signature checks.
    If the check box is selected, the screen displays additional settings for header normalization and the Attack Signatures tab.
  7. If this is a custom header that may include base64 encoding, select the
    Base64 Decoding
    check box.
    When this check box is selected, the options
    Percent Decoding
    Url Normalization
    , and
    Normalization Violations
    are unavailable because they are not compatible with Base64 decoding.
    The system performs decoding on the header and if decoding fails, the Illegal Base64 Value violation occurs (if set to alarm or block).
  8. If you want to normalize this header, select the options you need.
    Percent Decoding
    This option normalizes referer headers or custom headers that may include strings with encoded percent codes (%xx) that replace certain characters, perform unescaping, and require other checks. This is included in URL normalization and thus is not available when checking the URL Normalization option.
    Url Normalization
    This option normalizes URLs in referer headers or custom headers that may include URLs with multiple slashes, directory traversal, or which require backslash replacement or path parameter removal. Includes percent decoding also.
    HTML Normalization
    This option removes non-printable characters, comment delimiters, HTML, hex, and decimal codes, and other HTML extras.
  9. If you want evasion violations to be issued in case of problems while normalizing the header, select the
    Evasion Techniques Violations
    check box.
    This check box is only available if using
    Percent Decoding
    Url Normalization
  10. If the attack signatures included in the security policy apply differently to this HTTP header, you can adjust them on the Attack Signatures tab.
    1. Ensure that
      Check Attack Signatures
      is selected.
    2. From the
      Global Security Policy Settings
      list, move any attack signatures whose global settings you want to override into the
      Overridden Security Policy Settings
      and adjust the state as needed (from
      or vice versa).
    The most common action you perform here is to disable an attack signature for a specific URL.
    Overridden attack signatures are preceded with a yellow alert triangle in the attack signature list, and you can filter the list to view them.
  11. Click
    The HTTP Headers screen opens and lists the new header.
When ASM receives a request with the type of header you created, the system performs the special considerations indicated in the HTTP header.

Configuring the maximum HTTP header length

You specify a maximum HTTP header length so that the system knows the acceptable maximum length for the HTTP header in an incoming request. This setting is useful primarily in preventing buffer overflow attacks.
  1. On the Main tab, click
    Application Security
    Security Policies
    The Policies List screen opens.
  2. Click the name of the security policy you want to work on.
    The Policy Summary opens.
  3. From the list, select
  4. For the
    Maximum HTTP Header Length
    setting, select one of the options.
    Specifies that the system accepts requests with HTTP headers of any length.
    with a value in bytes
    Specifies that the system accepts HTTP headers up to that length. The default maximum length is
  5. Click
    to save your settings.
  6. To put the security policy changes into effect immediately, click
    Apply Policy
The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.

Implementation Result

When Application Security Manager receives requests, the system checks the header to see if it matches any of the HTTP headers other than the wildcard header. If the request header matches one of the headers, the system performs the configured options for that header.
You can review suggestions related to violations that occur on the Traffic Learning screen. HTTP header violations are listed under Evasion Techniques in the section Evasion Techniques Detected in Headers. You can examine the requests to see if they are legitimate or false positives. If they are false positives, you can consider turning off evasion violations or normalization for the header. You can drill down and view the headers causing violations. If a header violation is a false positive, you can also disable normalization from the Evasion Techniques Detected in Headers screen.
If signature violations occur in the header, the system suggests disabling the signature that cause the violation, or disabling the signature check for that header. If a header declared mandatory is missing, the system suggests disabling the violation or making the missing header non-mandatory.
If the Base64 violation occurs in the header, the system suggests disabling the violation or disabling the Base64 decoding for that header.