In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers (U.S. only). The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing).

Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.

The system can examine the content of responses for specific types of files that you do not want to be returned to users, such as ELF binary files or Microsoft Word documents. File content checking causes the system to examine responses for the file content types you select, and to block sensitive file content (depending on the blocking modes), but it does not mask the sensitive file content.

Data Guard examines responses that have the following content-type headers:

• "text/..."
• "application/x-shockwave-flash"
• "application/sgml"
• "application/x-javascript"
• "application/xml"
• "application/x-asp"
• "application/x-aspx"
• "application/xhtml+xml"

You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.

1. On the Main tab, click Security > Application Security > Data Guard. The Data Guard screen opens.
2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
3. Select the Data Guard check box.
4. If you want the system to consider credit card numbers as sensitive data, select the Credit Card Numbers check box.
5. If you want the system to consider U.S. social security numbers (in the form nnn-nn-nnnn, where n is an integer) as sensitive data, select the U.S. Social Security Numbers check box.
6. To specify additional sensitive data patterns that occur in the application:
   1. Select the Custom Patterns check box.
   2. In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add. For example, 999-[/d][/d]-[/d][/d][/d][/d].
      Tip: You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
   3. Add as many custom patterns as needed for the application.
7. To specify data patterns not to consider sensitive:
   1. Select the Exception Patterns check box.
   2. In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add.
   3. Add as many custom patterns as needed for the application.
8. If, in responses (when not blocked), you want the system to replace the sensitive data with asterisks (****), select the Mask Data check box. This setting is not relevant if blocking is enabled for the violation, because the system blocks responses containing sensitive data.
9. To review responses for specific file content (for example, to determine whether someone is trying to download a sensitive type of document):
   1. For the File Content Detection setting, select the Check File Content check box. The screen displays a list of available file types.
   2. Move the file types you want the system to consider sensitive from the Available list into the Members list.
10. To specify which URLs to examine for sensitive data, use the Enforcement Mode setting:
    • To inspect all URLs, use the default value of Ignore URLs in list, and do not add any URLs to the list.
    • To inspect all but a few specific URLs, use the default value of Ignore URLs in list, and add the exceptions to the list.
    • To inspect only specific URLs, select Enforce URLs in list, and add the URLs to check to the list.
    When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.