Before you can complete this task, you need to have already created a security
policy for your application.
This task describes how to create a JSON profile that defines the properties that
the security policy enforces for an application sending JSON payloads or WebSocket
payloads in JSON format.
Note: The system supports JSON in UTF-8 and UTF-16
encoding. WebSocket allows only UTF-8.
- On the Main tab, click .
- Click Create.
  The Create New JSON Profile screen opens.
- Type the name of the profile.
- Adjust the maximum values that define the JSON data for the AJAX application, or use the default values.
- If the signatures included in the security policy are not sufficient for this JSON profile, you can change them.
  - On the Attack Signatures tab, in the Global Security Policy Settings list, select any specific attack signatures that you want to enable or disable for this profile, and then move them into the Overridden Security Policy Settings list.
    Tip: If no attack signatures are listed in the Global Security Policy Settings list, create the profile, update the attack signatures, then edit the profile.
  - After you have moved any applicable attack signatures to the Overridden Security Policy Settings list, enable or disable each of them as needed:
    - Enabled - Enforces the attack signature for this JSON profile, although the signature might be disabled in general. The system reports the violation Attack Signature Detected when the JSON in a request matches the attack signature.
    - Disabled - Disables the attack signature for this JSON profile, although the signature might be enabled in general.
- To allow or disallow specific meta characters in JSON data (and thus override the global meta character settings), click the Value Meta Characters tab.
  - Select the Check characters check box, if it is not already selected.
  - Move any meta characters that you want to allow or disallow from the Global Security Policy Settings list into the Overridden Security Policy Settings list.
  - In the Overridden Security Policy Settings list, change the meta character state to Allow or Disallow.
- To mask sensitive JSON data (replacing it with asterisks), click the Sensitive Data Configuration tab.
  - In the Element Name field, type the JSON element whose values you want the system to consider sensitive.
  - Click Add.
    Important: If the JSON data causes violations and the system stops parsing the data part way through a transaction, the system masks only the sensitive data that was fully parsed.
  - Add any other elements that could contain sensitive data that you want to mask.
- Click Create.
  The system creates the profile and displays it in the JSON Profiles list.
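As an added illustration (not part of this documentation or the product's own code), the following Python models what a JSON profile of this kind enforces: maximums on payload size, value length, structure depth and array length, plus masking of the values of named sensitive elements, which is only possible for data that was fully parsed. The limit names, their values and the sensitive element names are assumptions made for the example.

```python
import json

# Constructed limits standing in for the maximums a JSON profile sets; the
# key names are illustrative, not the product's own field names.
LIMITS = {"max_total_length": 2048, "max_value_length": 64,
          "max_depth": 4, "max_array_length": 8}
SENSITIVE_ELEMENTS = {"password", "ssn"}   # constructed sensitive element names


def check_json(raw, limits=LIMITS):
    """Return (violations, doc): sorted violation names and the parsed
    document, or None when parsing did not complete."""
    if len(raw) > limits["max_total_length"]:
        return ["total_length"], None          # rejected before parsing
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["malformed_json"], None        # parsing stopped part way
    violations = set()

    def walk(node, depth):
        # depth counts nested containers; the root object or array is depth 1
        if isinstance(node, (dict, list)):
            if depth > limits["max_depth"]:
                violations.add("structure_depth")
                return
            if isinstance(node, list) and len(node) > limits["max_array_length"]:
                violations.add("array_length")
            for child in (node.values() if isinstance(node, dict) else node):
                walk(child, depth + 1)
        elif isinstance(node, str) and len(node) > limits["max_value_length"]:
            violations.add("value_length")

    walk(doc, 1)
    return sorted(violations), doc


def mask_sensitive(doc, sensitive=SENSITIVE_ELEMENTS):
    """Copy of a parsed document with sensitive values replaced by asterisks."""
    if isinstance(doc, dict):
        return {k: "********" if k in sensitive else mask_sensitive(v, sensitive)
                for k, v in doc.items()}
    if isinstance(doc, list):
        return [mask_sensitive(v, sensitive) for v in doc]
    return doc


def inspect_payload(raw):
    """Check a payload and build a log-safe view; unparsed data cannot be masked."""
    violations, doc = check_json(raw)
    masked = mask_sensitive(doc) if doc is not None else None
    return {"violations": violations, "masked": masked}
```

A request that fails size or well-formedness checks yields no masked view at all, so anything logged from the raw payload in that path must be treated as unmasked.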
This creates a JSON profile that affects the security policy when you associate the
profile with a URL, WebSocket URL, or parameter.
Next, you need to associate the JSON profile with any URLs, WebSocket URLs, or
parameters that might include JSON data.