Applies To:
Show VersionsBIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About protecting sensitive data with Data Guard
In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers (U.S. only). The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you specify.
Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.
The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).
Response headers that Data Guard inspects
Data Guard examines responses that have the following content-type headers:
- "text/..."
- "application/x-shockwave-flash"
- "application/sgml"
- "application/x-javascript"
- "application/xml"
- "application/x-asp"
- "application/x-aspx"
- "application/xhtml+xml"
You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.
Protecting sensitive data
When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block). If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.