|
1 | | -| Feature | Description | |
2 | | -| ----------------- | ----------- | |
| 1 | +--- |
| 2 | +--- |
| 3 | + |
| 4 | +{{< table >}} |
| 5 | + |
| 6 | +| Feature | Description | |
| 7 | +| ----------------------------------- | ----------- | |
| 8 | +| [Allowed methods]() | Checks allowed HTTP methods. By default, all the standard HTTP methods are allowed. | |
3 | 9 | | [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) | The default policy covers the OWASP top 10 attack patterns. Specific signature sets can be added or disabled. | |
| 10 | +| [Brute force attack preventions]() | Configure parameters to secure areas of a web application from brute force attacks. | |
| 11 | +| [Cooke enforcement]() | By default all cookies are allowed and not enforced for integrity. The user can add specific cookies, wildcards or explicit, that will be enforced for integrity. It is also possible to set the cookie attributes: HttpOnly, Secure and SameSite for cookies found in the response. | |
| 12 | +| [Data guard]() | Detects and masks Credit Card Number (CCN) and/or U.S. Social Security Number (SSN) and/or custom patterns in HTTP responses. Disabled by default. | |
| 13 | +| [Deny and Allow IP lists]() | Manually define denied & allowed IP addresses as well as IP addresses to never log. | |
| 14 | +| [Disallowed file type extensions]() | Support any file type, and includes a predefined list of file types by default | |
| 15 | +| [Evasion techniques]() | All evasion techniques are enabled by default can be disabled individually. These include directory traversal, bad escaped characters and more. | |
| 16 | +| [gRPC protection]() | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on unary or bidirectional traffic. | |
| 17 | +| [HTTP compliance]() | All HTTP protocol compliance checks are enabled by default except for GET with body and POST without body. It is possible to enable any of these two. Some of the checks enabled by default can be disabled, but others, such as bad HTTP version and null in request are performed by the NGINX parser and NGINX App Protect WAF only reports them. These checks cannot be disabled. | |
| 18 | +| [IP address lists]() | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. | |
4 | 19 | | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. | |
| 20 | +| [JSON content]() | JSON content detects malformed content and detects signatures and metacharacters in the property values. Default policy checks maximum structure depth. It is possible to enforce a provided JSON schema and/or enable more size restrictions: maximum total length Of JSON data; maximum value length; maximum array length; tolerate JSON parsing errors. | |
| 21 | +| [Parameter parsing]() | Support only auto-detect parameter value type and acts according to the result: plain alphanumeric string, XML or JSON. | |
| 22 | +| [Sensitive parameters]() | The default policy masks the “password” parameter in the security log, and can be customized for more | |
| 23 | +| [Server technology signatures]() | Support adding signatures per added server technology. | |
| 24 | +| [Threat campaigns]() | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. | |
5 | 25 | | [User-defined HTTP headers]({{< ref "/waf/policies/user-headers.md" >}}) | Handling headers as a special part of requests | |
6 | | -| [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. | |
| 26 | +| [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. | |
| 27 | +| [XML content]() | XML content detects malformed content and detects signatures in the element values. Default policy checks maximum structure depth. It is possible to enable more size restrictions: maximum total length of XML data, maximum number of elements are more. SOAP, Web Services and XML schema features are not supported. | |
| 28 | + |
| 29 | +{{< /table >}} |
0 commit comments