add instructions for urls/cookies/parameters

sylwang · sylwang · commit fd22e59a1b0b · 2025-10-03T11:19:49.000-07:00
diff --git a/content/includes/nginx-one/nap-policy-matching-types.md b/content/includes/nginx-one/nap-policy-matching-types.md
@@ -0,0 +1,24 @@
+# Matching Types: Explicit vs Wildcard
+
+In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways:
+
+## Explicit Matching
+Explicit matching refers to direct matches to specific names or paths in your application. For example:
+- URLs: `/index.html`, `/api/data`
+- Cookies: `sessionId`, `userPrefs`
+- Parameters: `username`, `email`
+
+Use explicit matching when you need to protect specific, known entities.
+
+## Wildcard Matching
+Wildcard matching uses patterns to match multiple similar names or paths. For example:
+- URLs: `/test*` matches `/test`, `/test123`, `/testing`
+- Cookies: `test*` matches `test`, `test123`, `testing`
+- Parameters: `user*` matches `username`, `user_id`, `userEmail`
+
+Wildcard matching is useful when:
+- You need to protect multiple similar entities
+- You want to apply the same security controls to a group
+- The exact names or paths may vary or are dynamically generated
+
+Both explicit and wildcard matching allow you to configure additional properties, such as enforcement type, attack signatures, and more, depending on the entity being protected.
diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md
@@ -0,0 +1,51 @@
+# Managing Cookies in NAP Policy
+Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option.
+
+## Cookie Properties and Types
+Each cookie configuration includes:
+- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section.
+- `Cookie Name`: The name of the cookie to be monitored or protected
+- `Enforcement Type`: 
+  - **Allow**: Permits the cookie with optional attack signature checks
+  - **Disallow**: Blocks the use of the cookie entirely
+- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable
+- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy
+
+**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary.
+
+For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section.
+
+## Cookie Violations
+Click on **Edit Configuration** to configure cookie violations. The following violations can be configured for cookies:
+
+- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired
+- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit
+- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant
+- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `alarm` and `block` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+# Adding a Cookie to Your Policy
+
+1. Choose Cookie Type:
+   - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching
+
+2. Configure Basic Properties:
+   - Enter the `Cookie Name`
+   - Choose whether to mask the cookie value in logs
+
+3. Set Enforcement:
+   - Choose whether to allow or disallow the cookie
+   - If `Allow Cookie` is selected, you can optionally enable attack signatures
+
+**⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies.
+
+4. Optional: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific cookie
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+5. Click **Add Cookie** to save your configuration
diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md
@@ -0,0 +1,57 @@
+# Managing Parameters in NAP Policy
+Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option.
+
+## Parameter Properties and Types
+Each parameter configuration includes:
+- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section.
+- `Name`: The name of the parameter
+- `Location`: Where the parameter is expected (URL query string, POST data, etc.)
+- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email)
+- `Attack Signatures`: Whether attack signature checking is enabled for this parameter
+- `Mask Value in Logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy
+
+
+For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section.
+
+## Parameter Violations
+Click on **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters:
+
+- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected
+- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal
+- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configuration
+- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be
+- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location
+- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name
+- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range
+- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally
+- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configuration
+- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits
+- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value
+- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `alarm` and `block` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+# Adding a Parameter to Your Policy
+
+1. Choose Parameter Type:
+   - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching
+
+2. Configure Basic Properties:
+   - Enter the parameter `Name`
+   - Select the `Location` where the parameter is expected
+   - Choose the `Value Type` (alpha-numeric, integer, email, etc.)
+   - Set the `Data Type` if applicable
+
+3. Set Security Options:
+   - Choose whether to enable attack signatures
+   - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}})
+
+4. Optional: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific parameter
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+5. Click **Add Parameter** to save your configuration
diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md
diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md
@@ -0,0 +1,52 @@
+# Managing URLs in NAP Policy
+URLs can be configured and managed directly within the policy editor by selecting the **URLs** option.
+
+## URL Properties and Types
+Each URL configuration includes:
+- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section
+- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.)
+- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`)
+- `Enforcement Type`: 
+  - **Allow**: Permits access to the URL with optional attack signature checks
+  - **Disallow**: Blocks access to the URL entirely
+- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable
+
+**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary.
+
+For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section.
+
+## URL Violations
+Click on **Edit Configuration** to configure URL violations. The following violations can be configured for URLs:
+
+- `VIOL_URL`: Triggered when an illegal URL is accessed
+- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type
+- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit
+- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `alarm` and `block` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+# Adding a URL to Your Policy
+
+1. Choose URL Type:
+   - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching
+
+2. Configure Basic Properties:
+   - Enter the `URL` path
+   - Select allowed `Method(s)` (e.g., `GET`, `POST`, *)
+   - Choose the `Protocol` (`HTTP`/`HTTPS`)
+
+3. Set Enforcement:
+   - Choose whether to allow or disallow the URL
+   - If `Allow URL` is selected, you can optionally enable attack signatures
+
+**⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs.
+
+4. **Optional**: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific URL
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+5. Click **Add URL** to save your configuration
diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md
@@ -0,0 +1,33 @@
+# Advanced Configuration for NAP Policies
+
+This document consolidates advanced configuration options for parameters, URLs, and cookies in NGINX App Protect (NAP) policies. These configurations allow for fine-tuning security settings to meet specific application requirements. By centralizing these options, this guide provides a unified reference for creating granular and robust security policies.
+
+## Shared Advanced Configuration Options
+
+The following advanced configuration options are common to parameters, URLs, and cookies:
+
+- **Length Restrictions**: Define maximum allowable lengths to prevent excessively long inputs that could indicate malicious activity.
+- **Meta Character Overrides**: Specify allowed or disallowed meta characters to ensure compliance with application-specific requirements.
+- **Custom Signature Sets**: Apply custom signature sets to tailor attack detection mechanisms for specific use cases.
+
+## Parameter-Specific Configuration Options
+
+In addition to the shared options, parameters support the following advanced configurations:
+
+- **Regular Expression Patterns**: Use regex patterns to validate parameter values against expected formats, enhancing security and reducing false positives.
+- **Static Value Constraints**: Set fixed values for parameters to enforce strict compliance with predefined rules.
+- **Numeric Value Ranges**: Define acceptable numeric ranges for parameters to prevent out-of-bound values.
+
+## URL-Specific Configuration Options
+
+In addition to the shared options, URLs support the following advanced configurations:
+
+- **Content Type Profiles**: Configure content type profiles (e.g., JSON, XML, form-data) to validate request payloads.
+
+## Cookie-Specific Configuration Options
+
+In addition to the shared options, cookies support the following advanced configurations:
+
+- **Mask Value in Logs**: Enable masking of cookie values in logs for enhanced security and privacy.
+
+These configurations help create a more granular and specific security policy for your application. For detailed instructions on implementing these options, refer to the [Policy Parameter Reference]({{< ref "/waf/policies/parameter-reference.md" >}}).
