Forum Discussion

kimhenriksen
May 25, 2023

ASM block page for use with API waf policy

Hey all!

I've set up an ASM WAF policy for a web service that handles API calls. But the standard response on a block is a 200 OK with the block web page, which works great if a person can see it on the screen. When it's an API call, the service just gets a <!DO (the first characters of the web page) and a 200 OK.

What I want to do is just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source.

I've got most of it figured out, except the header part...

So... doesn't anyone know a good way for me to insert a support ID to a header response back to the client?

  • Nikoolayy1
    May 25, 2023

    Also keep in mind that the ASM_REQUEST_DONE iRule event will show you the support ID even for good requests, so if you want to insert the header only when there is a violation, then you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE, as it will trigger only for bad requests.

  • Just an update from me. I found a much, much simpler way to accomplish this.

    In the settings for the policy, under response and blocking pages, I edited and created a new header and just used the support ID variable from the page in the header, and that worked like a charm. No iRules to apply or anything. 😄
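
A client-side check for the two block responses described in this thread (200 OK with an HTML block page, versus an error status with the support ID in a header), added here as an example and not code from any of the posters. The header name `X-Support-ID`, the body wording matched by the regex, and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: the header name configured on the blocking response.
SUPPORT_ID_HEADER = "X-Support-ID"
# Assumption: the HTML block page contains "support ID is: <digits>".
BODY_SUPPORT_ID = re.compile(r"support ID is:\s*(\d+)", re.IGNORECASE)


def classify_block(status, headers, body):
    """Return (blocked, support_id, api_friendly) for one HTTP response.

    api_friendly is True only when an API client can see the block without
    parsing HTML: an error status plus the support ID in a response header.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    header_id = hdrs.get(SUPPORT_ID_HEADER.lower())

    # Only trust a support ID in the body when the body is markup, i.e. the
    # "<!DO..." case where the API client expected JSON but got a web page.
    body_id = None
    text = (body or "").lstrip()
    if text.startswith("<"):
        match = BODY_SUPPORT_ID.search(text)
        body_id = match.group(1) if match else None

    support_id = header_id or body_id
    blocked = support_id is not None
    api_friendly = blocked and header_id is not None and status >= 400
    return blocked, support_id, api_friendly


# Constructed sample responses (not captured from a real device).
LEGACY_BLOCK = (200, {"Content-Type": "text/html"},
                "<!DOCTYPE html><html><body>The requested URL was rejected. "
                "Your support ID is: 1234567890123456789</body></html>")
HEADER_BLOCK = (403, {"X-Support-ID": "1234567890123456789"}, "")
NORMAL_REPLY = (200, {"Content-Type": "application/json"}, '{"ok": true}')

if __name__ == "__main__":
    for name, resp in [("legacy", LEGACY_BLOCK), ("header", HEADER_BLOCK),
                       ("normal", NORMAL_REPLY)]:
        print(name, classify_block(*resp))
```

Run against a test request that the policy is known to block, this confirms whether the blocking response is one an API consumer can act on and log by support ID.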
