Forum Discussion
AHMADAD
Altostratus
AltostratusBlock specific parameter value
Hello All, I am working on WAF policy where i need to allow any query paramter vlaue but block ones with sites or hostnames, example below. BLOCK : https://hostname/index.html?para1=https://exampl...
Daniel_Wolf
MVP
MVPHi AHMADAD,
you say that you want to prevent sites and hostnames as parameter value. But in my opinion this is a site:
ALLOW: https://hostname/index.html?para1=name1.html
Or do you consider this a page and pages are allowed?
Could you explain what you are trying to protect or prevent with this? Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature.
However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.
KR
Daniel
AHMADADHi Daniel,
Thank you for your response.
Exactly, i considered this a page and its allowed but i don't want users to insert sites in parameter values, i 100% agree with you that this is something should be resolved at application side but was trying to help in my end as workaround 😉
Thanks for sharing the CSRF link, we don't want to apply this solution as we have not tested it for this specific application and it may has negative side effects