Forum Discussion
Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?
I don't think that ASM has session awareness functionality for JWT tokens at this time; at least based on what I've been able to research for you.
APM can validate JWT tokens (https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protection-use-cases.html) which sounds like it would achieve what you're looking for (although I'm not specifically an APM person, so my knowledge there is a little limited).
There is an open RFE (Request For Enhancement) ID against ASM for JWS (JSON Web Security) support which might also bring in the functionality you're looking for - it has been open for a while with little customer/account team interest unfortunately but if you open a case with Support you can ask for your interest to be linked to the ID (ID601999) to help prioritize future development efforts.
Thanks for the reply and checks. I was asked if, like with session cookie hijacking, a similar thing can be done for the HTTP header token. The APM has nice options for generating such a token and validating it as to what can be accessed with it, but for hijacking protection, when the API clients that are applications can't be checked like, for example, with APM Zero Trust, where the users and their devices are non-stop checked with APM per-request policies and installed agents on the user devices, I will have to review if that is possible.