Custom block page with ASM

Question

Hi,&nbsp;
I'm fairly new to the ASM and have very little experience with iRules (which I have a feeling will be the only way to accomplish what I want.)&nbsp;
Basically, I'd like to know if there's a way to insert the reason for a block in the block response page. Something like Illegal character, or whatever. The reason being is that I have large forms that are being filled out by users, there's currently little to no client side validation, and if a user accidentally enters a wrong character, they will have no idea what it was and how to fix it.&nbsp;
So are there any ways to do this, or other variables that can be used other than &lt;%TS.request.ID()%&gt; ?&nbsp;
I'm on 11.2, FYI.&nbsp;
Thanks!&nbsp;

cory_50405 · Answer

Unsure it would be a very good idea to inform the end user why the ASM is blocking the request.  Sure it might be helpful in diagnosing false positives, but it also informs a malicious user why their attempts are being blocked. 
&nbsp;  
&nbsp; The better approach would be to disable certain attack signatures on specific parameters or URLs/URIs.  Yes it would probably take a while to build and get everything right, but you are using ASM for a reason.

bt_90520 · Answer

Agree with Cory. Legit user will not care about specific but can be bothered if cannot access resource but not for the those trying to "poke" holes using scanner ...:) Sometimes, it need not be too verbose but can be for your internal staging site which replicate for troubleshooting and validation... 
&nbsp;  
&nbsp; For the specific, you can check out the "ASM::violation_data" 
&nbsp; https://devcentral.f5.com/wiki/iRules.ASM_REQUEST_VIOLATION.ashx

bob_28727 · Answer

I agree with not wanting to be specific in the error response, it would just be to somehow inform the end user that their request was blocked because they entered an illegal character. Most of these end users are going to be very computer illiterate, so when they get a generic block page, they're most likely going to resubmit the same form 5x and then quit from frustration before realizing that they accidentally entered a right bracket in their first name when hitting enter.  
&nbsp; Thanks for the input and the violation resource data. I'll see what I can do and try to find a good solution without weakening the security. &nbsp;

Forum Discussion

Custom block page with ASM

3 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Related Content

SSL Orchestrator Advanced Use Cases: Custom Blocking Pages

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

custom response page for api

WAF custom block page settings

Logging/Blocking possible prompt injection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS