Forum Discussion
F5 is not blocking Cross Site Script attack
Hello Moinul, cross-site scripting (XSS) protection is done by the attack signatures in ASM which detect known character sequences and patterns in the XSS class of attacks. Cross-site request forgery (CSRF) is a separate mechanism that relies on an ASM token.

If you are testing your system, and XSS attacks are not being blocked, there are a few reasons.

One is that the security policy is in transparent mode. In transparent mode, all requests pass, but you can check the "Learn" and "Alarm" flags on the blocking settings screen to ensure you are alerted on specific violations.

Another reason is that your attack signatures, or one specific signature, are in staging. Staging gives you time to determine if a triggered attack signature is a false positive before enforcing it (removing it from staging).

Another reason is that if an attack signature was triggered on a parameter, and the parameter is in staging, the request still will not be blocked.

Make any sense?