Forum Discussion

mnocciolino's avatar
mnocciolino
Icon for Nimbostratus rankNimbostratus
Jan 10, 2018

What is the best way to block ajax requests?

I have a page running behind the F5, the application makes queries to a database through AJAX, however for a programming error they left part of the code open, and after the time we discovered that a...
ASM Advanced WAF
LTM
security
nathe's avatar
nathe
Icon for Cirrocumulus rankCirrocumulus
Jan 18, 2018

What about an irule like this?

when HTTP_REQUEST { 
if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" } { 
drop 
   } 
 }

Or a custom ASM signature with the following rule?

headercontent:"XMLHttpRequest"; nocase;

To be honest, a bit of a punt this. Other DCers may come back and highlight major errors with these approaches 🙂