Forum Discussion
WildCard Parameters
- Aug 25, 2016
Depends on your environment. I use wildcard parameters in 95% of deployments in conjunction with 3-5 specific (the most important) parameters. I think it's a smart thing to do, because listing out all individual parameters for maximum granularity is too expensive to manage. It's also a very risky strategy (any minor application patch could come with an impact).
What will you lose? Parameter Length and Meta Character restrictions are universal. To give you an example, value of a parameter "2-letter-country-code" never needs to exceed 2 bytes. But due to your wildcard strategy, setting such a low limit is not viable because other parameters require more bytes for their legitimate values. Is it a significant loss? In my opinion, it's quite marginal.
tl;dr: go with a wildcard, and list out only those parameters that are of key importance. To give you an idea of important parameters that are worth dedicated security specifications: session-id, social-security-number, password, api-access-token, credit-card-no, passport-number.
Depends on your environment. I use wildcard parameters in 95% of deployments in conjunction with 3-5 specific (the most important) parameters. I think it's a smart thing to do, because listing out all individual parameters for maximum granularity is too expensive to manage. It's also a very risky strategy (any minor application patch could come with an impact).
What will you lose? Parameter Length and Meta Character restrictions are universal. To give you an example, value of a parameter "2-letter-country-code" never needs to exceed 2 bytes. But due to your wildcard strategy, setting such a low limit is not viable because other parameters require more bytes for their legitimate values. Is it a significant loss? In my opinion, it's quite marginal.
tl;dr: go with a wildcard, and list out only those parameters that are of key importance. To give you an idea of important parameters that are worth dedicated security specifications: session-id, social-security-number, password, api-access-token, credit-card-no, passport-number.
Thanks a lot for your kind feedback, appreciate your time and efforts
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com