The WAF Dilemma
How I lowered false positives with NGINX App Protect without compromising security.
To avoid WAF SQLi, XSS, etc. false positives on an HTTP POST payload, the app developer can encode the payload using common Base64; then the app server can easily decode it back.
https://developer.mozilla.org/en-US/docs/Web/API/Window/btoa
Encrypting the payload using a light cipher such as AES-128 is also possible.
JavaScript can do AES encryption, and it will be hardware accelerated.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt
https://en.wikipedia.org/wiki/AES_instruction_set
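The practical consequence of the suggestion above is that once the POST body reaches the server as opaque Base64 (or is excluded from inspection by a "do-nothing" style setting), the WAF's signature checks no longer apply to it, so the application itself has to do the input validation that the WAF was doing. The following is an added example, not code from this thread, from F5, or from NGINX App Protect: it shows the client-side wrapping step (the Python equivalent of btoa over a JSON body) and the server-side step that decodes the body and then enforces a strict, allow-list schema before the data is used. The function names, the size limit and the field policy in ALLOWED_FIELDS are constructed for the example.

```python
import base64
import binascii
import json
import re

# Constructed policy for this example: the only fields the endpoint accepts,
# each with the pattern it must match. Anything else is rejected.
ALLOWED_FIELDS = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "comment": re.compile(r"[^<>]{0,500}"),  # constructed rule: no angle brackets
}
MAX_BODY_BYTES = 16 * 1024  # constructed limit; decode only bounded input


def wrap_payload(fields: dict) -> str:
    """Client-side step: serialize to JSON, then Base64-encode (what btoa does)."""
    raw = json.dumps(fields, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def unwrap_and_validate(body: str) -> dict:
    """Server-side step: decode the body, then apply the checks the WAF no
    longer performs on it. Raises ValueError on any deviation from the schema."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently discarding them.
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64") from exc
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    unknown = set(data) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for name, pattern in ALLOWED_FIELDS.items():
        value = data.get(name, "")
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValueError(f"field {name!r} failed validation")
    return data


def is_rejected(body: str) -> bool:
    """Convenience wrapper: True when the server-side step refuses the body."""
    try:
        unwrap_and_validate(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok = wrap_payload({"username": "alice", "comment": "hello"})
    print(unwrap_and_validate(ok))
    print(is_rejected(wrap_payload({"username": "alice", "comment": "<b>hi</b>"})))
```

The allow-list shape (known fields only, each with a bounded pattern) is the point: an encoded body defeats pattern-based false positives precisely because the WAF cannot see it, so the decoding endpoint is the last place where malformed or oversized input can be refused.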
The F5 AWAF/ASM has an option "Do nothing", as shown in https://my.f5.com/manage/s/article/K38690758 (the bd process is used in both cases, so most options should be the same), and I checked https://docs.nginx.com/nginx-app-protect-waf/v4/configuration-guide/configuration/ and the "do-nothing" option seems to be there as well; it does not inspect the body. There are many use cases and ways to do things in NGINX, as with F5 BIG-IP, and it is great 😀
- lnxgeek (MVP), Aug 20, 2025
How could I miss that?!?! I have been looking for that specific feature like forever in NAP 😆
It will solve a lot of issues for sure - Thanks!