For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

The WAF Dilemma

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’. How I lowered false positives with NGINX App Protect without compromising security. We are always facin...

Updated Nov 11, 2025

Version 3.0

application delivery

Icon for MVP rank

MVP

Joined July 21, 2008

Icon for MVP rank

MVP

Aug 15, 2025

to avoid waf sqli, xss, etc. false positives of http post payload, the app developer can encode the payload using common base64 then app server can easily decode it back.
https://developer.mozilla.org/en-US/docs/Web/API/Window/btoa

encrypting the payload using light cipher such as aes128 is also possible.
javascript can do aes encryption and it will be hardware accelerated.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt
https://en.wikipedia.org/wiki/AES_instruction_set

Icon for MVP rank

MVP

Aug 20, 2025

The F5 AWAF/ASM has an option "Do nothing" as shown in https://my.f5.com/manage/s/article/K38690758 (the bd process is used in the two cases so most options should be the same) and I checked https://docs.nginx.com/nginx-app-protect-waf/v4/configuration-guide/configuration/ and the " do-nothing " option seems to be there as well that does not inspect the body. Many use cases and ways to do stuff in Nginx like with F5 BIG-IP and it is great 😀

lnxgeek
MVP
Aug 20, 2025
How could I miss that?!?! I have been looking for that specific feature like forever in NAP 😆

It will solve a lot of issues for sure - Thanks!