Forum Discussion

Nikoolayy1's avatar
Aug 02, 2022

Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

Hello,

 

Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

 

My idea is that the F5 can monitor a cookie or parameter from tampering but what about if the a JWT token is used and the client changes the HTTP header with another value that is not a web attack but another stolen JWT token.

  • I don't think that ASM has session awareness functionality for JWT tokens at this time; at least based on what I've been able to research for you.

    APM can validate JWT tokens (https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protection-use-cases.html) which sounds like it would achieve what you're looking for (although I'm not specifically an APM person, so my knowledge there is a little limited).

    There is an open RFE (Request For Enhancement) ID against ASM for JWS (JSON Web Security) support which might also bring in the functionality you're looking for - it has been open for a while with little customer/account team interest unfortunately but if you open a case with Support you can ask for your interest to be linked to the ID (ID601999) to help prioritize future development efforts.

    • Thanks for the reply and checks. I was asked if like the session cookie hijacking similar thing can be done for the HTTP header tolken. The APM has nice options of generating such token and validating it as to what can be accessed with it but for hijacking protection when the API clients that are applications can't be checked like for example APM Zero Trust where the users and their devices are non stop checked with APM per-request policies and installed agents on the user devices I will have to review if that is possible.