
Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

Hello,

Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

My idea is that the F5 can monitor a cookie or parameter for tampering, but what about if a JWT token is used and the client changes the HTTP header with another value that is not a web attack but another stolen JWT token?


LiefZimmerman
Community Manager

@Nikoolayy1 - I'll see if I can get someone to take a look at your idea and get back to you.

------
Lief Zimmerman | @LiefZF5 | DevCentral Community Manager

AaronJB
F5 SIRT

I don't think that ASM has session awareness functionality for JWT tokens at this time; at least based on what I've been able to research for you.

APM can validate JWT tokens (https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protectio...) which sounds like it would achieve what you're looking for (although I'm not specifically an APM person, so my knowledge there is a little limited).

There is an open RFE (Request For Enhancement) ID against ASM for JWS (JSON Web Security) support which might also bring in the functionality you're looking for - it has been open for a while with little customer/account team interest unfortunately but if you open a case with Support you can ask for your interest to be linked to the ID (ID601999) to help prioritize future development efforts.

Thanks for the reply and checks. I was asked if, like session cookie hijacking, a similar thing can be done for the HTTP header token. The APM has nice options for generating such a token and validating it as to what can be accessed with it, but for hijacking protection when the API clients that are applications can't be checked (like, for example, APM Zero Trust, where the users and their devices are non-stop checked with APM per-request policies and installed agents on the user devices), I will have to review if that is possible.
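The distinction the thread circles around (signature validation of a JWT versus detecting that a valid token is being replayed by a different client) is easiest to see in code. The following is an added example written for this page; it is not F5 ASM, APM or DevCentral code and does not model any BIG-IP feature. It assumes an HS256 JWT with a shared secret, and it binds the token to the presenting client's certificate thumbprint in a `cnf` / `x5t#S256` claim in the style of RFC 8705 certificate-bound tokens. The secret, claim values and "certificate" byte strings are constructed for the demo. The point it shows: `verify_jwt` alone happily accepts a stolen token, because a stolen token is cryptographically perfect; only the binding check in `authorize_request` notices that the token arrived from a client it was not issued to.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps this in a key store or HSM.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Signature and expiry check only: what a validating gateway can do by itself.
    Returns the claims on success, None on any failure (never raises on bad input)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: refuse "none" and any alg the token tries to pick for us.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def client_thumbprint(client_cert_der: bytes) -> str:
    """SHA-256 thumbprint of the client certificate the TLS layer saw (x5t#S256 style)."""
    return _b64url_encode(hashlib.sha256(client_cert_der).digest())


def authorize_request(auth_header: str, client_cert_der: bytes, secret: bytes,
                      now: Optional[float] = None) -> str:
    """Return 'ok' or a short reason code; the reason codes are what a detection rule would log."""
    if not auth_header.startswith("Bearer "):
        return "no-bearer"
    claims = verify_jwt(auth_header[len("Bearer "):], secret, now)
    if claims is None:
        return "invalid-token"          # tampered, forged, wrong alg or expired
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        return "unbound-token"          # valid, but nothing ties it to this client
    if not hmac.compare_digest(bound, client_thumbprint(client_cert_der)):
        return "token-replayed-from-other-client"
    return "ok"


def run_demo() -> dict:
    """Exercise the legitimate, stolen, unbound, tampered and expired cases."""
    now = 1_700_000_000
    alice_cert = b"constructed: alice client cert DER bytes"      # constructed stand-in
    mallory_cert = b"constructed: mallory client cert DER bytes"  # constructed stand-in
    bound = mint_jwt({"sub": "alice", "exp": now + 600,
                      "cnf": {"x5t#S256": client_thumbprint(alice_cert)}}, DEMO_SECRET)
    unbound = mint_jwt({"sub": "alice", "exp": now + 600}, DEMO_SECRET)
    # Tampering: swap the payload but keep the original signature (the cookie-style attack).
    h, _p, s = bound.split(".")
    forged = _b64url_encode(json.dumps({"sub": "admin", "exp": now + 600}, separators=(",", ":")).encode())
    tampered = f"{h}.{forged}.{s}"
    return {
        "legit": authorize_request("Bearer " + bound, alice_cert, DEMO_SECRET, now),
        "stolen_bound": authorize_request("Bearer " + bound, mallory_cert, DEMO_SECRET, now),
        "stolen_passes_signature_check": verify_jwt(unbound, DEMO_SECRET, now) is not None,
        "stolen_unbound": authorize_request("Bearer " + unbound, mallory_cert, DEMO_SECRET, now),
        "tampered": authorize_request("Bearer " + tampered, alice_cert, DEMO_SECRET, now),
        "expired": authorize_request("Bearer " + bound, alice_cert, DEMO_SECRET, now + 601),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The `stolen_passes_signature_check` result is the gap the original question describes: a WAF that only validates the signature cannot tell a replayed token from a fresh one. Binding the token to something the thief does not hold (here the client certificate; a device posture check or per-request policy plays the same role) is what turns a replay into a detectable event, and `token-replayed-from-other-client` is the reason code worth alerting on.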