Securing HTTP/HTTPS Traffic
The Barracuda Web Application Firewall protects your applications from the attacks categorized by OWASP, as well as additional attacks such as application DDoS attacks, slow client attacks, session hijacking attacks, and XML/SOAP-based attacks. This applies to both HTTP and HTTPS application traffic. The Barracuda Web Application Firewall provides a variety of security policies to protect websites and web services. Security policies define matching criteria for requests and specify what actions to take when a request matches. All policies are global and can be shared among multiple services configured on the Barracuda Web Application Firewall. For HTTPS applications, the Barracuda Web Application Firewall decrypts the SSL traffic before matching the HTTP requests against security policies.
When a Service requires customized settings, the provided security policies can be tuned, or customized policies can be created. Each policy is a collection of nine sub-policies. Modify a policy by editing the value of the parameter(s) on the sub-policy page.
In this Section:
- Evaluation Policy and Flow
- Smart Signatures
- Rule Matching
- Content-Based Rules
- Security Policies
- Configuring Request Limits
- How to Secure HTTP Cookies
- Configuring URL Protection
- Configuring Parameter Protection
- Limiting Allowed Methods in HTTP Headers and Content
- Configuring Cloaking
- Configuring Data Theft Protection
- Configuring URL Normalization
- Configuring Global ACLs
- Configuring Action Policy
- Configuring Client Profile
- Allow/Deny Rules for Headers and URLs
- Back-end SSL Server Configuration
- How to Configure URL Encryption Rule
- How to Create a Custom Response Page
- How to Enable HTTP/2
- How to Enable Client Fingerprinting
- How to Enable WebSocket
- How to Enable Proxy Protocol
- Detecting website defacement using Application Layer Health Check
- OWASP TOP 10 Web Application Threat Protection
Enabling the features listed below requires the response content from the server to be rewritten. Therefore, a request rewrite rule that removes the Accept-Encoding header is added in the HTTP Request Rewrite section on the Website Translations page. This instructs the web server to send uncompressed responses. In the Barracuda Web Application Firewall 460 and above, the responses can be compressed using the compression feature. For more information on compression, see Configuring Caching and Compression.
The features for which the rewrite rule is added when they are enabled are:
- URL Encryption
- CSRF Protection
- Hidden Parameter Protection
- Data Theft Protection
- Web Scraping
- DDoS Prevention
- Instant SSL
- Response Body Rewrite
- Learning (Website Profiles)
- CSRF under Parameter Protection
- URL Protection (only if CSRF is enabled)