Security Policy

A security policy determines what action to take when one or more of the rules match the request. All security policies are global and can be shared among multiple services configured on the Barracuda Web Application Firewall. 

Creating a Security Policy

URL:  /v1/security_policies

Method: POST

Description: Creates a security policy with the default values.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description
--- | --- | --- | ---
name | Alphanumeric | Yes | The name of the security policy that needs to be created.

Example:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies -u 'eyJldCI6IjEzODY3IidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"new_policy"}'

Response:

{"id":"new_policy","token":"eyJldCI6IjEZkIiwidXNlciI6ImFkbWluIn0=\n"}

Retrieving Security Policies

URL:  /v1/security_policies
      /v1/security_policies/{policy_id}

Method: GET

Description: Lists all security policies if "policy_id" is not specified; otherwise returns the policy with that id.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description
--- | --- | --- | ---
parameters | Alphanumeric | Optional | Any specific parameter name(s) that need to be retrieved. See Example 2.

Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy -u 'eyJldCI6IGY3IiwidXNlciI6ImFkbWluIn0=\n:' -X GET

Response:

{
  "default_character_set": "UTF-8",
  "cloaking": {
    "suppress_return_code": "1",
    "headers_to_filter": [
      "Server",
      "X-Powered-By",
      "X-AspNet-Version"
    ],
    "return_codes_to_exempt": [],
    "filter_response_header": "1"
  },
  "apply_double_decoding": "No",
  "data_theft_protection": [
    "credit-cards",
    "ssn",
    "directory-indexing"
  ],
  "url_protection_status": "1",
  "allowed_acls": 2,
  "request_limits": {
    "max_number_of_headers": "20",
    "enable": "1",
    "max_header_name_length": "32",
    "max_cookie_name_length": "64",
    "max_query_length": "4096",
    "max_cookie_value_length": "4096",
    "max_request_length": "32768",
    "max_header_value_length": "512",
    "max_url_length": "4096",
    "max_request_line_length": "4096",
    "max_number_of_cookies": "40"
  },
  "parameter_protection": {
    "enable": "1",
    "denied_metacharacters": "%00%04%1b%08%7f",
    "file_upload_extensions": [
      "JPG",
      "GIF",
      "PDF"
    ],
    "maximum_upload_file_size": "1024",
    "blocked_attack_types": null,
    "ignore_parameters": [
      "__VIEWSTATE"
    ],
    "custom_blocked_attack_types": [],
    "allowed_file_upload_type": "extensions",
    "maximum_parameter_value_length": "1000",
    "maximum_instances": null,
    "file_upload_mime_types": [
      "image/jpeg",
      "image/gif",
      "application/pdf"
    ],
    "exception_patterns": []
  },
  "id": "new_policy",
  "token": "eyJldCI6IRjIiwidXNlciI6ImFkbWluIn0=\n",
  "url_protection": {
    "enable": "1",
    "maximum_parameter_name_length": "64",
    "max_content_length": "32768",
    "max_parameters": "40",
    "allowed_content_types": [
      "application/x-www-form-urlencoded",
      "multipart/form-data",
      "text/xml"
    ],
    "maximum_upload_files": "5",
    "blocked_attack_types": null,
    "custom_blocked_attack_types": [],
    "csrf_prevention": "none",
    "allowed_methods": [
      "GET",
      "POST",
      "HEAD"
    ],
    "exception_patterns": []
  },
  "cookie_security": {
    "secure_cookie": "0",
    "cookies_exempted": [
      "__utma",
      "__utmc",
      "__utmz",
      "__utmb",
      "AuthSuccessURL",
      "CTSESSION",
      "SMSESSION",
      "SMCHALLENGE"
    ],
    "cookie_max_age": "1440",
    "cookie_replay_protection_type": "IP",
    "http_only": "0",
    "days_allowed": "7",
    "tamper_proof_mode": "signed",
    "custom_headers": [],
    "allow_unrecognized_cookies": "custom"
  },
  "url_normalization": {
    "parameter_separators": "ampersand",
    "default_charset": "UTF-8",
    "double_decoding": "No",
    "detect_response_charset": "0"
  },
  "cookie_protection": "signed",
  "limit_checks": "1",
  "name": "new_policy",
  "parameter_protection_status": "1",
  "disallowed_acls": 7
}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy -u 'eyJldCI6IjE1NlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=cookie_security,cloaking

Response:

{
  "cookie_security": {
    "secure_cookie": "yes",
    "cookies_exempted": [
      "__utma",
      "__utmc",
      "__utmz",
      "__utmb",
      "AuthSuccessURL",
      "CTSESSION",
      "SMSESSION",
      "SMCHALLENGE"
    ],
    "cookie_max_age": "50000",
    "cookie_replay_protection_type": "none",
    "http_only": "yes",
    "days_allowed": "Never",
    "tamper_proof_mode": "encrypted",
    "custom_headers": [
      "host",
      "Cookie",
      "User-Agent"
    ],
    "allow_unrecognized_cookies": "never"
  },
  "cloaking": {
    "suppress_return_code": "yes",
    "headers_to_filter": [
      "Server",
      "date"
    ],
    "return_codes_to_exempt": [
      "403"
    ],
    "filter_response_header": "yes"
  },
  "id": "new_policy",
  "token": "eyJldCI6IjIiwidXNlciI6ImFkbWluIn0=\n"
}
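The GET responses above are the natural input for a configuration audit: a script that pulls each policy and flags settings that fall below a hardening baseline. The following Python script is an added example, not part of the Barracuda documentation or API; the embedded policy is a constructed, abridged copy of the Example 1 response, and the baseline checks are this example's own assumptions about a hardened policy, not documented defaults. It resolves the dotted parameter names used in the tables on this page (for example cookie_security.secure_cookie) against the nested JSON, and accepts both the "1"/"0" and "yes"/"no" boolean spellings that appear in Example 1 and Example 2.

```python
import json

# Constructed sample input: an abridged copy of the Example 1 response
# for GET /v1/security_policies/new_policy (values as shown on the page).
SAMPLE_POLICY = json.loads("""
{
  "id": "new_policy",
  "cookie_security": {
    "secure_cookie": "0",
    "http_only": "0",
    "tamper_proof_mode": "signed",
    "cookie_replay_protection_type": "IP",
    "allow_unrecognized_cookies": "custom",
    "days_allowed": "7"
  },
  "request_limits": {
    "enable": "1",
    "max_request_length": "32768",
    "max_url_length": "4096"
  },
  "url_protection": {
    "enable": "1",
    "csrf_prevention": "none",
    "allowed_methods": ["GET", "POST", "HEAD"]
  },
  "cloaking": {
    "suppress_return_code": "1",
    "filter_response_header": "1"
  }
}
""")

# The API renders booleans as "1"/"0" in one response and "yes"/"no" in another.
TRUE_VALUES = {"1", "yes"}


def lookup(policy, dotted):
    """Resolve a dotted name such as 'cookie_security.secure_cookie' against the
    nested JSON; return None if any segment is missing."""
    node = policy
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_true(value):
    return str(value).lower() in TRUE_VALUES


# Hardening baseline: (dotted parameter, predicate, message on failure).
# These expectations are this example's assumptions, not documented defaults.
BASELINE = [
    ("cookie_security.secure_cookie", is_true,
     "cookies should only be sent over HTTPS (secure_cookie)"),
    ("cookie_security.http_only", is_true,
     "cookies should be HttpOnly (http_only)"),
    ("cookie_security.tamper_proof_mode", lambda v: v in {"signed", "encrypted"},
     "tamper_proof_mode should be signed or encrypted"),
    ("cookie_security.allow_unrecognized_cookies", lambda v: v != "always",
     "allow_unrecognized_cookies should not be 'always'"),
    ("request_limits.enable", is_true,
     "request size limits should be enforced"),
    ("url_protection.enable", is_true,
     "URL protection should be enabled"),
    ("url_protection.csrf_prevention", lambda v: v != "none",
     "CSRF prevention is disabled"),
    ("cloaking.filter_response_header", is_true,
     "response header cloaking should be on"),
]


def audit_policy(policy):
    """Return a list of human-readable deviations from BASELINE, in baseline order."""
    findings = []
    for dotted, check, message in BASELINE:
        value = lookup(policy, dotted)
        if value is None:
            findings.append(f"{dotted}: missing from policy")
        elif not check(value):
            findings.append(f"{dotted}={value!r}: {message}")
    return findings


if __name__ == "__main__":
    # With a real appliance, replace SAMPLE_POLICY by the parsed body of the GET call.
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the Example 1 defaults, the audit reports three deviations: secure_cookie and http_only are "0", and csrf_prevention is "none". Missing sections are reported rather than silently passed, so a policy retrieved with the `parameters` filter from Example 2 will show which checks it could not evaluate.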

Updating a Security Policy

In this REST API call, the parameters can be passed in a simple JSON request or a nested JSON request, depending on the parameters that need to be modified. For information on JSON requests, see Request Syntax.

URL:  /v1/security_policies/{policy_id}

Method:  PUT

Description: Updates a security policy with the given values.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description
--- | --- | --- | ---
request_limits.enable | String | Optional | Enforce size-limit checks on request headers or not. The values include: yes, no
request_limits.max_request_length | Numeric | Optional | The maximum allowable request length. This includes the request line and all HTTP request headers (for example, User-Agent, Cookie, Referer, etc.).
request_limits.max_request_line_length | Numeric | Optional | The maximum allowable length for the request line. The request line consists of the method, the URL (including any query string) and the HTTP version.
request_limits.max_url_length | Numeric | Optional | The maximum allowable URL length, including the query string portion of the URL.
request_limits.max_query_length | Numeric | Optional | The maximum allowable length for the query string portion of the URL.
request_limits.max_number_of_cookies | Numeric | Optional | The maximum number of cookies allowed in a request.
request_limits.max_cookie_name_length | Numeric | Optional | The maximum allowable length for a cookie name.
request_limits.max_cookie_value_length | Numeric | Optional | The maximum allowable length for a cookie value.
request_limits.max_number_of_headers | Numeric | Optional | The maximum number of headers allowed in a request.
request_limits.max_header_name_length | Numeric | Optional | The maximum allowable length for a header name.
request_limits.max_header_value_length | Numeric | Optional | The maximum allowable length for a header value in a request.
cookie_security.tamper_proof_mode | Enumeration | Optional | The tamper-proof mode for cookies. The enumerated values include: signed, encrypted, none
cookie_security.cookie_max_age | Numeric | Optional | The maximum age for session cookies.
cookie_security.cookie_replay_protection_type | Enumeration | Optional | The type of protection used to prevent cookie replay attacks. The enumerated values include: none, IP, IP_and_custom_headers, custom_headers
cookie_security.custom_headers | Alphanumeric | Optional | The custom headers to be bound to the cookie if cookie_replay_protection_type ("Cookie Replay Protection Type") is set to custom_headers or IP_and_custom_headers.
cookie_security.secure_cookie | String | Optional | Determines whether cookies are allowed only when the client makes a secure HTTPS connection. The values include: yes, no
cookie_security.http_only | String | Optional | Determines whether the cookie security feature is enabled for HTTP cookies. The values include: yes, no
cookie_security.allow_unrecognized_cookies | Enumeration | Optional | Determines whether unrecognized cookies should be allowed. The enumerated values include: custom, always, never
cookie_security.days_allowed | Numeric | Optional | The number of days during which the Barracuda Web Application Firewall does not reject unrecognized cookies.
cookie_security.cookies_exempted | Alphanumeric | Optional | The names of the cookies to be exempted from the cookie security policy.
url_protection.enable | String | Optional | Determines whether to enforce URL protection. The values include: yes, no
url_protection.allowed_methods | Alphanumeric | Optional | The list of methods allowed in a request.
url_protection.allowed_content_types | String | Optional | The list of content types allowed in the POST body of a request.
url_protection.max_content_length | Numeric | Optional | The maximum content length allowed for a POST request body.
url_protection.max_parameters | Numeric | Optional | The maximum number of parameters allowed in a request.
url_protection.maximum_upload_files | Numeric | Optional | The maximum number of file-upload parameters allowed in a request.
url_protection.csrf_prevention | Enumeration | Optional | The Cross-Site Request Forgery (CSRF) prevention for forms and URLs. The enumerated values include: forms_and_urls, none, forms
url_protection.maximum_parameter_name_length | Numeric | Optional | The maximum length of a parameter name in a request.
url_protection.blocked_attack_types | Enumeration | Optional | The attack types to be matched in a request. The enumerated values include: cross_site_scripting, remote_file_inclusion, sql_injection_strict, sql_injection, os_command_injection, remote_file_inclusion_strict, os_command_injection_strict, cross_site_scripting_strict
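The update call takes the dotted parameter names from the table above as a nested JSON body. The following Python script is an added example, not Barracuda's own client code; it assumes the host and path prefix used in this page's curl examples (http://192.168.0.1:8000/restapi) and a placeholder token, and it reproduces what `curl -u 'TOKEN:'` does by sending HTTP Basic authentication with the token as the user name and an empty password. It converts a flat mapping of dotted names into the nested JSON form, rejects values outside the enumerations and yes/no values documented in the table before anything is sent, and builds the PUT request without transmitting it, so the request can be inspected (or unit-tested) offline.

```python
import base64
import json
import urllib.request

# Host and prefix taken from the curl examples on this page; adjust for your appliance.
BASE_URL = "http://192.168.0.1:8000/restapi"

# Enumerated values exactly as listed in the Updating a Security Policy table.
ENUMS = {
    "cookie_security.tamper_proof_mode": {"signed", "encrypted", "none"},
    "cookie_security.cookie_replay_protection_type": {
        "none", "IP", "IP_and_custom_headers", "custom_headers"},
    "cookie_security.allow_unrecognized_cookies": {"custom", "always", "never"},
    "url_protection.csrf_prevention": {"forms_and_urls", "none", "forms"},
}
# Parameters the table documents as taking only "yes" or "no".
YES_NO = {
    "request_limits.enable", "cookie_security.secure_cookie",
    "cookie_security.http_only", "url_protection.enable",
}


def nest(flat):
    """Turn {'request_limits.max_url_length': '2048'} into the nested JSON request form."""
    nested = {}
    for dotted, value in flat.items():
        node = nested
        *parents, leaf = dotted.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return nested


def validate(flat):
    """Return a list of problems for values outside the documented enumerations."""
    errors = []
    for dotted, value in flat.items():
        if dotted in ENUMS and value not in ENUMS[dotted]:
            errors.append(f"{dotted}: {value!r} not in {sorted(ENUMS[dotted])}")
        elif dotted in YES_NO and value not in {"yes", "no"}:
            errors.append(f"{dotted}: expected 'yes' or 'no', got {value!r}")
    return errors


def build_update_request(policy_id, flat, token):
    """Build (but do not send) PUT /v1/security_policies/{policy_id} with a nested JSON body."""
    errors = validate(flat)
    if errors:
        raise ValueError("; ".join(errors))
    body = json.dumps(nest(flat)).encode()
    # Equivalent of curl -u 'TOKEN:' : Basic auth, token as user, empty password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    return urllib.request.Request(
        f"{BASE_URL}/v1/security_policies/{policy_id}",
        data=body,
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {cred}"},
    )


def send(req, opener=None):
    """Transmit a prepared request and return the parsed JSON response."""
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    changes = {
        "cookie_security.secure_cookie": "yes",
        "cookie_security.http_only": "yes",
        "cookie_security.tamper_proof_mode": "encrypted",
        "request_limits.max_url_length": "2048",
    }
    req = build_update_request("new_policy", changes, "TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # send(req)  # uncomment against a real appliance; prints the policy id and a fresh token
```

Note that the GET responses on this page render some booleans as "1"/"0", whereas the update table documents "yes"/"no"; the validator enforces the documented PUT spelling, so copying a retrieved value straight back into an update is caught before the call is made.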