Overview: Data Guard
Data Guard is a security feature that can be used to prevent the leakage of sensitive information from an application, such as credit card numbers (CCNs) or Social Security numbers (SSNs). Once this feature is enabled, sensitive data is either blocked or masked, depending on the configuration. Enabling Data Guard therefore helps meet the GDPR and PCI DSS requirements for securing personal and credit card data.
How Data Guard protects sensitive data
In some web applications, a response may contain sensitive user information, such as credit card numbers or U.S. Social Security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans the text in responses looking for the types of sensitive information that you specify.
When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting; otherwise, when the system returns a response, sensitive data could be exposed to the client.
Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data. The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).
Response headers that Data Guard inspects
Data Guard examines responses that have the following content-type headers:
“text/…”
“application/x-shockwave-flash”
“application/sgml”
“application/x-javascript”
“application/xml”
“application/x-asp”
“application/x-aspx”
“application/xhtml+xml”
You can configure one additional user-defined response content-type using the system variable user_defined_accum_type.
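The following Python program is an added, self-contained model of the behaviour described in the two sections above (masking built-in CCN/SSN patterns plus custom PCRE-style patterns, honouring exception patterns and a URL list, blocking responses that carry file content, and only inspecting the listed content types plus one user-defined type). It is not F5's code and does not reproduce F5's internal detection patterns: the SSN and card regexes, the Luhn check, the magic-byte table, the order in which checks are applied, and the sample response body are all constructed assumptions made for illustration. Its value for a defender is showing why each knob exists: the Luhn check and exception patterns suppress false positives, the URL list scopes enforcement, and the content-type list explains why a response served as, say, application/json is not scrubbed unless user_defined_accum_type is set.

```python
"""Toy model of Data Guard style response scrubbing (constructed example, not F5 code)."""
import re
from typing import List, Optional, Tuple

# Content types the page says Data Guard inspects. "text/..." is a prefix match.
INSPECTED_EXACT = {
    "application/x-shockwave-flash", "application/sgml", "application/x-javascript",
    "application/xml", "application/x-asp", "application/x-aspx", "application/xhtml+xml",
}

# Magic bytes for the file kinds the page says Data Guard can block (assumed table).
# Office: legacy OLE compound files only; modern .docx/.xlsx are ZIP containers and
# are not distinguished from other ZIPs here.
FILE_SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xfe\xed\xfa\xce": "mach-o", b"\xfe\xed\xfa\xcf": "mach-o",
    b"\xce\xfa\xed\xfe": "mach-o", b"\xcf\xfa\xed\xfe": "mach-o",
    b"\xca\xfe\xba\xbe": "mach-o",  # fat/universal binary
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ms-office",
}

# Built-in detectors: constructed approximations, not F5's internal patterns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CCN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate (cuts false positives)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def should_inspect(content_type: str, user_defined_type: str = "") -> bool:
    """Content-type gate; user_defined_type models the user_defined_accum_type variable."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media.startswith("text/") or media in INSPECTED_EXACT:
        return True
    return bool(user_defined_type) and media == user_defined_type.lower()


def detect_file_content(body: bytes) -> Optional[str]:
    """Return the file kind if the body starts with a known signature, else None."""
    for magic, kind in FILE_SIGNATURES.items():
        if body.startswith(magic):
            return kind
    return None


def scrub(body: str, custom_patterns=(), exceptions=()) -> Tuple[str, List[str]]:
    """Mask CCNs, SSNs and custom patterns with asterisks; skip matches inside exceptions."""
    exception_spans = [m.span() for pat in exceptions for m in re.finditer(pat, body)]
    detectors = [("ssn", SSN_RE), ("ccn", CCN_RE)]
    detectors += [("custom", re.compile(p)) for p in custom_patterns]
    hits = []
    for kind, rx in detectors:
        for m in rx.finditer(body):
            if kind == "ccn" and not luhn_ok(m.group()):
                continue  # digit run that is not a plausible card number (e.g. an order id)
            if any(s <= m.start() and m.end() <= e for s, e in exception_spans):
                continue  # covered by an exception pattern, so not considered sensitive
            hits.append((m.start(), m.end(), kind))
    out = body
    for start, end, _ in sorted(hits, reverse=True):  # mask from the end to keep offsets valid
        out = out[:start] + "*" * (end - start) + out[end:]
    return out, sorted({kind for _, _, kind in hits})


def filter_response(url: str, content_type: str, body: bytes, url_patterns=(),
                    custom_patterns=(), exceptions=(), user_defined_type="") -> dict:
    """Decide pass / mask / block for one response. Check order is an assumption."""
    if url_patterns and not any(re.search(p, url) for p in url_patterns):
        return {"action": "pass", "body": body, "reason": "url not enforced"}
    kind = detect_file_content(body)
    if kind:  # file content checking applies whatever the declared content type
        return {"action": "block", "body": b"", "reason": "file content: " + kind}
    if not should_inspect(content_type, user_defined_type):
        return {"action": "pass", "body": body, "reason": "content-type not inspected"}
    masked, kinds = scrub(body.decode("utf-8", errors="replace"), custom_patterns, exceptions)
    if kinds:
        return {"action": "mask", "body": masked.encode(), "reason": "leak: " + ",".join(kinds)}
    return {"action": "pass", "body": body, "reason": "clean"}


# Constructed sample response: a Luhn-valid test card number, an SSN, a non-card digit
# run, a custom account id, and a placeholder SSN that an exception pattern whitelists.
SAMPLE_HTML = (b"<p>Card 4111 1111 1111 1111 exp 12/26, SSN 123-45-6789, "
               b"order 1234567890123, acct ACCT-12345678, test SSN 000-00-0000</p>")

if __name__ == "__main__":
    result = filter_response("/account/summary", "text/html; charset=utf-8", SAMPLE_HTML,
                             url_patterns=[r"^/account/"], custom_patterns=[r"\bACCT-\d{8}\b"],
                             exceptions=[r"\b000-00-0000\b"])
    print(result["action"], result["reason"])
    print(result["body"].decode())
```

Running the script masks the card number, the real SSN and the custom account id, leaves the 13-digit order id alone because it fails the Luhn check, and leaves the 000-00-0000 placeholder alone because of the exception pattern. Note that masking keeps the response body the same length, which is one reason such scrubbing is cheap to apply inline.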