Overview: Blocking response pages

The Application Security Manager has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. The system also has a login response page for login violations. You can change the way the system responds to blocked logins or blocked requests.

The system issues response pages only when the enforcement mode is set to Blocking. A security policy can respond to blocked requests in these ways:

  • Default response

  • Custom response

  • Redirect URL

The system uses default pages in response to a blocked request or blocked login. If the default pages are acceptable, you do not need to change them and they work automatically. However, if you want to customize the response or include AJAX formatting in the blocking responses, you need to enable the blocking behavior first.

All default response pages contain the variable <%TS.request.ID()%>, which the WAF replaces with a support ID number when it issues the page. Customers can quote the support ID to identify the blocked request when making inquiries.

Adding AJAX blocking and login response behavior

Normal policy blocking and login response behavior could interfere with applications that use AJAX. If you want to display a message or redirect traffic without interfering with the user experience while browsing to an AJAX-featured web application, you need to enable AJAX blocking behavior (JavaScript injection). You can implement blocking and login response behavior for applications that use AJAX with JSON or XML for data transfer.

You can implement AJAX blocking behavior only for applications developed using one of the following frameworks:

  • Microsoft ASP.NET

  • jQuery

  • Prototype

  • MooTools

By default, once AJAX blocking behavior is enabled, an AJAX request that results in a violation set to Block receives the default AJAX response page action. The system presents a login response if the application user sends an AJAX request that attempts to directly access a URL that should only be accessed after logging in.
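The following is an added example, not code from F5 or from the BIG-IP Next documentation. It illustrates two points from the text above: the <%TS.request.ID()%> variable that the WAF substitutes with a support ID when it issues a response page, and what an AJAX client can do when one of its requests is answered with a blocking page instead of the JSON it expected, so that the block does not silently break the application's flow. Two details are assumptions rather than statements from the page: that the rendered blocking page carries the phrase "Your support ID is: <digits>", and that a blocked AJAX call shows up to the application as a text/html body where application/json was expected. The template and the sample responses are constructed for this example, and renderBlockingPage is a stand-in for the WAF's own rendering, not a copy of it.

```javascript
// Added example (not F5's code). Shows the support-ID variable from a
// blocking response page and a client-side handler for blocked AJAX calls.
//
// Assumptions (not stated on the page):
//  - the rendered blocking page contains "Your support ID is: <digits>";
//  - a blocked AJAX call is recognised by receiving text/html where the
//    application expected application/json.
// All templates and responses below are constructed for this example.

const SUPPORT_ID_VAR = /<%TS\.request\.ID\(\)%>/g;
const SUPPORT_ID_RE = /support ID is:?\s*([0-9]+)/i;

// A custom response page template of the kind the text describes.
// (Constructed; the real template is whatever the policy holds.)
const CUSTOM_BLOCK_TEMPLATE =
  '<html><body><h1>Request rejected</h1>' +
  '<p>Your support ID is: <%TS.request.ID()%></p></body></html>';

// Stand-in for the substitution the WAF performs when it issues the page.
function renderBlockingPage(template, supportId) {
  return template.replace(SUPPORT_ID_VAR, String(supportId));
}

// Pulls the support ID out of a rendered blocking page, or returns null.
function extractSupportId(body) {
  const m = SUPPORT_ID_RE.exec(body);
  return m ? m[1] : null;
}

// Decides how an AJAX client should treat a response. A JSON endpoint that
// answers with an HTML body carrying a support ID is treated as a WAF
// block; the ID is kept so the user can quote it to the help desk.
function classifyAjaxResponse(resp) {
  const type = (resp.contentType || '').toLowerCase();
  if (type.startsWith('application/json')) {
    try {
      return { kind: 'data', data: JSON.parse(resp.body), supportId: null };
    } catch (e) {
      return { kind: 'unexpected', data: null, supportId: null };
    }
  }
  const supportId = extractSupportId(resp.body || '');
  if (type.startsWith('text/html') && supportId !== null) {
    return { kind: 'blocked', data: null, supportId };
  }
  return { kind: 'unexpected', data: null, supportId };
}

// The message the application shows instead of letting the HTML block page
// land in code that expected JSON.
function userMessage(result) {
  switch (result.kind) {
    case 'blocked':
      return 'This request was rejected. Quote support ID ' +
        result.supportId + ' when contacting support.';
    case 'data':
      return 'ok';
    default:
      return 'The server returned an unexpected response.';
  }
}

// Constructed sample responses: one normal JSON reply, one WAF block.
const SAMPLE_OK = { contentType: 'application/json', body: '{"items":[1,2,3]}' };
const SAMPLE_BLOCKED = {
  contentType: 'text/html',
  body: renderBlockingPage(CUSTOM_BLOCK_TEMPLATE, '1234567890'),
};

function demo() {
  return [SAMPLE_OK, SAMPLE_BLOCKED].map(function (r) {
    return userMessage(classifyAjaxResponse(r));
  });
}

console.log(demo().join('\n'));
```

Running the block prints "ok" for the JSON reply and the rejection message with the constructed support ID for the blocked one; in a real application the classify step would sit in the AJAX error/response path of the framework in use.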

Response page management in BIG-IP Next Central Manager’s Policy Editor