Manage HTTP Methods
Overview
All security policies accept standard HTTP methods by default. If your web application uses HTTP methods other than the default allowed methods (default allowed methods vary according to your selected policy template), you can add them to the security policy. WAF treats any incoming HTTP request that uses an HTTP method other than an allowed method as an invalid request. The system ignores, learns, logs, or blocks the request depending on the settings configured for the Illegal Method violation.
Note: GET and POST methods are required and cannot be deleted. Other default allowed methods vary according to your selected policy template.
Prerequisites
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage policy HTTP methods
Manage allowed methods
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab, which lists the policy’s allowed HTTP methods.
To add an allowed method:
Click Create.
For the Method Type, select the type of method to allow:
Predefined - Select an HTTP method from a list provided in the Choose Method list.
Custom - Enter the name of an HTTP method under Method Name.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
To remove an allowed method:
Select the check box next to the method name.
Click Delete.
To confirm the action, click Delete. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Note: GET and POST are mandatory and cannot be removed.
Click Deploy to deploy changes.
Manage method violations
If a request includes an HTTP method that is not allowed by the policy, the request is illegal. You can manage how the WAF policy handles illegal methods when they are detected in traffic.
See Reference: Violation Protection for information about template default settings.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab, which lists the policy’s allowed HTTP methods.
Click Violations.
Select one of the following violation settings:
Check violation defaults per template.
Alarm - Sends an alert to the event log that the illegal method was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the illegal method.
Disabled - The policy does not enforce the Illegal Method violation.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
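The following is an added example, not part of the F5 documentation or product: before setting the Illegal Method violation to Alarm & Block, auditing existing access logs shows which methods the application actually uses and which would trigger the violation under a given allow-list. The Common Log Format input, the sample lines, the allow-list, and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (not taken from the page).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2025:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2025:10:01:25 +0000] "POST /api/orders HTTP/1.1" 201 312',
    '203.0.113.40 - - [12/Mar/2025:10:02:03 +0000] "PATCH /api/orders/17 HTTP/1.1" 200 298',
    '203.0.113.40 - - [12/Mar/2025:10:02:09 +0000] "PATCH /api/orders/18 HTTP/1.1" 200 301',
    '192.0.2.15 - - [12/Mar/2025:10:03:41 +0000] "PROPFIND / HTTP/1.1" 405 0',
    '192.0.2.15 - - [12/Mar/2025:10:03:44 +0000] "-" 400 0',
]

MANDATORY = {"GET", "POST"}  # per the page: required, cannot be deleted
# Violation settings named on the page, mapped to their effect on an illegal method.
SETTINGS = {"Alarm": "logged", "Alarm & Block": "logged and blocked",
            "Disabled": "not enforced"}
REQUEST_LINE = re.compile(r'"([^\s"]+) \S+ HTTP/\d(?:\.\d)?"')


def method_counts(lines):
    """Count the HTTP method of each log line; unparseable lines go under None."""
    counts = Counter()
    for line in lines:
        m = REQUEST_LINE.search(line)
        counts[m.group(1) if m else None] += 1
    return counts


def illegal_method_report(lines, allowed, setting):
    """Map each method outside the allow-list to (request count, outcome)."""
    if setting not in SETTINGS:
        raise ValueError(f"unknown violation setting: {setting!r}")
    allowed = set(allowed) | MANDATORY
    return {method: (n, SETTINGS[setting])
            for method, n in method_counts(lines).items()
            if method is not None and method not in allowed}


if __name__ == "__main__":
    policy_methods = ["GET", "POST", "HEAD"]  # hypothetical allow-list
    report = illegal_method_report(SAMPLE_LOG, policy_methods, "Alarm & Block")
    for method, (n, outcome) in report.items():
        print(f"{method}: {n} request(s) would be {outcome}")
```

Methods that appear in the report with legitimate traffic behind them are candidates to add as allowed methods before blocking is deployed; the rest are what the violation is meant to catch.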
Resources
Configure using API
Violation Settings
HTTP method management using the policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.