security http profile(1) BIG-IP TMSH Manual security http profile(1)
NAME
profile - Configures an HTTP security profile.
MODULE
security http
SYNTAX
Configure the profile component within the security http module using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
[case-sensitive | case-insensitive]
defaults-from [[name] | none]
description [[string] | none]
evasion-techniques {
options:
alarm [disabled | enabled]
block [disabled | enabled]
}
file-types {
options:
alarm [disabled | enabled]
[allowed | disallowed]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
http-rfc {
options:
alarm [disabled | enabled]
bad-host-header [disabled | enabled]
bad-version [disabled | enabled]
block [disabled | enabled]
body-in-get-head [disabled | enabled]
chunked-with-content-length [disabled | enabled]
content-length-is-positive [disabled | enabled]
header-name-without-value [disabled | enabled]
high-ascii-in-headers [disabled | enabled]
host-header-is-ip [disabled | enabled]
maximum-headers [[integer] | disabled]
null-in-body [disabled | enabled]
null-in-headers [disabled | enabled]
post-with-zero-length [disabled | enabled]
several-content-length [disabled | enabled]
unparsable-content [disabled | enabled]
}
mandatory-headers {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
maximum-length {
options:
alarm [disabled | enabled]
block [disabled | enabled]
post-data [[integer] | any]
query-string [[integer] | any]
request [[integer] | any]
uri [[integer] | any]
}
methods {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
response {
options:
body [[string] | none]
headers [[new line separated headers] | none]
type [custom | default | redirect | soap-fault]
url [[string] | none]
}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete an HTTP security profile for use with HTTP Protocol
Security functionality.
EXAMPLES
create profile my_http_profile defaults-from http_security
Creates a custom HTTP security profile named my_http_profile that inherits its settings from the system default HTTP
security profile.
list profile
Displays the properties of all HTTP security profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
profile. Only the application service can modify or delete the profile.
[case-sensitive | case-insensitive]
Specifies whether the security profile treats file types as case sensitive, or not. The default value is case-
sensitive. Note: You can set either property only when you create the profile; thereafter it is read only. If the
security profile is case insensitive, the system stores file types in lowercase in the security profile configuration.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values
from the parent profile specified. The default value is none.
description
User defined description.
evasion-techniques
Specifies what action the system takes when it detects an evasion technique. Evasion techniques are methods used by
attackers to avoid detection of their attack. You can configure the following options for evasion technique checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it in the Protocol Security
Statistics screen whenever the system detects an evasion technique. The default value is enabled.
block
Specifies, when enabled, that the system stops requests whenever the system detects an evasion technique. The
default value is disabled.
file-types
Specifies which file types the security profile considers legal, and specifies what action the system takes when it
detects a request for an illegal file type. You can configure the following options for file types:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol Security
Statistics screen whenever the system detects a request for an illegal file type. The default value is enabled.
[allowed | disallowed]
Indicates whether the values property lists file types that the security profile permits or prohibits. Note: For
each security profile you may define either allowed file types or disallowed file types.
block
Specifies, when enabled, that the system stops requests for an illegal file type. The default value is disabled.
values
Adds, deletes, or replaces a set of file types considered either legal or illegal by the security profile. You
can either select an available file-type or add a new one.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
http-rfc
Specifies which validations the system should check and what action the system takes when it detects a request that is
not formatted properly. You can configure the following options for HTTP protocol checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it in the Protocol Security
Statistics screen whenever a request fails one of the enabled HTTP protocol checks. The default value is enabled.
bad-host-header
Specifies, when enabled, that the system inspects requests to see whether they contain a non RFC compliant header
value. The default value is enabled.
bad-version
Specifies, when enabled, that the system inspects requests to see whether the client uses HTTP protocol version
1.0 or higher. The default value is enabled.
block
Specifies, when enabled, that the system stops requests whenever a request fails one of the enabled HTTP protocol
checks. The default value is disabled.
body-in-get-head
Specifies, when enabled, that the system examines requests that use the HEAD or GET methods to see whether the
requests contain data in their bodies, which is considered illegal. The default value is disabled.
chunked-with-content-length
Specifies, when enabled, that the system examines chunked requests for a content-length header, which is not
permitted. The default value is enabled.
content-length-is-positive
Specifies, when enabled, that the system examines requests to see whether their content length value is greater
than zero. The default value is enabled.
header-name-without-value
Specifies, when enabled, that the system checks requests for valueless header names, which are considered
illegal. The default value is enabled.
high-ascii-in-headers
Specifies, when enabled, that the system inspects request headers for ASCII characters greater than 127, which
are not permitted. The default value is disabled.
host-header-is-ip
Specifies, when enabled, that the system verifies that the request's host header value is not an IP address. The
default value is disabled.
maximum-headers
Specifies whether the system compares the number of headers in the requests against the maximum number, and if
so, how many headers are allowed. The default value is a maximum of 20 headers.
null-in-body
Specifies, when enabled, that the system inspects request bodies to see whether they contain a Null character,
which is not allowed. The default value is disabled.
null-in-headers
Specifies, when enabled, that the system inspects request headers to see whether they contain a Null character,
which is not allowed. The default value is enabled.
post-with-zero-length
Specifies, when enabled, that the system examines POST method requests that lack a content-length header, or whose
content length is 0. The default value is disabled.
several-content-length
Specifies, when enabled, that the system examines each request to see whether it has more than one content-length
header, which is considered illegal. The default value is enabled.
unparsable-content
Specifies, when enabled, that the system examines requests for content that the system cannot parse, which is not
permitted. The default value is enabled.
mandatory-headers
Specifies which headers must appear in requests, and specifies what action the system takes when it detects a request
without a mandatory header. You can configure the following options for mandatory headers:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol Security
Statistics screen whenever a request does not include a mandatory header. The default value is enabled.
block
Specifies, when enabled, that the system stops requests that do not include a mandatory header. The default value
is disabled.
values
Adds, deletes, or replaces a set of headers that must appear in requests to be considered legal by the security
profile. You can either select an available mandatory-header or add a new one. Note: The system stores mandatory
headers in lowercase in the security profile configuration, regardless of whether it is case sensitive or not.
maximum-length
Specifies the default maximum length settings that the security profile considers legal, and specifies what action the
system should take when it detects a request using an illegal length. You can configure the following options for
length checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol Security
Statistics screen whenever a request fails one of the length checks. The default value is enabled.
block
Specifies, when enabled, that the system stops requests that fail one of the length checks. The default value is
disabled.
post-data
Indicates whether there is a maximum acceptable length, in bytes, for the POST data portion of a request, and if
so, specifies it. The default value is any (no restriction).
query-string
Indicates whether there is a maximum acceptable length, in bytes, for the query string portion of a request, and
if so, specifies it. The default value is 1024 bytes.
request
Indicates whether there is a maximum acceptable length, in bytes, of a request, and if so, specifies it. The
default value is any (no restriction).
uri Indicates whether there is a maximum acceptable length, in bytes, for a URL, and if so, specifies it. The default
value is 1024 bytes.
methods
Specifies which HTTP methods the security profile considers legal, and specifies what action the system takes when it
detects a request using an illegal method. You can configure the following options for methods:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol Security
Statistics screen whenever a request uses an illegal method. The default value is enabled.
block
Specifies, when enabled, that the system stops requests that use an illegal method. The default value is
disabled.
values
Adds, deletes, or replaces a set of HTTP methods considered legal by the security profile. You can either select
an available asm http-method or add a new one. Note: HTTP methods are case sensitive even if the security profile
is case insensitive.
name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
response
Specifies information to display when the security profile blocks a client request. You can configure the following
options for blocking page:
body Specifies the HTML code the system sends to the client in response to an illegal blocked request. You can edit
this text only if the response type is custom.
headers
Specifies the set of response headers that the system sends to the client in response to an illegal blocked
request. You can edit this text only if the response type is custom. Separate each header with a new line
(Ctrl-V followed by Ctrl-J).
type Specifies which content, or URL, the system sends to the client in response to an illegal blocked request.
custom
Specifies a modified response text. You can edit the response header and HTML code in the properties headers
and body.
default
Specifies the system-supplied response text written in HTML. You cannot edit that text. This is the default
value.
redirect
Specifies that the system redirects the user to a specific web page instead of displaying a blocking page. You
can set the redirect web page in the url property.
soap-fault
Specifies the system-supplied response written in SOAP fault message structure. You cannot edit that text.
Use this type when a SOAP request is blocked due to an XML related violation.
url Specifies the particular URL to which the system redirects the user. You can edit this text only if the response
type is redirect. The web page should include a full URL path, for example, http://www.myredirectpage.com.
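The following is an added worked example, not taken from the F5 manual, that builds a blocking profile on top of the system parent using the options described above. It is run from the tmsh root (drop the leading "security http" when you are already inside that module); the profile name, file types, length limits and redirect URL are constructed for illustration.

```tmsh
# Added example (not from the F5 manual). Assumes the tmsh root prompt.
# The parent http_security alarms only: block is disabled everywhere and
# request/post-data lengths are unrestricted ("any"). Case sensitivity can
# only be chosen at create time, so it is set here.
create security http profile hardened_http defaults-from http_security case-insensitive description "constructed example: block, not just alarm"

# Evasion-technique and RFC checks: turn blocking on and enable the checks
# that default to disabled; cap the header count below the default of 20.
modify security http profile hardened_http evasion-techniques {
    alarm enabled
    block enabled
} http-rfc {
    alarm enabled
    block enabled
    body-in-get-head enabled
    host-header-is-ip enabled
    high-ascii-in-headers enabled
    null-in-body enabled
    post-with-zero-length enabled
    maximum-headers 16
}

# Allowlists. File types are lowercased because the profile is case-insensitive;
# methods remain case sensitive regardless, so they are written in upper case.
modify security http profile hardened_http methods {
    alarm enabled
    block enabled
    values replace-all-with { GET POST HEAD }
} file-types {
    allowed
    alarm enabled
    block enabled
    values replace-all-with { json html css js png }
}

# Length limits: replace "any" with explicit byte caps (constructed values).
modify security http profile hardened_http maximum-length {
    alarm enabled
    block enabled
    uri 2048
    query-string 1024
    post-data 1048576
    request 1100000
} mandatory-headers {
    alarm enabled
    block enabled
    values replace-all-with { host }
} response {
    type redirect
    url https://www.example.com/blocked.html
}

# Show only what differs from the parent, then persist the change.
list security http profile hardened_http non-default-properties
save sys config
```

Blocking is enabled in every section here, so review the Protocol Security Statistics screen for alarm hits on a copy of the profile with block left disabled before attaching the blocking version to a virtual server.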
SEE ALSO
asm http-method, create, delete, edit, glob, list, ltm virtual, modify, regex, security, security http,
security http file-type, security http mandatory-header, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.
BIG-IP 2017-05-24 security http profile(1)