security http profile
security http profile(1) BIG-IP TMSH Manual security http profile(1)
NAME
profile - Configures an HTTP security profile.
MODULE
security http
SYNTAX
Configure the profile component within the security http module using the syntax shown in the following
sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
[case-sensitive | case-insensitive]
defaults-from [[name] | none]
description [[string] | none]
evasion-techniques {
options:
alarm [disabled | enabled]
block [disabled | enabled]
}
file-types {
options:
alarm [disabled | enabled]
[allowed | disallowed]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
http-rfc {
options:
alarm [disabled | enabled]
bad-host-header [disabled | enabled]
bad-version [disabled | enabled]
block [disabled | enabled]
body-in-get-head [disabled | enabled]
chunked-with-content-length [disabled | enabled]
content-length-is-positive [disabled | enabled]
header-name-without-value [disabled | enabled]
high-ascii-in-headers [disabled | enabled]
host-header-is-ip [disabled | enabled]
maximum-headers [[integer] | disabled]
null-in-body [disabled | enabled]
null-in-headers [disabled | enabled]
post-with-zero-length [disabled | enabled]
several-content-length [disabled | enabled]
unparsable-content [disabled | enabled]
}
mandatory-headers {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
maximum-length {
options:
alarm [disabled | enabled]
block [disabled | enabled]
post-data [[integer] | any]
query-string [[integer] | any]
request [[integer] | any]
uri [[integer] | any]
}
methods {
options:
alarm [disabled | enabled]
block [disabled | enabled]
values [add | delete | none | replace-all-with] { [string] ... }
}
response {
options:
body [[string] | none]
headers [[new line separated headers] | none]
type [custom | default | redirect | soap-fault]
url [[string] | none]
}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete an HTTP security profile for use with
HTTP Protocol Security functionality.
EXAMPLES
create profile my_http_profile defaults-from http_security
Creates a custom HTTP security profile named my_http_profile that inherits its settings from the system default
HTTP security profile.
list profile
Displays the properties of all HTTP security profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the profile. Only the application service can modify or delete the profile.
[case-sensitive | case-insensitive]
Specifies whether the security profile treats file types as case sensitive. The default value is
case-sensitive. Note: You can set either property only when you create the profile; thereafter it is read
only. If the security profile is case insensitive, the system stores file types in lowercase in the
security profile configuration.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
and values from the parent profile specified. The default value is none.
description
User defined description.
evasion-techniques
Specifies what action the system takes when it detects an evasion technique. Evasion techniques are
methods used by attackers to avoid detection of their attack. You can configure the following options for
evasion technique checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it in the Protocol
Security Statistics screen whenever the system detects an evasion technique. The default value is
enabled.
block
Specifies, when enabled, that the system stops requests whenever the system detects an evasion
technique. The default value is disabled.
file-types
Specifies which file types the security profile considers legal, and specifies what action the system
takes when it detects a request for an illegal file type. You can configure the following options for
file types:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol
Security Statistics screen whenever the system detects a request for an illegal file type. The
default value is enabled.
[allowed | disallowed]
Indicates whether the values property lists file types that the security profile permits or
prohibits. Note: For each security profile you may define either allowed file types or disallowed
file types.
block
Specifies, when enabled, that the system stops requests for an illegal file type. The default value
is disabled.
values
Adds, deletes, or replaces a set of file types considered either legal or illegal by the security
profile. You can either select an available file-type or add a new one.
glob
Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
http-rfc
Specifies which validations the system should check and what action the system takes when it detects a
request that is not formatted properly. You can configure the following options for HTTP protocol checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it in the Protocol
Security Statistics screen whenever a request fails one of the enabled HTTP protocol checks. The
default value is enabled.
bad-host-header
Specifies, when enabled, that the system inspects requests to see whether they contain a non-RFC-compliant
Host header value. The default value is enabled.
bad-version
Specifies, when enabled, that the system inspects requests to verify that they use HTTP protocol version
1.0 or higher. The default value is enabled.
block
Specifies, when enabled, that the system stops requests whenever a request fails one of the enabled HTTP
protocol checks. The default value is disabled.
body-in-get-head
Specifies, when enabled, that the system examines requests that use the HEAD or GET methods to see
whether the requests contain data in their bodies, which is considered illegal. The default value is
disabled.
chunked-with-content-length
Specifies, when enabled, that the system examines chunked requests for a content-length header,
which is not permitted. The default value is enabled.
content-length-is-positive
Specifies, when enabled, that the system examines requests to see whether their content length value
is greater than zero. The default value is enabled.
header-name-without-value
Specifies, when enabled, that the system checks requests for valueless header names, which are
considered illegal. The default value is enabled.
high-ascii-in-headers
Specifies, when enabled, that the system inspects request headers for ASCII characters greater than
127, which are not permitted. The default value is disabled.
host-header-is-ip
Specifies, when enabled, that the system verifies that the request's host header value is not an IP
address. The default value is disabled.
maximum-headers
Specifies whether the system compares the number of headers in the requests against the maximum
number, and if so, how many headers are allowed. The default value is a maximum of 20 headers.
null-in-body
Specifies, when enabled, that the system inspects request bodies to see whether they contain a Null
character, which is not allowed. The default value is disabled.
null-in-headers
Specifies, when enabled, that the system inspects request headers to see whether they contain a Null
character, which is not allowed. The default value is enabled.
post-with-zero-length
Specifies, when enabled, that the system examines POST requests for a missing content-length header or a
content length of 0. The default value is disabled.
several-content-length
Specifies, when enabled, that the system examines each request to see whether it has more than one
content-length header, which is considered illegal. The default value is enabled.
unparsable-content
Specifies, when enabled, that the system examines requests for content that the system cannot parse,
which is not permitted. The default value is enabled.
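The following Python model of the http-rfc checks is an added illustration and is not part of the BIG-IP manual or F5 code. The Request class, the per-check predicates, the sample requests and the "alarm"/"block" verdict function are assumptions constructed to show what each check catches; bad-host-header and unparsable-content are omitted because their exact criteria are not specified here, and the content-length-is-positive predicate lets a literal 0 through on the assumption that post-with-zero-length covers that case.

```python
"""Added illustration of the http-rfc checks (hypothetical model, not F5 code).

Each check is a predicate over a parsed request that returns True when the
request violates it; the profile's alarm/block settings then decide the action.
Defaults mirror the man page: alarm enabled, block disabled, maximum-headers 20.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:                       # hypothetical parsed-request shape
    method: str
    uri: str
    version: str                     # e.g. "HTTP/1.1"
    headers: list = field(default_factory=list)   # (name, value) pairs, order kept
    body: bytes = b""
    chunked: bool = False            # True when Transfer-Encoding: chunked was present


def _header_values(req, name):
    return [v for n, v in req.headers if n.lower() == name.lower()]


def _is_ip(host):
    host = host.strip()
    if host.startswith("["):                     # [IPv6]:port form
        host = host[1:host.index("]")] if "]" in host else host[1:]
    else:
        host = host.split(":")[0]                # drop :port
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _version_ok(version):
    # bad-version: only HTTP/1.0 or higher is accepted
    try:
        name, number = version.split("/")
        parts = number.split(".")
        major, minor = int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)
    except (ValueError, IndexError):
        return False
    return name == "HTTP" and (major, minor) >= (1, 0)


def _content_length_ok(req):
    # content-length-is-positive; assumption: 0 is left to post-with-zero-length,
    # so only non-numeric or negative values fail here
    return all(v.strip().lstrip("-").isdigit() and int(v) >= 0
               for v in _header_values(req, "content-length"))


CHECKS = {
    "bad-version": lambda r: not _version_ok(r.version),
    "body-in-get-head": lambda r: r.method in ("GET", "HEAD") and len(r.body) > 0,
    "chunked-with-content-length": lambda r: r.chunked and bool(_header_values(r, "content-length")),
    "content-length-is-positive": lambda r: not _content_length_ok(r),
    "header-name-without-value": lambda r: any(v.strip() == "" for _, v in r.headers),
    "high-ascii-in-headers": lambda r: any(ord(c) > 127 for n, v in r.headers for c in n + v),
    "host-header-is-ip": lambda r: any(_is_ip(h) for h in _header_values(r, "host")),
    "null-in-body": lambda r: b"\x00" in r.body,
    "null-in-headers": lambda r: any("\x00" in n + v for n, v in r.headers),
    "post-with-zero-length": lambda r: r.method == "POST" and (
        not _header_values(r, "content-length")
        or _header_values(r, "content-length")[0].strip() == "0"),
    "several-content-length": lambda r: len(_header_values(r, "content-length")) > 1,
}

# Checks the man page lists as enabled by default; the others default to disabled.
DEFAULT_ENABLED = frozenset({
    "bad-version", "chunked-with-content-length", "content-length-is-positive",
    "header-name-without-value", "null-in-headers", "several-content-length",
})


def http_rfc_violations(req, enabled=DEFAULT_ENABLED, maximum_headers=20):
    """Names of the enabled checks the request fails; maximum_headers=None models 'disabled'."""
    found = [name for name in sorted(CHECKS) if name in enabled and CHECKS[name](req)]
    if maximum_headers is not None and len(req.headers) > maximum_headers:
        found.append("maximum-headers")
    return found


def verdict(violations, alarm=True, block=False):
    """Profile action: 'pass', 'alarm' (log only) or 'block'."""
    if not violations:
        return "pass"
    return "block" if block else ("alarm" if alarm else "pass")


# Constructed sample requests (not captured traffic).
CLEAN = Request("GET", "/index.html", "HTTP/1.1",
                [("Host", "www.example.com"), ("Accept", "*/*")])
# Conflicting length framing: two Content-Length headers plus chunked encoding.
DOUBLE_CL = Request("POST", "/upload", "HTTP/1.1",
                    [("Host", "www.example.com"), ("Content-Length", "5"),
                     ("Content-Length", "13"), ("Transfer-Encoding", "chunked")],
                    body=b"hello", chunked=True)
IP_HOST = Request("GET", "/", "HTTP/1.1", [("Host", "192.0.2.10:8080"), ("X-Empty", "")])

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("double-cl", DOUBLE_CL), ("ip-host", IP_HOST)):
        v = http_rfc_violations(req)
        print(name, v, verdict(v), verdict(v, block=True))
```

Running the module with the page's defaults reports no violations for the clean request, two for the conflicting-length request (alarm only until block is enabled on the http-rfc section) and, for the IP-host request, only the empty header; host-header-is-ip fires only once it is added to the enabled set, matching its disabled default.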
mandatory-headers
Specifies which headers must appear in requests, and specifies what action the system takes when it
detects a request without a mandatory header. You can configure the following options for mandatory
headers:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol
Security Statistics screen whenever a request does not include a mandatory header. The default value
is enabled.
block
Specifies, when enabled, that the system stops requests that do not include a mandatory header. The
default value is disabled.
values
Adds, deletes, or replaces a set of headers that must appear in requests to be considered legal by
the security profile. You can either select an available mandatory-header or add a new one. Note:
The system stores mandatory headers in lowercase in the security profile configuration, regardless
of whether the profile is case sensitive.
maximum-length
Specifies the default maximum length settings that the security profile considers legal, and specifies
what action the system should take when it detects a request using an illegal length. You can configure
the following options for length checks:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol
Security Statistics screen whenever a request fails one of the length checks. The default value is
enabled.
block
Specifies, when enabled, that the system stops requests that fail one of the length checks. The
default value is disabled.
post-data
Indicates whether there is a maximum acceptable length, in bytes, for the POST data portion of a
request, and if so, specifies it. The default value is any (no restriction).
query-string
Indicates whether there is a maximum acceptable length, in bytes, for the query string portion of a
request, and if so, specifies it. The default value is 1024 bytes.
request
Indicates whether there is a maximum acceptable length, in bytes, of a request, and if so, specifies
it. The default value is any (no restriction).
uri
Indicates whether there is a maximum acceptable length, in bytes, for a URL, and if so, specifies
it. The default value is 1024 bytes.
methods
Specifies which HTTP methods the security profile considers legal, and specifies what action the system
takes when it detects a request using an illegal method. You can configure the following options for
methods:
alarm
Specifies, when enabled, that the system logs the request data and displays it on the Protocol
Security Statistics screen whenever a request uses an illegal method. The default value is enabled.
block
Specifies, when enabled, that the system stops requests that use an illegal method. The default
value is disabled.
values
Adds, deletes, or replaces a set of HTTP methods considered legal by the security profile. You can
either select an available asm http-method or add a new one. Note: HTTP methods are case sensitive
even if the security profile is case insensitive.
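The following Python model of the file-types, mandatory-headers, maximum-length and methods checks is an added illustration and is not part of the BIG-IP manual or F5 code. The Profile and Request classes, the sample profile and requests, and the violation names are assumptions; so is the reading that a request's file type is the extension of the last path segment, that the uri limit applies to the path and the query-string limit to the query, and that None stands for the "any" setting. The method list has no default here because the page does not state one.

```python
"""Added illustration of the file-types, mandatory-headers, maximum-length and
methods checks (hypothetical model, not F5 code).

A Profile holds the same settings the tmsh options carry, with the case rules
from the man page: file types follow the profile's case setting, mandatory
headers are stored lowercase regardless, and HTTP methods are always case
sensitive.  None models the 'any' (no limit) length setting.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:                       # hypothetical parsed-request shape
    method: str
    uri: str                         # request-target, e.g. "/a/b.php?x=1"
    headers: list = field(default_factory=list)   # (name, value) pairs
    body: bytes = b""
    raw_length: int = 0              # size of the whole request on the wire


@dataclass
class Profile:
    case_sensitive: bool = True
    file_types: set = field(default_factory=set)
    file_types_mode: str = "allowed"            # "allowed" or "disallowed"
    mandatory_headers: set = field(default_factory=set)
    methods: set = field(default_factory=set)   # the page gives no default list
    max_post_data: Optional[int] = None         # None models "any"
    max_query_string: Optional[int] = 1024      # page default
    max_request: Optional[int] = None
    max_uri: Optional[int] = 1024               # page default

    def __post_init__(self):
        if not self.case_sensitive:              # stored lowercase when case insensitive
            self.file_types = {t.lower() for t in self.file_types}
        # mandatory headers are stored lowercase whatever the case setting
        self.mandatory_headers = {h.lower() for h in self.mandatory_headers}


def _extension(uri):
    # assumption: the file type is the extension of the last path segment, "" if none
    last = urlsplit(uri).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1] if "." in last else ""


def _too_long(value, limit):
    return limit is not None and value > limit


def profile_violations(profile, req):
    """Return the names of the checks the request fails, in check order."""
    found = []
    if req.method not in profile.methods:        # methods: always case sensitive
        found.append("illegal-method")
    ext = _extension(req.uri)
    if not profile.case_sensitive:
        ext = ext.lower()
    listed = ext in profile.file_types
    if (profile.file_types_mode == "allowed") != listed:
        found.append("illegal-file-type")
    present = {n.lower() for n, _ in req.headers}   # header names compared case-insensitively
    for name in sorted(profile.mandatory_headers - present):
        found.append("missing-header:" + name)
    parts = urlsplit(req.uri)                    # assumption: uri = path, query-string = query
    if _too_long(len(parts.path), profile.max_uri):
        found.append("uri-too-long")
    if _too_long(len(parts.query), profile.max_query_string):
        found.append("query-string-too-long")
    if req.method == "POST" and _too_long(len(req.body), profile.max_post_data):
        found.append("post-data-too-long")
    if _too_long(req.raw_length, profile.max_request):
        found.append("request-too-long")
    return found


# Constructed sample profile: case insensitive, permits three file types, requires
# Host and User-Agent, allows GET and POST, caps query strings at 64 bytes.
PROFILE = Profile(case_sensitive=False, file_types={"HTML", "php", "css"},
                  mandatory_headers={"Host", "User-Agent"}, methods={"GET", "POST"},
                  max_query_string=64, max_post_data=1024)

# Constructed sample requests (not captured traffic).
OK_REQ = Request("GET", "/shop/Index.HTML?item=42",
                 [("host", "www.example.com"), ("User-Agent", "curl/8")], raw_length=120)
BAD_REQ = Request("put", "/cgi/backup.bak?" + "a" * 100,
                  [("Host", "www.example.com")], raw_length=300)

if __name__ == "__main__":
    print("ok ", profile_violations(PROFILE, OK_REQ))
    print("bad", profile_violations(PROFILE, BAD_REQ))
```

With this profile the mixed-case /shop/Index.HTML passes because the profile is case insensitive, while the same profile still rejects the lowercase method "put": methods stay case sensitive even when the profile is not, exactly the note given for the methods values option. A case-sensitive profile that lists only "php" rejects /x.PHP, which is the behaviour the case-sensitive setting above describes.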
name
Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
response
Specifies information to display when the security profile blocks a client request. You can configure the
following options for blocking page:
body
Specifies the HTML code the system sends to the client in response to an illegal blocked request.
You can edit this text only if the response type is custom.
headers
Specifies the set of response headers that the system sends to the client in response to an illegal
blocked request. You can edit this text only if the response type is custom. Separate each header
with a new line (Ctrl-V followed by Ctrl-J).
type
Specifies which content, or URL, the system sends to the client in response to an illegal blocked
request.
custom
Specifies a modified response text. You can edit the response header and HTML code in the
properties headers and body.
default
Specifies the system-supplied response text written in HTML. You cannot edit that text. This is
the default value.
redirect
Specifies that the system redirects the user to a specific web page instead of viewing a
blocking page. You can edit the redirect web page in the url property.
soap-fault
Specifies the system-supplied response written in SOAP fault message structure. You cannot edit
that text. Use this type when a SOAP request is blocked due to an XML related violation.
url
Specifies the particular URL to which the system redirects the user. You can edit this text only if
the response type is redirect. The web page should include a full URL path, for example,
http://www.myredirectpage.com.
SEE ALSO
asm http-method, create, delete, edit, glob, list, ltm virtual, modify, regex, security, security http,
security http file-type, security http mandatory-header, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.
BIG-IP 2017-05-24 security http profile(1)