Create an Application Security Policy

1. Go to “Security > Application Security > Security Policies”

2. Click Create

3. Select Advanced View

4. Policy Name: asmpolicy_careX

5. Virtual Server: Select the virtual server you created in the previous tasks

6. Application Language: Unicode UTF-8 (Need to do this before Learning Mode)

7. Learning Mode: Manual

8. Server Technologies: Select Node.js

9. Signature Staging: Disabled (only for lab purposes, staging is recommended for production)

10. Click Create Policy

    

11. The API GW uses other HTTP Methods that are not included by default in the ASM Policy. Let’s add them. Go to “Security > Application Security > Headers > Methods” and click Create.

12. Select OPTIONS, then Create.

    

13. Repeat the process to add DELETE:

    

14. At this time we’ll not map all the parameters and URLs our web app has. So, we will just enforce the “*” parameter so our signatures can work.

    Go to “Security > Application Security > Parameters > Parameters List”

15. Mark the checkbox of the “*” parameter and click Enforce, then Ok.

16. Go to “Security > Application Security > URLs > Allowed URLs”

17. Select both, HTTP and HTTPS “*”

    

18. Click Enforce

19. By default, ASM shows an HTML blocking page when blocking a request. Since we are in front of the API Gateway, we need to proper respond the client with a JSON message. Go to “Security > Application Security > Policy > Response Pages”

20. Change the Response Type to “Custom Response”

21. Paste the content of BlockResponseBody.txt you have in your Desktop (Windows Jump Host)

    {
        "status": "error",
        "data": {
        "message": "The requested URL was rejected. Please consult with your
     administrator. Your support ID is: <%TS.request.ID()%>"
        }
     }
    

    

    

22. Click Save.

23. Click Apply Policy, then Ok.