Output Filter
The previous section of the Alert Logic Managed Web Application Firewall (WAF) documentation is Web Applications; the next section is Regular Expressions.
To access the Output filter section in the WAF management interface:
- On the left panel, under Services, click Websites.
- On the Websites page, click the website you want to manage.
- Under WAF, click Policy, and then scroll down to the Output filter section.
To see all settings on the Policy page, change the Display preset in the upper-right corner to Advanced.
Configuration changes are not stored until you save them properly: click Save in the lower-right corner of the section or page you are editing, then click Apply Changes in the upper-left corner of the page, and then click OK.
The Output filter section configures policies for rewriting the headers and body of server responses before they are sent to the client.
A typical web server discloses a lot of information about its version, installed software, operating system, and so on.
None of this information is needed for normal HTTP/HTTPS communication between clients and the web server. Attackers and worms, however, can use it to fingerprint the stack and craft more targeted attacks against a vulnerable web application or server.
Setting | Type | Description
Server ID | Input field | The server name string sent to clients in the Server response header. When the website proxy is created, the value is extracted in short form from the backend server's response. Leave the field empty to omit the Server header from responses entirely.
Enable Web server cloaking mode | Check box | Enables or disables web server cloaking. When enabled, the WAF removes web server information from the backend response before forwarding it to the client, so the application and server do not leak potentially sensitive details. This includes stripping every HTTP header whose name starts with "X-"; for example, "X-Powered-By: PHP/4.4.0" is removed. Because the rule is applied by prefix, headers such as X-Frame-Options or X-Content-Type-Options that the application relies on are removed as well, so verify after enabling cloaking that the protected site still returns the security headers it needs. Default:
Intercept backend error pages | Check box | Intercepts responses with a status code of 400 or higher sent by the backend web server and replaces them with a generic error page, configured under Error messages. When enabled, the original status code can either be replaced with a generic one (for example, 405 becomes 404) or passed through to the client unchanged. Default: checked
Exclude status codes | Input field | Status codes to exclude from error page interception (when interception is enabled).
Redirect validation protects against open-redirect attacks, in which an application that builds a redirect destination from untrusted data is used to send victims to phishing or malware sites.
Setting | Description
Block redirects to non trusted domains | When enabled, the WAF validates redirects issued by the protected web application and allows only redirects to domains on the trusted domains whitelist.
Whitelist | The effective list of trusted domains. Redirects are allowed only to hosts in the domains on this list. The list is edited under Trusted domains in the global policy section (see Trusted Domains).
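The following is an added example, not Alert Logic code, that models the three response-header stages described above (Server ID / cloaking, error-page interception and redirect validation) so their effect on a constructed backend response can be inspected. The trusted domain list, the generic error code 404 and the header samples are assumptions made for the example; the real product keeps these in its policy pages.

```python
"""Model of the WAF Output filter's header stages (added example, not Alert Logic code)."""
from urllib.parse import urlsplit

# Assumed "Trusted domains" whitelist: redirects may only target hosts in these domains.
TRUSTED_DOMAINS = ["example.com", "cdn.example.net"]


def cloak_headers(headers):
    """'Enable Web server cloaking mode': drop every header whose name starts with X-.

    Note that this is a prefix match, so X-Frame-Options and X-Content-Type-Options
    go too; the test below shows that side effect.
    """
    return [(n, v) for n, v in headers if not n.lower().startswith("x-")]


def apply_server_id(headers, server_id):
    """'Server ID': replace the backend Server header, or omit it when server_id is empty."""
    out = [(n, v) for n, v in headers if n.lower() != "server"]
    if server_id:
        out.append(("Server", server_id))
    return out


def intercept_error(status, exclude_codes=(), generic=404):
    """'Intercept backend error pages': map 4xx/5xx to a generic code unless excluded.

    generic=404 is an assumption; the page only gives 405 -> 404 as an example.
    """
    if status >= 400 and status not in exclude_codes:
        return generic
    return status


def host_is_trusted(location, trusted=TRUSTED_DOMAINS):
    """'Block redirects to non trusted domains': is the Location target in a trusted domain?"""
    # Browsers treat backslash like slash, so "/\\evil.tld" is a network-path redirect.
    host = urlsplit(location.replace("\\", "/")).hostname
    if host is None:
        return True  # relative redirect stays on the protected site
    host = host.lower()
    # Exact domain or a subdomain of it; a plain suffix check would accept "xexample.com".
    return any(host == d or host.endswith("." + d) for d in trusted)


def filter_response(status, headers, *, server_id="", cloak=True, intercept=True,
                    exclude_codes=(), block_untrusted_redirects=True):
    """Apply the Output filter stages to one backend response.

    Returns a dict with the status and headers to send, plus 'blocked', which is True
    when the redirect would be refused (what the client then receives is product-specific).
    """
    blocked = False
    if block_untrusted_redirects and 300 <= status < 400:
        for name, value in headers:
            if name.lower() == "location" and not host_is_trusted(value):
                blocked = True
    if cloak:
        headers = cloak_headers(headers)
    headers = apply_server_id(headers, server_id)
    if intercept:
        status = intercept_error(status, exclude_codes)
    return {"status": status, "headers": headers, "blocked": blocked}


if __name__ == "__main__":
    # Constructed backend response: a redirect to an attacker-controlled host.
    backend = [("Server", "Apache/2.4.41 (Ubuntu)"),
               ("X-Powered-By", "PHP/4.4.0"),
               ("Location", "https://attacker.tld/")]
    print(filter_response(302, backend, server_id="Apache"))
```

The `host_is_trusted` check is the part worth reading closely: matching on the registered domain plus a leading dot, rather than a bare suffix, is what stops `example.com.attacker.tld` and `xexample.com` from passing, and parsing with `urlsplit` is what catches `https://example.com@attacker.tld/` and protocol-relative `//attacker.tld/` targets.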
The WAF can rewrite arbitrary response header values; a regular expression selects the part of the value to rewrite.
Setting | Description
Enable response header rewriting (check box) | Select or clear the check box to enable or disable this feature.
Header | The name of the response header whose value should be matched.
Action (drop-down) | Action to take when the search pattern matches. Replace: replace the matched string with the replacement string.
Search for | A regular expression matching the string to replace. Escape the metacharacter "." with a backslash ("\") wherever it is meant literally: an unescaped "." matches any character, so a pattern written with unescaped dots would also match strings such as xxxyhost2xxx4tld and xxxhost_xxx_tld, among others. Matching is case-insensitive and global, meaning that if the search pattern occurs more than once in the value, every occurrence is replaced.
Replace with | The string to substitute for each match.
The WAF can also parse and rewrite the body of server responses. This is useful for screening output for confidential data such as credit card numbers and replacing or blocking it. Note, however, that rewriting the response body requires parsing the complete document and therefore adds latency.
The correct response content type must be configured in Web application behavior, or the body will not be parsed.
Setting | Description
Search for | A regular expression matching the string to replace. As with response header rewriting, matching is case-insensitive and global, so every occurrence of the pattern in the body is replaced. Metacharacters must be escaped with a backslash if they are to be interpreted literally.
Action (drop-down) | Action to take when the search pattern matches. Replace: replace the matched string with the replacement string. Block: block the remainder of the response and log the violation.
Replace with | The string to substitute for each match.
The WAF can be configured not to rewrite the response body when the request originates from a trusted client or when the requested path matches a regular expression. Keep in mind that a request excluded in this way receives the unfiltered body, so the confidential-data screening does not apply to it.
Setting | Description
Do not re-write from whitelisted IP's (trusted clients) | Select or clear the check box to exclude requests from trusted clients (whitelisted IPs) from rewriting. The list of trusted clients is edited in the Global Policy section.
Do not re-write from URIs matching regex | Enter a regular expression matching the path part of the requests to exclude. Only responses with content types text/
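The following is an added example, not Alert Logic code, that models the header and body rewrite rules described above: a rule is a search regex with a Replace or Block action, matching is case-insensitive and global as the documentation states, and the trusted-client and URI exclusions short-circuit body rewriting. The credit card pattern, the trusted client network 10.0.0.0/8, the `/export/` exclusion, the `text/` content-type gate and the sample body are all assumptions constructed for the example; they are not the product's defaults.

```python
"""Model of the WAF Output filter's rewrite rules (added example, not Alert Logic code)."""
import ipaddress
import re

# Assumed "Trusted clients" list and URI exclusion regex from the exclusion settings.
TRUSTED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDE_URI_RE = re.compile(r"^/export/")


class Rule:
    """One 'Search for' / 'Action' / 'Replace with' row."""

    def __init__(self, search, action, replace=""):
        # The documentation says matching is case-insensitive; re.sub makes it global.
        self.pattern = re.compile(search, re.IGNORECASE)
        self.action = action  # "Replace" or "Block"
        self.replace = replace


def rewrite_value(value, rules):
    """Apply rules in order. Returns (new_value, blocked).

    Replace substitutes every occurrence; Block stops processing and flags the
    response (the WAF would withhold the rest of it and log a violation).
    """
    for rule in rules:
        if rule.action == "Block":
            if rule.pattern.search(value):
                return value, True
        else:
            value = rule.pattern.sub(rule.replace, value)
    return value, False


def rewrite_headers(headers, header_rules):
    """header_rules maps a lowercase header name to its list of Rule objects."""
    out = []
    for name, value in headers:
        new, _ = rewrite_value(value, header_rules.get(name.lower(), []))
        out.append((name, new))
    return out


def is_excluded(client_ip, path):
    """Exclusion settings: trusted client IP or request path matching the regex."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_CLIENTS):
        return True
    return bool(EXCLUDE_URI_RE.search(path))


def rewrite_body(body, rules, client_ip, path, content_type="text/html"):
    """Body rewriting: skipped for excluded requests and for non-text content types."""
    # Assumption: only text/* bodies are parsed (the page's sentence is cut off at "text/").
    if not content_type.startswith("text/") or is_excluded(client_ip, path):
        return body, False
    return rewrite_value(body, rules)


# Constructed rules. Dots in the Location pattern are escaped so they match literally.
HEADER_RULES = {
    "location": [Rule(r"http://internal\.example\.com", "Replace", "https://www.example.com")],
}
BODY_RULES = [
    # Mask 16-digit card numbers (with optional space/dash groups), keeping the last four.
    Rule(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b", "Replace", r"****-****-****-\1"),
    # A private key in a response is not something to mask; block and log it.
    Rule(r"BEGIN RSA PRIVATE KEY", "Block"),
]

if __name__ == "__main__":
    body = "Card: 4111-1111-1111-1111 and 4222 2222 2222 2222"  # constructed sample body
    print(rewrite_body(body, BODY_RULES, "203.0.113.5", "/account"))
    print(rewrite_body(body, BODY_RULES, "10.1.2.3", "/account"))  # trusted client: untouched
```

The test below also exercises the escaping point from the Search for setting: the pattern `host.example` rewrites `host2example` because the unescaped dot matches the digit, whereas `host\.example` leaves it alone.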