HTTP profile settings

This wizard lets you filter HTTP protocol oriented attributes (methods, content-type, declarative security, and information leakage attributes).

Want to create a new HTTP profile? Go to Security > HTTP Profiles and click the New HTTP Profile button.

Name of the HTTP profile

Enter the name and description for the HTTP profile. Initially the user who creates the HTTP profile is the owner. When editing an HTTP profile, you can choose another owner.


Select tags to apply to the HTTP profile. Users with the applied tags in their scope will have access to it. Click Create to add a new tag.

Allow All, Detect Violations

Select to allow all HTTP request methods and detect violations. If selected, you have the option to block invalid request methods and/or TRACE and TRACK methods.

Deny All, But Explicitly Allow

Select to deny all HTTP requests methods except those you explicitly allow. Enter the request types to be allowed. Use commas to separate request types.


Define handling for Accept-Encoding request headers.

Choose "Keep Accept-Encoding" to keep the HTTP header in the requests.

Request Headers

Define handling for suspicious HTTP request headers.

Choose "Detect Invalid Headers" to detect headers with empty names or invalid characters in the name.

Choose "Detect Repeated Headers" to detect multiple headers with the same name.

Choose "Detect Chunked Encoding" to detect headers with chunked encoding.

Request Content -Types

Allow or exclude certain request content types (e.g., application/xml) and file uploads.

Allow All, Detect Invalid

Select to allow all request content types, but detect invalid content types. The WAF service will allow all valid MIME content, and detect all invalid content. If selected, file uploads will be allowed unless you select the Detect File Uploads check box.

Deny All, but Explicitly Allow

Select to deny all request content types except for those you explicitly want to allow. If selected, specify the allowed content types in the field provided. Only the specified content types will be allowed.

In the "Allowed content types" field, enter the content types that you want to allow for a request. We have rules related to format and maximum length for defining content types. As WAF UI validates a request content type by its MIME type that is by type/subtype e.g. text/html, you are required to specify the same format when defining allowed content types for a request.

MIME types that you will specify can contain any letters from a to z and any numbers from 0 through 9, but no special characters such as #,$,!,& *. Maximum characters allowed for specifying a MIME type is 128 characters. The requests that have allowed MIME content types in the Content Type header are accepted.

The application shows an error message when a MIME type specified is not in proper format or the length of a MIME type that is type/subtype combination exceeds the maximum allowed length of 128 characters.

You also have the option to define custom rules to filter a request based on the full header "Content-Type" value. You can provide an exact value for full content type header or specify payloads that are forbidden e.g. deny requests posted as US-ASCII.

If you want to allow all requests that have the type “application”, subtype “json” and charset “UTF 8”, use our Custom Rule wizard to create a rule with this rule condition:

request.header "Content-Type" EQUAL "application/json; charset=UTF-8"

Then click the Actions tab and select “Allow” from the Actions drop-down field. See Custom Rules.

Enable protocol anomalies detection

If you select this option we'll check that web requests respect the protocol part (e.g. "HTTP/1.1") of the "HTTP/1.1" specification (IETF RFC 2616). A web request respecting this specification looks like this: GET /directory/script.php?parameters HTTP/1.1. Specifically we'll check that the protocol part has the form "HTTP/" followed by a valid HTTP version number (0.9, 1.0, 1.1, ...). If the protocol part of a web request has one or more anomalies we will generate a security event.

Web Services Protection

You can enable XML/JSON parsing to validate that transmitted payload is XML/JSON compliant. Parsing is not enabled by default.

Provide values for:

Size: Maximum size of data parsed (in bytes). Note that the size of data can get inflated due to pattern reuse (e.g. reuse of XML entities). Size also includes extra payloads added for preventing against attacks. For example, to prevent a Billion laughs attack (a DoS attack aimed at XML parsers).

Item: Maximum number of items parsed. An "item" can be an attribute, element tag, etc. (Depending on format: whether XML or JSON).

Level: Maximum depth reachable when parsing structured content. This enables you to avoid parsing data with huge depth, but protects servers against DDOS attacks.

Server Cloaking

Select to enable server cloaking. If enabled, enter the web server name to display in the HTTP(S) server header.

Sensitive Headers

This option allows you to remove certain headers, for example headers inserted by web frameworks or development kits.

Cookies Protection

Tell us whether you want to accept all, none or selected cookies. If you choose "Selected" enter the cookies to allow.

Discourage Content-Type Sniffing

Select to modify origin site responses to discourage browsers from guessing the MIME types.

Default Content Type

Select to force a default content type on responses where the origin site provides none. If enabled, enter the default content type in the field provided.

Default Character Encoding

Configure default character encoding for site responses.

Choose "None" to do nothing,

Choose "Apply when not set" to apply a default character encoding when none is set. Then choose a character encoding from the menu provided.

Choose "Always apply" to always apply a specific character encoding. Then choose a character encoding from the menu provided.

Content Security Policy

Select to enable a Content Security Policy header to restrict the sources from which a browser will accept content. If enabled, enter the content security policy header.

HTTP Strict Transport Security

Enable HTTP Strict Transport Security (HSTS) header to let web sites inform browsers that they are accessible only via HTTPS secure connection. Maximum age is the time in seconds during which web sites can only be accessed by a browser using HTTPS. Enable Include sub domains to apply HSTS policy to sub domains of the host. For more information, refer RFC 6797.

Discourage Clickjacking (UI Redress)

You can modify origin responses to discourage clickjacking attacks against site visitors.

Choose "None" to do nothing, "No Framing" to deny framing or "Same-origin framing" to allow same-origin page framing.

Browser XSS Protection

Control browser-based cross-site scripting.

Choose "None" to do nothing, "Disable" to disable browser cross-site scripting detection, "Enable without blocking" to enable browser cross-site scripting detection without blocking, or "Enable with blocking" to enable browser cross-site scripting detection and blocking.