Authentication tokensAuthentication tokens
AccountAccount
ServicesServices
Access control listsAccess control lists
Edge dictionariesEdge dictionaries
VCL objectsVCL objects
PurgingPurging
Metrics and statsMetrics and stats
Real-time loggingReal-time logging
Load balancingLoad balancing
TLSTLS
Web Application FirewallWeb Application Firewall
Legacy Web Application FirewallLegacy Web Application Firewall
- Configuration setConfiguration set
- FirewallFirewall
- OWASPOWASP
- RuleRule
- Rule setRule set
- Rule statusRule status
- TagTag
- Update statusUpdate status
UtilitiesUtilities

OWASP

OWASP settings object used when configuring WAF.

Data model

`allowed_http_versions`	String	Allowed HTTP versions (default `HTTP/1.0 HTTP/1.1 HTTP/2`).
`allowed_methods`	String	A space-separated list of HTTP method names (default `GET HEAD POST OPTIONS PUT PATCH DELETE`).
`allowed_request_content_type`	String	Allowed request content types (default `application/x-www-form-urlencoded\|multipart/form-data\|text/xml\|application/xml\|application/x-amf\|application/json\|text/plain`).
`arg_length`	Integer	The maximum number of arguments allowed (default `400`).
`arg_name_length`	Integer	The maximum allowed argument name length (default `100`).
`combined_file_sizes`	Integer	The maximum allowed size of all files (in bytes, default `10000000`).
`created_at`	String	Date and time that the settings object was created.
`critical_anomaly_score`	Integer	Score value to add for critical anomalies (default `6`).
`crs_validate_utf8_encoding`	Boolean	CRS validate UTF8 encoding.
`error_anomaly_score`	Integer	Score value to add for error anomalies (default `5`).
`high_risk_country_codes`	String	A space-separated list of country codes in ISO 3166-1 (two-letter) format.
`http_violation_score_threshold`	Integer	HTTP violation threshold.
`inbound_anomaly_score_threshold`	Integer	Inbound anomaly threshold.
`lfi_score_threshold`	Integer	Local file inclusion attack threshold.
`max_file_size`	Integer	The maximum allowed file size (in bytes, default `10000000`).
`max_num_args`	Integer	The maximum number of arguments allowed (default `255`).
`notice_anomaly_score`	Integer	Score value to add for notice anomalies (default `4`).
`paranoia_level`	Integer	The configured paranoia level (default `1`).
`php_injection_score_threshold`	Integer	PHP injection threshold.
`rce_score_threshold`	Integer	Remote code execution threshold.
`restricted_extensions`	String	A space-separated list of allowed file extensions (default `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx`).
`restricted_headers`	String	A space-separated list of allowed header names (default `/proxy/ /lock-token/ /content-range/ /translate/ /if/`).
`rfi_score_threshold`	Integer	Remote file inclusion attack threshold.
`session_fixation_score_threshold`	Integer	Session fixation attack threshold.
`sql_injection_score_threshold`	Integer	SQL injection attack threshold.
`total_arg_length`	Integer	The maximum size of argument names and values (default `6400`).
`updated_at`	String	Date and time that the settings object was last updated.
`warning_anomaly_score`	Integer	Score value to add for warning anomalies.
`xss_score_threshold`	Integer	XSS attack threshold.

Endpoints

Get the OWASP settings object

GET/service/service_id/wafs/waf_id/owasp

Create an OWASP settings object

POST/service/service_id/wafs/waf_id/owasp

Update the OWASP settings object

PATCH/service/service_id/wafs/waf_id/owasp

User contributed notes

We welcome comments that add use cases, ideas, tips, and caveats. All comments will be moderated before publication. To post support questions, visit our support center and we'll find you the help you need.