OWASP settings object used when configuring WAF.

Data model

Field (Type): Description

allowed_http_versions (String): Allowed HTTP versions (default HTTP/1.0 HTTP/1.1 HTTP/2).
allowed_methods (String): A space-separated list of HTTP method names (default GET HEAD POST OPTIONS PUT PATCH DELETE).
allowed_request_content_type (String): Allowed request content types (default application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain).
arg_length (Integer): The maximum number of arguments allowed (default 400).
arg_name_length (Integer): The maximum allowed argument name length (default 100).
combined_file_sizes (Integer): The maximum allowed size of all files (in bytes, default 10000000).
created_at (String): Date and time that the settings object was created.
critical_anomaly_score (Integer): Score value to add for critical anomalies (default 6).
crs_validate_utf8_encoding (Boolean): Whether the CRS validates UTF-8 encoding.
error_anomaly_score (Integer): Score value to add for error anomalies (default 5).
high_risk_country_codes (String): A space-separated list of country codes in ISO 3166-1 (two-letter) format.
http_violation_score_threshold (Integer): HTTP violation threshold.
inbound_anomaly_score_threshold (Integer): Inbound anomaly threshold.
lfi_score_threshold (Integer): Local file inclusion attack threshold.
max_file_size (Integer): The maximum allowed file size (in bytes, default 10000000).
max_num_args (Integer): The maximum number of arguments allowed (default 255).
notice_anomaly_score (Integer): Score value to add for notice anomalies (default 4).
paranoia_level (Integer): The configured paranoia level (default 1).
php_injection_score_threshold (Integer): PHP injection threshold.
rce_score_threshold (Integer): Remote code execution threshold.
restricted_extensions (String): A space-separated list of allowed file extensions (default .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx).
restricted_headers (String): A space-separated list of allowed header names (default /proxy/ /lock-token/ /content-range/ /translate/ /if/).
rfi_score_threshold (Integer): Remote file inclusion attack threshold.
session_fixation_score_threshold (Integer): Session fixation attack threshold.
sql_injection_score_threshold (Integer): SQL injection attack threshold.
total_arg_length (Integer): The maximum size of argument names and values (default 6400).
updated_at (String): Date and time that the settings object was last updated.
warning_anomaly_score (Integer): Score value to add for warning anomalies.
xss_score_threshold (Integer): XSS attack threshold.
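The fields above only make sense together: the per-severity score values accumulate into an inbound anomaly score that is compared against inbound_anomaly_score_threshold, the per-attack thresholds (sql_injection_score_threshold, xss_score_threshold, ...) gate individual categories, and paranoia_level decides which rules contribute at all. The following Python is an added example, not Fastly's code or the WAF engine's evaluation logic; it models the generic CRS-style anomaly scoring that these field names describe. Field names follow this page; the OwaspSettings, RuleMatch and Request classes, the constructed rule matches, and the defaults for warning_anomaly_score and the threshold fields (which the page leaves unstated) are assumptions made for the example.

```python
"""Added example (not Fastly's code): a model of how the OWASP settings fields
combine into a block/allow decision. The scoring logic is the generic CRS-style
anomaly model and is an assumption for illustration, not a description of any
specific WAF engine's internals."""
from dataclasses import dataclass, field


@dataclass
class OwaspSettings:
    # Defaults below are the ones the data model states where it gives one.
    # warning_anomaly_score and the *_score_threshold values are constructed
    # for this example because the page does not state defaults for them.
    allowed_http_versions: str = "HTTP/1.0 HTTP/1.1 HTTP/2"
    allowed_methods: str = "GET HEAD POST OPTIONS PUT PATCH DELETE"
    max_num_args: int = 255
    arg_name_length: int = 100
    total_arg_length: int = 6400
    paranoia_level: int = 1
    critical_anomaly_score: int = 6
    error_anomaly_score: int = 5
    warning_anomaly_score: int = 3            # constructed
    notice_anomaly_score: int = 4
    inbound_anomaly_score_threshold: int = 5  # constructed
    sql_injection_score_threshold: int = 10   # constructed
    xss_score_threshold: int = 10             # constructed


@dataclass
class RuleMatch:
    """A constructed rule hit: its severity, the attack category it counts
    toward ("" for none), and the paranoia level at which the rule is active."""
    severity: str      # "critical" | "error" | "warning" | "notice"
    category: str = ""
    paranoia_level: int = 1


@dataclass
class Request:
    """A constructed, minimal view of an inbound request."""
    method: str
    http_version: str
    args: dict = field(default_factory=dict)


def check_request_limits(settings, req):
    """Return the list of envelope violations (allowed methods/versions and
    argument limits); an empty list means the request is within limits."""
    problems = []
    if req.method not in settings.allowed_methods.split():
        problems.append(f"method {req.method} not allowed")
    if req.http_version not in settings.allowed_http_versions.split():
        problems.append(f"version {req.http_version} not allowed")
    if len(req.args) > settings.max_num_args:
        problems.append("too many arguments")
    if any(len(name) > settings.arg_name_length for name in req.args):
        problems.append("argument name too long")
    total = sum(len(k) + len(v) for k, v in req.args.items())
    if total > settings.total_arg_length:
        problems.append("total argument length exceeded")
    return problems


def score_matches(settings, matches):
    """Accumulate anomaly scores CRS-style: a rule contributes only if its
    paranoia level is at or below the configured one; each contributing match
    adds its severity's score to the inbound total and to its category total."""
    severity_score = {
        "critical": settings.critical_anomaly_score,
        "error": settings.error_anomaly_score,
        "warning": settings.warning_anomaly_score,
        "notice": settings.notice_anomaly_score,
    }
    inbound = 0
    per_category = {}
    for m in matches:
        if m.paranoia_level > settings.paranoia_level:
            continue  # rule is inactive at this paranoia level
        points = severity_score[m.severity]
        inbound += points
        if m.category:
            per_category[m.category] = per_category.get(m.category, 0) + points
    return inbound, per_category


def decide(settings, req, matches):
    """Return (blocked, reasons): blocked when any limit is violated, the
    inbound score reaches its threshold, or a category reaches its own."""
    reasons = check_request_limits(settings, req)
    inbound, per_category = score_matches(settings, matches)
    if inbound >= settings.inbound_anomaly_score_threshold:
        reasons.append(f"inbound anomaly score {inbound}")
    for cat, score in per_category.items():
        threshold = getattr(settings, f"{cat}_score_threshold", None)
        if threshold is not None and score >= threshold:
            reasons.append(f"{cat} score {score}")
    return bool(reasons), reasons


if __name__ == "__main__":
    s = OwaspSettings()
    req = Request("GET", "HTTP/1.1", {"q": "hello"})
    print(decide(s, req, [RuleMatch("critical", "sql_injection")]))
```

Two things the model makes visible: raising paranoia_level activates rules that were previously silent, so a request that passed at level 1 can be blocked at level 2 with no other change; and the category thresholds are independent of the inbound threshold, so a single critical match can trip the inbound threshold long before its category threshold is reached.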


Get the OWASP settings object


Create an OWASP settings object


Update the OWASP settings object

