Data guard

This page describes the data guard feature of F5 WAF for NGINX.

Data guard is a security feature that can be used to prevent the leakage of sensitive information from an application.

Examples include credit card numbers (CCN), Social Security numbers (SSN) or custom-defined patterns.

Sensitive data is either blocked or masked based on configuration.

The following example enables blocking mode:

```json
{
    "policy": {
        "name": "dataguard_blocking",
        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_DATA_GUARD",
                    "alarm": true,
                    "block": true
                }
            ]
        },
        "data-guard": {
            "enabled": true,
            "maskData": true,
            "creditCardNumbers": true,
            "usSocialSecurityNumbers": true,
            "enforcementMode": "ignore-urls-in-list",
            "enforcementUrls": []
        }
    }
}
```

In blocking mode, data masking has no effect.

This next example enables alarm mode, which allows you to use data masking.

Data masking allows a page to load while masking all sensitive data.

```json
{
    "policy": {
        "name": "nginx_default_policy",
        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_DATA_GUARD",
                    "alarm": true,
                    "block": false
                }
            ]
        },
        "data-guard": {
            "enabled": true,
            "maskData": true,
            "creditCardNumbers": true,
            "usSocialSecurityNumbers": true,
            "enforcementMode": "ignore-urls-in-list",
            "enforcementUrls": []
        }
    }
}
```

This final example shows partial masking using a custom pattern.

Custom patterns are defined in customPatternsList, with the numbers of unmasked leading and trailing characters defined by firstCustomCharactersToExpose and lastCustomCharactersToExpose, respectively.

```json
{
    "policy": {
        "name": "custom_pattern_mask_policy",
        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_DATA_GUARD",
                    "alarm": true,
                    "block": false
                }
            ]
        },
        "data-guard": {
            "enabled": true,
            "maskData": true,
            "creditCardNumbers": false,
            "usSocialSecurityNumbers": true,
            "enforcementMode": "ignore-urls-in-list",
            "enforcementUrls": [],
            "customPatterns": true,
            "firstCustomCharactersToExpose": 2,
            "lastCustomCharactersToExpose": 4,
            "customPatternsList": [
                "....-....-....-....",
                "siteTk_[0-9]+"
            ]
        }
    }
}
```
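The following Python sketch is an added example, not code from the product. It flags a policy in which masking cannot take effect and previews which characters the custom patterns above would leave visible. It assumes Python `re` semantics and `*` as the mask character; `lint` and `preview_mask` are hypothetical helper names.

```python
import json
import re

# Constructed policy fragment mirroring the custom-pattern example on this page.
POLICY = json.loads("""
{"policy": {
  "blocking-settings": {"violations": [
    {"name": "VIOL_DATA_GUARD", "alarm": true, "block": false}]},
  "data-guard": {"enabled": true, "maskData": true, "customPatterns": true,
    "firstCustomCharactersToExpose": 2, "lastCustomCharactersToExpose": 4,
    "customPatternsList": ["....-....-....-....", "siteTk_[0-9]+"]}}}
""")


def lint(policy):
    """Return warnings for data-guard settings that cannot take effect."""
    p = policy["policy"]
    dg = p.get("data-guard", {})
    violations = p.get("blocking-settings", {}).get("violations", [])
    viol = next((v for v in violations if v.get("name") == "VIOL_DATA_GUARD"), {})
    warnings = []
    if viol.get("block") and dg.get("maskData"):
        warnings.append("VIOL_DATA_GUARD blocks, so maskData has no effect")
    if dg.get("customPatterns") and not dg.get("customPatternsList"):
        warnings.append("customPatterns is on but customPatternsList is empty")
    return warnings


def preview_mask(policy, body, mask_char="*"):
    """Approximate partial masking of custom patterns (assumed behaviour)."""
    dg = policy["policy"]["data-guard"]
    first = dg.get("firstCustomCharactersToExpose", 0)
    last = dg.get("lastCustomCharactersToExpose", 0)

    def mask(match):
        s = match.group(0)
        hidden = len(s) - first - last
        if hidden <= 0:  # exposure covers the whole match, nothing is hidden
            return s
        return s[:first] + mask_char * hidden + s[len(s) - last:]

    for pattern in dg.get("customPatternsList", []):
        body = re.sub(pattern, mask, body)
    return body


if __name__ == "__main__":
    # Constructed response body; the third value is not a card number.
    sample = "card 1234-5678-9012-3456 tok siteTk_12345678 ref 2024-0101-abcd-efgh"
    print(lint(POLICY), preview_mask(POLICY, sample), sep="\n")
```

Because `.` matches any character, the first pattern also masks the constructed `ref` value, which is worth checking against real responses before enabling a pattern this broad.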