The URL encryption feature serves to prevent forceful browsing. It encrypts the URLs for a service, hiding the internal directory structure of the web application from users. You can configure the URL encryption rule on the WEBSITES > URL Encryption page. When URL encryption is enabled for a Service, based on the URL specified in the URL Match field, all response pages from that Service will have the encrypted URLs in the links.
You can configure multiple URL encryption rules for a Service, and enable or disable individual rules based on your requirement. The rules are matched with the requests only when URL Encryption Status is enabled for the Service.
How It Works
URL encryption requires no changes to the application. It only requires you to specify the URL, which contains the links/sub-directories that must be encrypted. The following diagram illustrates how URLs for the web application at "https://www.myapp.com" are encrypted in response to users.
- The user sends a request to "https://www.myapp.com".
- The web application returns the requested page containing many links, which lead to other files in the same web application.
- The Barracuda Web Application Firewall processes the response to the user and encrypts all URLs associated with the requested page (i.e., the path, file name and all the parameters of a URL).
- If the encrypted URLs are manipulated or tampered with in subsequent requests from the user, the requests are blocked and logged on the BASIC > Web Firewall Logs page.
Configuring URL Encryption Rule
Create a rule to enable URL encryption for the service.
- Go to the WEBSITES > URL Encryption page.
- Next to the service, click Add.
- In the Add URL Encryption Rule window, enter a name and enable the rule. Specify the URL and host name of the links that must be encrypted. You can also choose to allow valid unencrypted requests and specify exclusions to the rule.
- The URL must start with a forward slash (/) and can have a maximum of one asterisk (*). For example, if you enter /forms.html, for any requests that match this URL, all the URLs associated with this URL will be encrypted. To encrypt all URLs in the domain for the service, enter: /*
- For the host, you can enter either a specific host match or a wildcard host match with a single asterisk (*) anywhere in the URL.
- Click Add.
- If you want to exclude any URL patterns from URL encryption validation, click Edit next to the URL encryption rule and add the patterns in Exclude URL Patterns.
- Modify the values of other parameters (if required), and click Save.
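The following is an added illustration of the mechanism described under How It Works and of the one-asterisk match semantics of the URL and Host fields above. It is example code written for this page, not Barracuda's implementation, and it does not reproduce the appliance's real token format or cipher: the key, the "/__enc/" link prefix, the toy encrypt-then-MAC scheme built from HMAC-SHA256, and the sample HTML are all constructed assumptions. It shows the two halves of the feature, rewriting same-application links in a response and validating (and blocking tampered) encrypted URLs in later requests, plus the optional allowance for valid unencrypted requests.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed demo key: a real appliance keeps its own key; this value is an assumption.
KEY = b"demo-key-not-for-production-0123"
ENC_PREFIX = "/__enc/"   # assumed marker for rewritten links (not Barracuda's format)
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_url(path_and_query: str, nonce: Optional[bytes] = None) -> str:
    """Hide a path (and query string) behind an encrypt-then-MAC token."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plaintext = path_and_query.encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")
    return ENC_PREFIX + token


def decrypt_url(encrypted_path: str) -> Optional[str]:
    """Return the original path, or None if the token is malformed or tampered with."""
    if not encrypted_path.startswith(ENC_PREFIX):
        return None
    token = encrypted_path[len(ENC_PREFIX):]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time check before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct)))).decode(errors="replace")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a URL or host match pattern that may contain at most one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("at most one asterisk is allowed: %r" % pattern)
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def rule_applies(rule_url: str, rule_host: str, req_host: str, req_path: str) -> bool:
    """True when a request's host and path both satisfy the rule's match fields."""
    return bool(pattern_to_regex(rule_host).match(req_host)
                and pattern_to_regex(rule_url).match(req_path))


HREF_RE = re.compile(r'href="([^"]*)"')


def rewrite_links(html: str, app_host: str) -> str:
    """Replace every same-application href in a response body with its encrypted form."""
    def replace(match: "re.Match[str]") -> str:
        href = match.group(1)
        parts = urlsplit(href)
        if (parts.scheme or parts.netloc) and parts.netloc != app_host:
            return match.group(0)            # third-party links are left untouched
        target = parts.path + ("?" + parts.query if parts.query else "")
        return 'href="%s"' % encrypt_url(target)
    return HREF_RE.sub(replace, html)


def validate_request(req_path: str, allow_valid_unencrypted: bool = False) -> Tuple[str, str]:
    """Enforce the rule on an inbound request: ('allow', original path) or ('block', reason)."""
    if req_path.startswith(ENC_PREFIX):
        original = decrypt_url(req_path)
        if original is None:
            return ("block", "encrypted URL is malformed or has been tampered with")
        return ("allow", original)
    if allow_valid_unencrypted:
        return ("allow", req_path)
    return ("block", "unencrypted URL on a service with URL encryption enabled")


# Constructed sample response body for the demo.
SAMPLE_HTML = ('<a href="/admin/reports.php?id=7">Reports</a> '
               '<a href="https://www.myapp.com/about">About</a> '
               '<a href="https://cdn.example.net/lib.js">CDN</a>')

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_HTML, "www.myapp.com")
    print(rewritten)
    first_link = HREF_RE.search(rewritten).group(1)
    print(validate_request(first_link))
    print(validate_request(first_link[:-8] + "AAAAAAAA"))  # a modified token is blocked
```

Run the block directly to see the rewritten response and the allow/block decisions; the MAC check runs before decryption, so a request whose token has been altered never reaches the application and is the event the page says is logged on the BASIC > Web Firewall Logs page.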