Start your Barracuda WAF-as-a-Service deployment with reasonable default settings for several components. If needed, you can change these settings on a site-wide, per-URL, or per-parameter basis.
Mechanism | Description | Default Setting | WAFaaS Component |
---|---|---|---|
Check Protocol Limits | When enabled, checks size limits on various HTTP protocol elements, including request length and header length. These checks prevent a wide array of possible buffer overflow attacks. | Yes | |
Cookie Security Mode | Handles cookies from external sources (i.e., those not created by Barracuda WAF-as-a-Service). Available settings: | Signed | |
URL Protection | When enabled, offers protection on a URL. These settings are ignored when URL Profiles are used for validating the incoming requests. | Yes | |
Parameter Protection | When enabled, offers protection on request parameters by enforcing limits on various sizes. | Yes | |
SQL Injection Prevention | When enabled, defends against SQL injection attacks, in which commands are executed directly against the database, allowing disclosure and modification of data in the database. | Enabled | |
OS Command Injection Prevention | When enabled, defends against OS commands that can be used to give attackers access to data and escalate privileges on servers. | Enabled | |
XSS Injection Prevention | When enabled, defends against Cross-Site Scripting (XSS), which takes advantage of a vulnerable web site to attack clients who visit it. | Enabled | |
Default Character Set | Affects how incoming requests are decoded before inspection. The Default Character Set is used when the charset cannot be determined by other means. | UTF-8 | |
Suppress Server Errors / Cloak Status Code | When active, enables Barracuda WAF-as-a-Service to insert a default or custom page in reaction to server response errors. | Yes | |