What's New in Version 12.0
GraphQL security – Secures GraphQL APIs with capabilities that include native parsing of requests and enforcement of security checks. This feature can be found under the App Profiles component after upgrading the Datapath to 12.0.
JWT validation – Uses the received JSON Web Token (JWT) to validate the authenticity of the client sending HTTP requests and the token claims. This feature can be found under the App Profiles component after upgrading the Datapath to 12.0.
New Form protection UI and controls – Existing Features can now be applied to all of an application or limited to selected URLs directly from the UI. The following features have moved to the Form Protection component:
Brute force protection – This was previously included as part of DDoS prevention.
Data theft protection – Rules are still configured for the entire component. That is, all established rules will be applied to any portion of an application that receives Data Theft Protection.
File upload protection – This incorporates both the Advanced Threat Protection (BAPT) and Virus Scanning components. Each can be enabled independently. The Advanced Threat Protection licensing must be enabled for your application in that component before it can be applied here.
Credential attack protection – Protects against Credential Stuffing and/or Credential Spraying. This was previously part of Bot Protection.
Login form protection – For credential protection to work you need to specify the format and details for the login form. This was also previously part of Bot Protection.
After upgrading the Datapath to v12.0, the above Form Protections can be found under the Form Protection policy within the App Profiles component. In addition, the following new feature becomes available within the Form Protection policy:
- Privileged account protection – Watches for signs of account takeover by evaluating session elements such as the connecting entity’s geolocation, user agent, header value, and network details. This works in conjunction with Credential attack protection and Login form protection.
DNS Zones – We have shipped a new UI for this feature which provides control the DNS components of domains and/or sub-domains for your application instead of doing so through your domain provider. In addition to this convenience, WAF-as-a-Service protects these domains against DNS based DDoS attacks.
Content Delivery Network – We have shipped a new UI for this feature which provides a network of edge servers dispersed throughout 170+ worldwide Points of Presence (PoP) to enable faster web performance. This is done by caching copies of web application content closer to where it is requested. A minimum level of encryption can be enforced for all traffic and WAF-as-a-Service can provided an SSL certificate or a custom certificate can be used.
Client-Side Protection – We have shipped a new UI for this feature which provides protection against attacks on a web application's supply chain by use of the browsers:
- Content Security Policy – These are HTTP Response headers that contains directives for various file types and references used by a web application to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. A report-uri directive is provided by default and is used by browsers to report violations of the policy back to WAF-as-a-Service to provide insights on the CSP Dashboard.
- Sub-Resource Integrity – Directs the creation of a cryptographic hash of the resource that modern browsers then compare against a locally generated hash. Matching hashes verify that the resource has not been compromised. If they do not match, the resource is discarded and reported back to WAF-as-a-Service to provide insights on the CSP Dashboard.
Fixes made in Version 12.0
- Addressed issues related to reCAPTCHA which might result in a possible challenge loop.
- Addressed rare but possible outages that could happen during the Finger Print risk score and tarpit enforcement.
- CAPTCHA challenges will not be enforced for blocked IPs or Finger Prints, if the service is in passive mode.
- JSON Firewall : Addressed an issue where the key name was truncated in the Web Firewall Logs during the JSON Profile checks.
- JSON Firewall : Fixed a bug in the max siblings check in JSON firewall enforcement.
- JSON Firewall : Fixed an Issue where JSON max array elements were not getting validated.
- Made enhancements to the troubleshooting mechanisms to better profile potential outages.