Q&A: Can you customize the WAF Violation Block Page, HTTP Response Code, and/or the HTTP Response Headers?

Question 

• Can you customize the WAF Violation Block Page?
  • HTTP Response HTTP header/Code

    • Q&A: What is the default WAF Violation Block Page and HTTP Response Code for Blocked Requests/Clients?

• For customers that have existing Block Page to handle blocked events, please review the article below:
  • Q&A: What if I have an Existing Block Page and I Want to Use It?

Environment

• Silverline WAF
• WAF Policy
  • Support ID
  • WAF Violation
  • WAF Block page and HTTP Response Headers

Answer

Yes, you can customize a WAF policy's Violation Block Page

• The WAF Violation Block page is customizable:
  • Allows the flexibility to configure a custom HTTP response page with corporate branding, helpdesk contact information, or other user-friendly information
  • Supports HTML code
  • Allows for customized HTTP Response code for Block page

• The default Response Header for a Block Page includes:

  • HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: close

• The default HTML 

  • <html><head><title>Request Rejected</title></head><body>The requested URL was 
    rejected. Please consult with your administrator.<br><br>Your support ID is: 
    <%TS.request.ID()%></body></html>

Requirements for Custom WAF Violation Block Page HTML

• Only one custom WAF Violation Block Page per WAF policy
• Must include support ID by using the field <%TS.request.ID()%> -- This ensures that blocked requests can be identified
• Any external assets required for the page (e.g. css, images) must be either
  • (a) contained entirely in the HTML (e.g. as a base64 object), or
  • (b) externally hosted and made available through an href to the external source
• File size must be less than 51200 bytes
• Please specify the HTTP response code you want to be associated when the Block page occurs
  • The default is 200 OK 
  • Only one response code may be configured per WAF policy
• Please specify any specific HTTP response header requirements as well
  • Default

    • HTTP/1.1 200 OK
      Cache-Control: no-cache
      Pragma: no-cache
      Connection: close

• The option to redirect to another page is allowed/supported as well
  • Q&A: What if I have an Existing Block Page and I Want to Use It? 

Related Content

• Q&A: What is the default WAF Violation Block Page and HTTP Response Code for Blocked Requests/Clients?
• Q&A: What if I have an Existing Block Page and I Want to Use It?