
Best Practices for Integrating with Shape Defense

Description

  • This article describes common best practices for integrating with the Shape Defense solution.
  • Additional information can be found in the Shape Defense FAQ section of the Knowledge Base.

Environment

  • Shape Defense

A. Common Best Practices

  • When configuring endpoints, use wildcards to terminate the match.

    Example:
    /login*
    Without the wildcard, an attacker can append a slash to the request (e.g. /login/) and reach the same application endpoint while evading the match.
  • The mitigating response should mimic the application's own response to an invalid request, for example the response returned when invalid credentials are used.
  • When migrating to Silverline, also migrate any WAF rules, geo blocking, or whitelisted IPs. This ensures consistency with the pre-Silverline security posture.
  • If your site is served from an apex domain, configure a redirect from the apex domain to the FQDN (e.g. customer.com redirects to www.customer.com). This is required because your domain will need to point to a Silverline-provided CNAME. Pointing a CNAME from an apex domain is not recommended, as it prevents you from having SOA and all other DNS records at the apex.
  • Whitelist known good automations, such as search bots, legitimate aggregators and performance tools.
  • If you use a CDN, or your origin has business logic that relies on a header to determine the client IP (e.g. X-Forwarded-For or True-Client-IP), Silverline can be configured to set or update that header. By default, Silverline uses X-Forwarded-For to provide the client IP. Please follow Issue / Solution: L7 DDoS Profile or Shape Identifies CDN IP as Client IP instead of the X-Forwarded-For or Custom XFF Header.
  • Do not use IP-based session persistence to load-balance internally. Silverline has a range of egress IPs and if you have IP-based load balancing at the origin, this may break your session persistence. Use cookie-persistence, if possible.
  • Lock down your infrastructure to Silverline egress IPs only. This prevents attackers from bypassing Silverline altogether and hitting your origin directly.
  • Validate that your internal tools (Logging tools, Fraud tools, etc.) are seeing the traffic accurately when going through Silverline.
  • If a CDN such as CloudFront is deployed in front of Silverline ( Client -> Silverline -> Origin), please ensure that:
    • the Shape JS file is excluded from the cached entities
    • the CDN passes the original User-Agent rather than injecting a CDN User-Agent such as "Cloud Front"

B. Web Application Best Practices

  • Identify all URL paths that need to be protected by Shape Defense.
  • Validate whether any CORS calls are involved (see CORS POST validation).
  • Use wildcards cautiously. Avoid enabling Shape protection for more URLs than required by adding wildcards.
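The two wildcard points above (terminate the match so that /login/ is not missed, but do not let a wildcard pull in more URLs than needed) can be checked against observed traffic. The following is an added audit script, not part of this article or the Shape product; the pattern list, observed paths and route list are constructed, and the matching rule it applies (a trailing `*` is a wildcard, everything else is an exact path match) is an assumption for illustration, not a description of how Silverline evaluates patterns.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed protected-endpoint list, as it might be entered in the console.
# Assumption for this example: a trailing '*' is a wildcard and everything else
# must match the path exactly (not a statement about Silverline's matcher).
PROTECTED_PATTERNS = ["/login", "/api/checkout*", "/account/*"]

# Constructed sample of request paths observed at the origin (e.g. from access logs).
OBSERVED_PATHS = [
    "/login", "/login/", "/login?next=%2F", "/api/checkout", "/api/checkout/",
    "/api/checkout-status", "/account/profile", "/account", "/healthz",
]

# Application routes that are supposed to be protected (constructed).
MUST_PROTECT = {"/login", "/api/checkout", "/account/profile"}


def route_of(url):
    """Reduce a request URL to the application route it reaches: drop the
    query string and a trailing slash, since typical routers serve
    /login and /login/ from the same handler."""
    path = urlsplit(url).path
    return path.rstrip("/") or "/"


def is_protected(url, patterns=PROTECTED_PATTERNS):
    """True if the request path (query string excluded) matches a configured pattern."""
    path = urlsplit(url).path
    return any(fnmatchcase(path, pat) for pat in patterns)


def audit(observed=OBSERVED_PATHS, patterns=PROTECTED_PATTERNS, must=MUST_PROTECT):
    """Return requests that reach a sensitive route unprotected ('gaps') and
    requests that a wildcard pulls into protection unnecessarily ('overreach')."""
    gaps = sorted({u for u in observed
                   if route_of(u) in must and not is_protected(u, patterns)})
    overreach = sorted({u for u in observed
                        if route_of(u) not in must and is_protected(u, patterns)})
    return {"gaps": gaps, "overreach": overreach}


if __name__ == "__main__":
    result = audit()
    print("unprotected variants of sensitive routes:", result["gaps"])
    print("paths matched only because of a wildcard:", result["overreach"])
```

With the constructed data, /login/ shows up as a gap (the exact pattern /login does not terminate the match) and /api/checkout-status shows up as overreach (the wildcard on /api/checkout* is wider than the route it was meant to cover).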

C. Mobile Application Best Practices

  • When decorating requests, it is best to add Shape telemetry only to those requests which are also configured in Silverline as protected URLs. This helps avoid filling up bandwidth unnecessarily.
  • Before onboarding the mobile app, identify all URLs which need to be configured.
  • Ideally, the Shape SDK is integrated into apps that have forced-upgrade capability. This allows you to move users to the protected version of the app.
  • Shape recommends that you implement the integration as described in the SDK documentation. If you plan to deviate from those recommendations, please explore the knowledge base for other integration considerations.
  • Initialize the Shape SDK as early as possible in the app lifecycle to ensure the SDK is initialized and ready to add headers before a protected request is made.
  • Make sure an application version marker is included in the User-Agent header of the request.

    Example:
    "User-Agent: sometext MyApp/3.3 sometext"
    This allows you to examine traffic filtered by a specific version of your app.
  • Make sure to execute parseResponse() for all responses returned to protected requests.
  • Do not send the same set of headers more than once.
  • If you use Push Notifications on Android, there are special integration considerations when push notifications are sent to many apps at once.
  • The Shape SDK is already obfuscated. If you use code obfuscation, exclude the Shape SDK from being obfuscated again.
  • If the App is accessing endpoints via WebView and those endpoints need Shape protection, consider using Shape JavaScript (see Knowledge Base article on how to use JS with the WebView).
  • In the test environment, consider keeping your endpoints in Block mode. This way, SDK integration problems will be discovered early.

Related Content

Return to Integrating Shape Defense
