- This article describes common best practices for integrating with the Shape Defense solution.
- Additional information can be found in the Shape Defense FAQ section of the Knowledge Base.
A. Common Best Practices
- When configuring endpoints, use a wildcard to terminate the match, for example:
/login*
This prevents an attacker from evading the match by adding a slash to the end of the request (e.g. /login/) when both variants reach the same application endpoint.
- The mitigating response should try to mimic what the application responds with when the request is invalid, for example, when invalid credentials are used.
- When migrating to Silverline, also migrate any WAF rules, geo blocking, or whitelisted IPs. This ensures consistency with the pre-Silverline security posture.
- If your site is served from an apex domain, configure a redirect from the apex domain to the FQDN (e.g. customer.com redirects to www.customer.com). This is required because your domain will need to point to a Silverline-provided CNAME, and pointing a CNAME from an apex domain is not recommended as it prevents you from having an SOA record and all other DNS records at the apex.
- Whitelist known good automations, such as search bots, trusted aggregators, and performance tools.
- If you are using a CDN, or your origin has any business logic which relies on a header to determine the client IP (e.g. X-Forwarded-For or True-Client-IP), Silverline can be configured to set or update that header. By default Silverline uses X-Forwarded-For to provide the client IP. Please follow Issue / Solution: L7 DDoS Profile or Shape Identifies CDN IP as Client IP instead of the X-Forwarded-For or Custom XFF Header.
- Do not use IP-based session persistence to load-balance internally. Silverline has a range of egress IPs and if you have IP-based load balancing at the origin, this may break your session persistence. Use cookie-persistence, if possible.
- Lock down your infrastructure to Silverline egress IPs only. This will prevent attackers from bypassing Silverline altogether and hitting your origin directly.
- Validate that your internal tools (Logging tools, Fraud tools, etc.) are seeing the traffic accurately when going through Silverline.
- If a CDN such as CloudFront is deployed before Silverline (Client -> CDN -> Silverline -> Origin), please ensure that:
- the Shape JS file is excluded from the cached entities
- the CDN passes the original User-Agent rather than injecting a CDN User-Agent such as "Cloud Front"
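The two points above on client IP headers and egress-IP lockdown can be enforced together at the origin. The following is an added example, not code from F5 or the Silverline product: it rejects requests whose TCP peer is outside the egress allowlist, and resolves the client IP by walking X-Forwarded-For from the right so that values prepended by the client are never trusted. The proxy ranges are constructed placeholders, not real Silverline egress IPs.

```python
import ipaddress

# Constructed placeholder ranges standing in for the Silverline egress
# IP list. The real list comes from F5, not from this example.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_trusted_proxy(ip):
    """True if ip parses as an address inside a trusted egress range."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def client_ip(peer_ip, xff_header):
    """Resolve the real client IP for a request reaching the origin.

    peer_ip:    the address that opened the TCP connection to the origin.
    xff_header: the X-Forwarded-For header value, or None if absent.

    Returns None when the request should be rejected: the peer is not a
    trusted proxy (Silverline was bypassed), the header is missing, or
    the resolved hop is not a valid address. Otherwise walks the header
    from the right, discarding trusted proxy hops, and returns the first
    untrusted address, i.e. the one appended by the proxy nearest the
    client. Anything to the left of it is client-controlled and ignored.
    """
    if not is_trusted_proxy(peer_ip):
        return None
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None
    # No untrusted hop at all: the client IP cannot be determined.
    return None
```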
B. Web Application Best Practices
- Identify all URL paths that need to be protected by Shape Defense.
- Check whether any CORS calls are involved (see CORS POST validation).
- Use wildcards cautiously. Avoid enabling Shape protection for more URLs than required by adding wildcards.
C. Mobile Application Best Practices
- When decorating requests, add Shape telemetry only to those requests which are also configured in Silverline as protected URLs. This avoids consuming bandwidth unnecessarily.
- Before onboarding the mobile app, identify all URLs which need to be configured.
- Ideally, the Shape SDK is integrated into apps that have a forced-upgrade capability, so that you can move users onto the protected version of the app.
- Shape recommends that you implement the integration as described in the SDK documentation. If you plan to deviate from those recommendations, please explore the knowledge base for other integration considerations.
- Initialize the Shape SDK as early as possible in the app lifecycle to ensure the SDK is initialized and ready to add headers before a protected request is made.
- Make sure an application version marker is included in the User-Agent header of the request, for example:
"User-Agent: sometext MyApp/3.3 sometext"
This allows you to examine traffic filtered by a specific version of your app.
- Make sure to execute parseResponse() for all responses returned to protected requests.
- Do not send the same set of headers more than once.
- If you use Push Notifications on Android, there are special integration considerations when push notifications are sent to many apps at once.
- The Shape SDK is already obfuscated. If you apply code obfuscation to your app, exclude the Shape SDK so that it is not obfuscated a second time.
- In the test environment, consider keeping your endpoints in Block mode. This way, SDK integration problems will be discovered early.