ADC

Managing content types

Web servers add a Content-Type header with a MIME/type definition for each content type. Web servers serve many different types of content. For example, standard HTML is assigned the “text/html” MIME type. JPG images are assigned the “image/jpeg” or “image/jpg” content type. A normal web server can serve different types of content, all defined in the Content Type header by the assigned MIME/type.

Many Web App Firewall filtering rules are designed to filter a specific content type. The filtering rules apply to one type of content such as HTML and are often inappropriate when filtering a different type of content (such as images). As a result, the Web App Firewall attempts to determine the content type of requests and responses before it filters them. If a web server or browser does not add a Content-Type header to a request or response, the Web App Firewall applies a default content type and filters content accordingly.

The default content type is usually “application/octet-stream” with the most generic MIME/type definition. The MIME/type is appropriate for any content type a web server is likely to serve. But does not provide much information to the Web App Firewall to allow it to choose appropriate filtering. If a protected web server is configured to add accurate content type headers, you can then create a profile for the web server and assign a default content type to it. This is done to improve both the speed and the accuracy of filtering.

You can also configure a list of allowed request content types for a specific profile. When this feature is configured, if the Web App Firewall filters a request that does not match one of the allowed content types, it blocks the request.

Requests must always be of either the “application/x-www-form-urlencoded”, “multipart/form-data,” or “text/x-gwt-rpc” types. The Web App Firewall blocks any request that has any other content type designated.

Note

You cannot include the “application/x-www-form-urlencoded” or “multipart/form-data” content types on the allowed response content types list.

To set the default request content type by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> -requestContentType <type>
  • save ns config

Example

The following example sets the “text/html” content type as the default for the specified profile:

set appfw profile profile1 -requestContentType "text/html"
save ns config
<!--NeedCopy-->

To remove the user-defined default request content type by using the command line interface

At the command prompt, type the following commands:

  • unset appfw profile <name> -requestContentType <type>
  • save ns config

Example

The following example unsets the default content type of “text/html” for the specified profile, allowing the type to revert to “application/octet-stream”:

unset appfw profile profile1 -requestContentType "text/html"
save ns config
<!--NeedCopy-->

Note

Always use last content-type header for processing and remove remaining content-type headers if any that ensures that the back-end server receives a request with only one content-type.

To block requests that can be bypassed, add a Web App Firewall policy with rule as HTTP.REQ.HEADER (“content-type”).COUNT.GT(1)’ and profile as appfw_block.

If a request is received without a Content-Type header or if the request has Content-Type header without any value, Web App Firewall applies the configured RequestContentType value and processes the request accordingly.

To set the default response content type by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> -responseContentType <type>
  • save ns config

Example

The following example sets the “text/html” content type as the default for the specified profile:

set appfw profile profile1 -responseContentType "text/html"
save ns config
<!--NeedCopy-->

To remove the user-defined default response content type by using the command line interface

At the command prompt, type the following commands:

  • unset appfw profile <name> -responseContentType <type>
  • save ns config

Example

The following example unsets the default content type of “text/html” for the specified profile, allowing the type to revert to “application/octet-stream”:

unset appfw profile profile1 -responseContentType "text/html"
save ns config
<!--NeedCopy-->

To add a content type to the allowed content types list by using the command line interface

At the command prompt, type the following commands:

  • bind appfw profile <name> -ContentType <contentTypeName>
  • save ns config

Example

The following example adds the “text/shtml” content type to the allowed content types list for the specified profile:

bind appfw profile profile1 -contentType "text/shtml"
save ns config
<!--NeedCopy-->

To remove a content type from the allowed content types list by using the command line interface

At the command prompt, type the following commands:

  • unbind appfw profile <name> -ContentType <contentTypeName>
  • save ns config

Example

The following example removes the “text/shtml” content type from the allowed content types list for the specified profile:

unbind appfw profile profile1 -contentType "text/shtml"
save ns config
<!--NeedCopy-->

Manage urlencoded and multipart-form content types

The NetScaler Web App Firewall now enables you to configure Urlencoded and Multipart-Form content types for forms. The content type configuration is similar to XML and JSON list. Based on the configuration, Web App Firewall classifies the requests and inspects for urlencoded or multipart-form content type.

To configure Web App Firewall profile with Urlencoded and Multipart-Form content types At the command prompt, type:

bind appfw profile p2 -contentType <string>

Example:

bind appfw profile p2 -contentType UrlencodedFormContentType

bind appfw profile p2 -ContentType appfwmultipartform

To manage the default and allowed content types by using the GUI

  1. Navigate to Security > Web App Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit. The Configure Web App Firewall Profile dialog box is displayed.
  3. The Configure Web App Firewall Profile dialog box, click the Settings tab.
  4. On the Settings tab, scroll down about halfway to the Content Type area.
  5. In the Content Type area, configure the default request or response content type:
    • To configure the default request content type, type the MIME/type definition of the content type you want to use in the Default Request text box.
    • To configure the default response content type, type the MIME/type definition of the content type you want to use in the Default Response text box.
    • To create a new allowed content type, click Add. The Add Allowed Content Type dialog box is displayed.
    • To edit an existing allowed content type, select that content type, and then click Open. The Modify Allowed Content Type dialog box is displayed.
  6. To manage the allowed content types, click Manage Allowed Content Types.
  7. To add a new content type or modify an existing content type, click Add or Open, and in the Add Allowed Content Type or Modify Allowed Content Type dialog box, do the following steps.
    1. Select/clear the Enabled check box to include the content type in, or exclude it from, the list of allowed content types.

    2. In the Content Type text box, type a regular expression that describes the content type that you want to add, or change the existing content type regular expression.

      Content types are formatted exactly as MIME type descriptions are.

      Note:

      You can include any valid MIME type on the allowed contents type list. Since many types of document can contain active content and therefore can potentially contain malicious content, you must exercise caution when adding MIME types to this list.

    3. Provide a short description that explains the reason for adding this particular MIME type to the allowed contents type list.

    4. Click Create or OK to save your changes.

  8. Click Close to close the Manage Allowed Content Types dialog box and return to the Settings tab.
  9. Click OK to save your changes.

To manage Urlencoded and Multipart-form content types by using the NetScaler GUI

  1. Navigate to Security > Web App Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile page, select the Profile Settings in the Advanced Settings section.
  4. Under Inspected Content Type section, set the following parameters:

    1. application/x-www-form-urlencoded. Select the checkbox to inspect Urlencoded content type.
    2. multipart/form-data. Select the check to inspect Multipart-form content type.
  5. Click OK.

Managing content