Product Documentation

Managing Content Types

Jun 27, 2017

Web servers usually add a Content-Type header that contains a MIME/type definition for the type of content in each file that the web server serves to users. Web servers serve many different types of content. For example, standard HTML is assigned the "text/html" MIME type. JPG images are assigned the "image/jpeg" or "image/jpg" content type. A normal web server can serve dozens or hundreds of different types of content, all defined in the Content Type header by an assigned MIME/type.

Many application firewall filtering rules are designed to filter specific types of content. Because filtering rules that apply to one type of content (such as HTML) are often inappropriate when filtering a different type of content (such as images), the application firewall attempts to determine the content type of requests and responses before it filters them. When a web server or browser does not add a Content-Type header to a request or response, the application firewall applies a default content type to the connection and filters the content accordingly.

The default content type is normally "application/octet-stream", the most generic MIME/type definition.This MIME/type is appropriate for any type of content that a web server is likely to serve, but also does not provide much information to the application firewall to allow it to choose appropriate filtering. If a protected web server on your network is configure to add accurate content type headers to the content it serves, or serves only one type of content, you can create a profile for that web server and assign a different default content type to it to improve both the speed and the accuracy of filtering.

You can also configure a list of allowed response content types for a specific profile. When this feature is configured, if the application firewall filters a response that does not match one of the allowed content types, it blocks the response.  After upgrade from release 10.5 to 11.0,  unknown content-types which are not in the default allowed content-type list do not bind.  You can add other content-types which you want to be allowed to the relaxed rules.

Requests must always be of either the "application/x-www-form-urlencoded",  "multipart/form-data", or "text/x-gwt-rpc" types. The application firewall blocks any request that has any other content type designated.

Note

You cannot include the "application/x-www-form-urlencoded" or "multipart/form-data" content types on the allowed response content types list.

To set the default request content type by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> -requestContentType <type>
  • save ns config

Example

The following example sets the "text/html" content type as the default for the specified profile:

set appfw profile profile1 -requestContentType "text/html" 
save ns config

To remove the user-defined default request content type by using the command line interface

At the command prompt, type the following commands:

  • unset appfw profile <name> -requestContentType <type>
  • save ns config

Example

The following example unsets the default content type of "text/html" for the specified profile, allowing the type to revert to "application/octet-stream":

unset appfw profile profile1 -requestContentType "text/html" 
save ns config

Note

Always use last content-type header for processing and remove remaining content-type headers if any that ensures that the backend server receives a request with only one content-type. 

To block requests that can be bypassed, add an Application Firewall policy with rule as HTTP.REQ.HEADER ("content-type").COUNT.GT(1)' and profile as appfw_block.

If a request is received without a Content-Type header or if the request has Content-Type header without any value, Application Firewall applies the configured RequestContentType value and processes the request accordingly.

To set the default response content type by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> -responseContentType <type>
  • save ns config

Example

The following example sets the "text/html" content type as the default for the specified profile:

set appfw profile profile1 -responseContentType "text/html" 
save ns config

To remove the user-defined default response content type by using the command line interface

At the command prompt, type the following commands:

  • unset appfw profile <name> -responseContentType <type>
  • save ns config

Example

The following example unsets the default content type of "text/html" for the specified profile, allowing the type to revert to "application/octet-stream":

unset appfw profile profile1 -responseContentType "text/html" 
save ns config

To add a content type to the allowed content types list by using the command line interface

At the command prompt, type the following commands:

  • bind appfw profile <name> -ContentType <contentTypeName>
  • save ns config

Example

The following example adds the "text/shtml" content type to the allowed content types list for the specified profile:

bind appfw profile profile1 -contentType "text/shtml" 
save ns config

To remove a content type from the allowed content types list by using the command line interface

At the command prompt, type the following commands:

  • unbind appfw profile <name> -ContentType <contentTypeName>
  • save ns config

Example

The following example removes the "text/shtml" content type from the allowed content types list for the specified profile:

unbind appfw profile profile1 -contentType "text/shtml" 
save ns config

To manage the default and allowed content types by using the configuration utility

  1. Navigate to Security > Application Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit. The Configure Application Firewall Profile dialog box is displayed.
  3. In the Configure Application Firewall Profile dialog box, click the Settings tab
  4. On the Settings tab, scroll down about halfway to the Content Type area.
  5. In the Content Type area, configure the default request or response content type:
    • To configure the default request content type, type the MIME/type definition of the content type you want to use in the Default Request text box.
    • To configure the default response content type, type the MIME/type definition of the content type you want to use in the Default Response text box.
    • To create a new allowed content type, click Add. The Add Allowed Content Type dialog box is displayed.
    • To edit an existing allowed content type, select that content type, and then click Open. The Modify Allowed Content Type dialog box is displayed.
  6. To manage the allowed content types, click Manage Allowed Content Types.
  7. To add a new content type or modify an existing content type, click Add or Open, and in the Add Allowed Content Type or Modify Allowed Content Type dialog box, do the following steps.
    1. Select/clear the Enabled check box to include the content type in, or exclude it from, the list of allowed content types.
    2. In the Content Type text box, type a regular expression that describes the content type that you want to add, or change the existing content type regular expression.

      Content types are formatted exactly as MIME type descriptions are.

      Note: You can include any valid MIME type on the allowed contents type list. Since many types of document can contain active content and therefore could potentially contain malicious content, you should exercise caution when adding MIME types to this list.
    3. In the Comments text box, add an optional comment that describes the reason for adding this particular MIME type to the allowed contents type list.
    4. Click Create or OK to save your changes.
  8. Click Close to close the Manage Allowed Content Types dialog box and return to the Settings tab.
  9. Click OK to save your changes.