Url Encryption Handler

Purpose

The Url Encryption Handler only has an effect when the Session Handler is also active. In detection mode, the Url Encryption Handler is ignored.

The Url Encryption Handler implements session-specific encrypted URLs. If the first request within a session is to a page that isn't included in the defined entry point list, the Url Encryption Handler redirects the request to a defined main page. The handler then dynamically encrypts all links to pages located below this main page in the directory structure.

As a result, users can only access the entry point pages or the main page directly. All other pages can only be reached via a link within your web application, and that link is encrypted. The encrypted URL depends on the individual session, so two users never see the same encrypted URL, and an encrypted URL becomes invalid when its session ends.
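The following model shows the mechanism described above in working code. It is an added example, not vWAF's implementation, and it assumes a few things the page does not state: a hypothetical /_enc/ prefix for encrypted links, a per-session key derived from a master key and the session id, and HMAC-SHA256 used both as a counter-mode stream cipher and as the authentication tag so the example runs with the Python standard library alone. The main page (/) and the entry point patterns (/favicon\.ico, /robots\.txt) are the page's own example values.

```python
"""Model of session-specific URL encryption (constructed example, not vWAF code)."""
import base64
import binascii
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Handler attributes as the page describes them (values are the page's examples).
MAIN_PAGE = "/"
ENTRY_POINTS = [re.compile(p) for p in (r"/favicon\.ico", r"/robots\.txt")]
CONTENT_TYPES = {"text/html"}
# Hypothetical prefix marking an encrypted link; vWAF's real encoding is not documented here.
TOKEN_PREFIX = "/_enc/"
NONCE_LEN = 8
TAG_LEN = 16


def session_key(master_key: bytes, session_id: str) -> bytes:
    """Derive a per-session key, so the same path encrypts differently for every session."""
    return hmac.new(master_key, b"url-encryption:" + session_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_path(key: bytes, path: str, nonce: Optional[bytes] = None) -> str:
    """Encrypt-then-MAC a path into an opaque URL that is only valid for this session key."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    plaintext = path.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")
    return TOKEN_PREFIX + token


def decrypt_path(key: bytes, url_path: str) -> Optional[str]:
    """Return the original path, or None if the URL was not issued for this session."""
    if not url_path.startswith(TOKEN_PREFIX):
        return None
    token = url_path[len(TOKEN_PREFIX):]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # other session, expired session or tampered token
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8", errors="replace")


def is_entry_point(path: str) -> bool:
    """The main page and the configured entry points may be requested directly."""
    return path == MAIN_PAGE or any(rx.fullmatch(path) for rx in ENTRY_POINTS)


def handle_request(key: bytes, path: str) -> Tuple[str, str]:
    """Decide what the handler does with a request: ("allow", real_path) or ("redirect", MAIN_PAGE)."""
    if is_entry_point(path):
        return ("allow", path)
    real = decrypt_path(key, path)
    if real is not None and real.startswith(MAIN_PAGE):
        return ("allow", real)
    # Directly typed, guessed or foreign-session URL: send the user to the main page.
    return ("redirect", MAIN_PAGE)


def rewrite_links(key: bytes, content_type: str, html: str) -> str:
    """Encrypt every href below MAIN_PAGE in a response of a configured content type."""
    if content_type not in CONTENT_TYPES:
        return html  # the handler only analyses the configured content types

    def _sub(m: "re.Match") -> str:
        target = m.group(1)
        if is_entry_point(target) or not target.startswith(MAIN_PAGE):
            return m.group(0)
        return f'href="{encrypt_path(key, target)}"'

    return re.sub(r'href="(/[^"]*)"', _sub, html)
```

Because the tag is keyed with the session key, a token copied from one session fails verification in another and falls through to the redirect, which is the property that makes the URLs unbookmarkable and unquotable; the random nonce additionally makes repeated links to the same page differ within one session.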

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Use the Url Encryption Handler to prevent users from accessing certain pages of your web application directly and from guessing or tampering with URLs. Because the encrypted URLs change with each session, it is also impossible to bookmark a specific page or to quote a URL in a magazine article, for example. If you only want to prevent deep linking without encrypting URLs, use the Entry Point Handler instead.

Attributes

The handler has the following attributes (each attribute name is followed by its meaning):

content types

To achieve maximum performance, the handler only analyzes requests of the content types listed here.

mainpage

Main page to which the user is redirected if the first request in a session is to a page that isn't included in the entrypoints list. Specifying the subdirectory is sufficient here.

Example: /

entrypoints

List of permissible entry points to your web application. Here you must specify all files that typically aren't reached via a link, such as a favicon or the robots.txt file. (For details on the syntax, see Regular Expressions.)

Examples:

/favicon\.ico

/robots\.txt

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller if the handler creates a large number of entries that you don't need.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.