Authentication Enforcement

Overview

CloudGuard WAF’s Authentication Enforcement ensures that only authorized requests can access your protected web application. It validates incoming requests against the configured authentication type and can detect/block unauthenticated or improperly authenticated traffic.

How to set up Authentication Enforcement

Configuration Options

Authentication Type Currently, only JWT (JSON Web Token) is supported.
Existence Verification Ensures that an authentication token is present.
Authentication Expiration Validates that the token has not expired.

A default tolerance period of 5 minutes is applied to the expiration time.

Signature Verification Verifies the JWT using the uploaded public key.

Signature Verification supports the following asymmetric algorithms: RS256, RS512, ES256, ES385, ES512.

Unauthenticated Endpoints

By default, this protection applies to the entire asset.

If you want to exclude specific URIs, you can define them here.

Response Code for Unauthorized Access

The default response status code is 403 when a request is blocked, which might cause unexpected behavior, the following section explains how to configure 401 response code to align with authentication best practices.

To return a 401 Unauthorized response for blocked requests follow the steps bellow:

create a dedicated Web User Response, with the following configurations:
- Mode: Response Code Only
- HTTP Response Code: 401

Assign the Web User Response to the practice.

Enforce Policy.

PreviousEnforce API Schema NextAPI Security Testing (Coming Soon)

Last updated 2 months ago

Was this helpful?