Authentication Enforcement
CloudGuard WAF’s Authentication Enforcement ensures that only authorized requests can access your protected web application. It validates incoming requests against the configured authentication type and can detect/block unauthenticated or improperly authenticated traffic.
⚠️ Beta Feature: This feature is currently in beta and may be subject to changes. Functionality, configuration options, and behavior could change in future releases. We recommend testing in a non-production environment before deploying to live systems.
Configuration Options

- Authentication Type: Currently, only JWT (JSON Web Token) is supported.
- Existence Verification: Ensures that an authentication token is present.
- Authentication Expiration: Validates that the token has not expired.
- Signature Verification: Verifies the JWT signature using the uploaded public key.
Unauthenticated Endpoints
By default, this protection applies to the entire asset.
- If you want to exclude specific URIs from enforcement, you can define them here.
Response Code for Unauthorized Access
By default, a blocked request receives a 403 response status code. Because clients typically expect 401 for a missing or invalid credential, this can cause unexpected behavior. The following section explains how to configure a 401 response code to align with authentication best practices.
To return a 401 Unauthorized response for blocked requests, follow the steps below:
- Create a dedicated Web User Response with the following configuration:
  - Mode: Response Code Only
  - HTTP Response Code: 401
- Assign the Web User Response to the practice.
- Enforce Policy.
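The Go program below is an added illustration, not CloudGuard's implementation or API. It models the enforcement described on this page: requests to the configured unauthenticated endpoints pass without a token, every other request must carry a JWT that exists, has not expired, and verifies against the uploaded public key (RS256 assumed), and a blocked request is answered with 401 as configured above. `Mint` exists only to construct a sample token; `Enforce`, its excluded-URI slice and the `Bearer` header handling are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Mint issues an RS256 JWT whose only claim is "exp", giving the example a constructed token.
func Mint(key *rsa.PrivateKey, exp int64) string {
	claims, _ := json.Marshal(map[string]int64{"exp": exp})
	signing := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(claims)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig)
}

// Enforce returns 0 to pass a request and 401 to block it; excluded URIs skip all checks.
func Enforce(excluded []string, pub *rsa.PublicKey, path, authz string, now int64) int {
	for _, u := range excluded {
		if path == u {
			return 0 // unauthenticated endpoint: no token required
		}
	}
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if authz == "" || len(parts) != 3 {
		return 401 // existence: token missing or not a three-segment JWT
	}
	tok := map[string]any{} // header fields and payload claims merged into one map
	hdr, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdr, &tok) != nil || json.Unmarshal(body, &tok) != nil {
		return 401 // malformed header or payload
	}
	if exp, _ := tok["exp"].(float64); int64(exp) <= now {
		return 401 // expiration: "exp" missing (decodes as 0) or already in the past
	}
	// Signature: pin the algorithm to the uploaded key type so the token cannot choose its own.
	if h := sha256.Sum256([]byte(parts[0] + "." + parts[1])); tok["alg"] != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return 401
	}
	return 0
}
```

The 403 versus 401 choice from the steps above is just the value returned for a blocked request; the order of the checks is what determines which misconfiguration (missing token, stale token, wrong key) a 401 actually reports.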