Authentication Protection
CloudGuard WAF’s Authentication protection ensures that only authorized requests can access your protected web application. It validates incoming requests against the configured authentication type and can detect/block unauthenticated or improperly authenticated traffic.
⚠️ Beta Feature: This feature is currently in beta and may be subject to change. Functionality, configuration options, and behavior could change in future releases. We recommend testing in a non-production environment before deploying to live systems.
Configuration Options

Authentication Type: Currently, only JWT (JSON Web Token) is supported.
Existence Verification: Ensures that an authentication token is present.
Authentication Expiration: Validates that the token has not expired.
Signature Verification: Verifies the JWT signature using the uploaded public key.
Unauthenticated Endpoints
By default, this protection applies to the entire asset.
If you want to exclude specific URIs, you can define them here.
Response Code for Unauthorized Access
By default, a blocked request receives a 403 response status code, which might cause unexpected behavior. The following section explains how to configure a 401 response code to align with authentication best practices.
To return a 401 Unauthorized response for blocked requests, follow the steps below:

1. Create a dedicated Web User Response with the following configuration:
   Mode: Response Code Only
   HTTP Response Code: 401

2. Assign the Web User Response to the practice.

3. Enforce Policy.