HCP Gateway Application

Introduction

This readme describes the HCC Gateway application and its current configuration, which now includes a Web Application Firewall (WAF). It addresses issues that clients may encounter when requests are blocked with HTTP status code 403 FORBIDDEN.

Application Overview

The HCC Gateway application serves as an interface between our customers and our services. Its primary purpose is to facilitate secure and efficient communication between the two parties.

Issue Description

To enhance security, the HCC Gateway now incorporates a Web Application Firewall (WAF). While this is a positive step towards protecting our infrastructure, it can lead to certain limitations that affect the application's functionality.

Two specific scenarios have been identified that may result in blocked requests:

1. Request Body containing URLs

Requests may be blocked if URLs included in the request body are not properly encoded. Any URL within the request body must be correctly encoded for the request to be processed successfully.

POST /sessions API:

  • config.privacypolicyurl
  • appearance.font.fontSources.cssSrc
  • appearance.merchantlogo

Remediation

When making any POST requests, ensure that any URLs included in the request body are properly encoded. Utilize URL encoding techniques such as percent-encoding to achieve this.
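The following helper is an added example, not code from the HCC Gateway project: it percent-encodes the URL-valued fields named above before a POST /sessions body is serialized. The dotted field paths come from this readme; the shape of the surrounding payload and the sample values are assumptions for the example. Values are encoded with an empty safe set, so "/", ":", "?" and "&" no longer appear as raw URL syntax in the body.

```python
"""Percent-encode URL fields in a POST /sessions request body before sending."""
import json
from urllib.parse import quote, unquote

# Dotted paths of the URL-valued fields listed in this readme. The payload
# structure around them is assumed for the example.
URL_FIELDS = (
    "config.privacypolicyurl",
    "appearance.font.fontSources.cssSrc",
    "appearance.merchantlogo",
)


def encode_url_fields(payload: dict, paths=URL_FIELDS) -> dict:
    """Return a deep copy of payload in which each URL at the given dotted
    paths is percent-encoded (RFC 3986, empty safe set). String values and
    lists of strings are handled; sections that are absent are skipped."""
    body = json.loads(json.dumps(payload))  # deep copy of JSON-compatible data
    for path in paths:
        *parents, leaf = path.split(".")
        node = body
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break  # optional section not present in this payload
        else:
            value = node.get(leaf)
            if isinstance(value, str):
                node[leaf] = quote(value, safe="")
            elif isinstance(value, list):
                node[leaf] = [quote(v, safe="") if isinstance(v, str) else v for v in value]
    return body


def serialize_session_body(payload: dict) -> bytes:
    """Encode the URL fields and serialize the body as UTF-8 JSON, the form
    in which it would be sent with Content-Type: application/json."""
    return json.dumps(encode_url_fields(payload)).encode("utf-8")


def roundtrip_ok(payload: dict, paths=URL_FIELDS) -> bool:
    """Sanity check: decoding every encoded URL field gives back the original."""
    encoded = encode_url_fields(payload, paths)
    for path in paths:
        orig, enc = payload, encoded
        for key in path.split("."):
            if not (isinstance(orig, dict) and key in orig):
                orig = enc = None
                break
            orig, enc = orig[key], enc[key]
        if isinstance(orig, str) and unquote(enc) != orig:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample payload; field values are placeholders.
    sample = {
        "config": {"privacypolicyurl": "https://example.com/privacy?lang=en&v=2"},
        "appearance": {
            "merchantlogo": "https://cdn.example.com/logo.png",
            "font": {"fontSources": {"cssSrc": "https://fonts.example.com/a.css"}},
        },
        "amount": 1000,
    }
    print(serialize_session_body(sample).decode())
```

The deep copy keeps the caller's original payload untouched, which matters if the same object is logged or reused after the request is sent.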

2. GET Requests with Transfer-Encoding header

GET requests can be blocked if they include the Transfer-Encoding header. The presence of this header triggers the WAF, leading to request blocking. To avoid this, it is important to exclude the Transfer-Encoding header from GET requests.

Remediation

GET Requests: Do not include the Transfer-Encoding header in any GET requests. If the header is necessary for other purposes, consider alternative approaches.

3. Requests missing Accept header

Azure Web Application Firewall (WAF) blocks can occur when requests do not include the required Accept header. The Accept header is an HTTP request header field that specifies the types of content the client is willing to accept from the server. Its absence may trigger the WAF, leading to request blocking.

Some of the APIs affected by this issue are:

  • /token/setup-payment-methods
  • /sessions
  • /payments/{payment_id}
  • /customers/{customer_id}/payment-methods
  • /payment-methods/search

Remediation

GET Requests: Ensure that all GET requests include the required Accept header. The Accept header should specify the types of content the client is willing to accept from the server. By including this header, you can avoid triggering the WAF and prevent request blocking.

4. Other common best practices to avoid WAF blocks

  • GET or HEAD requests should not have a body
  • POST requests should have a valid JSON body
  • Don't include any SQL characters in the request body
  • Encode all URLs in the request body
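As an added example (not part of this readme or the gateway's own client libraries), the pre-flight check below applies the rules from sections 2, 3 and 4 to an outgoing request before it is sent: every request must carry an Accept header, GET and HEAD requests must carry neither a body nor a Transfer-Encoding header, and a POST body must parse as JSON. The header names and methods come from this readme; the function names and the sample requests are assumptions for the example. The SQL-characters rule above is not checked because the readme does not state which characters the WAF matches.

```python
"""Client-side pre-flight check of an outgoing gateway request against the
WAF-related rules in this readme. Returns a list of human-readable problems;
an empty list means the request passes every check implemented here."""
import json
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def preflight_violations(method: str, headers: Dict[str, str],
                         body: Optional[bytes] = None) -> List[str]:
    """Check one request. Rules (from this readme):
    - all requests: Accept header present (section 3)
    - GET/HEAD: no body, no Transfer-Encoding header (sections 2 and 4)
    - POST: body must be valid JSON (section 4)"""
    method = method.upper()
    problems: List[str] = []

    if _header(headers, "Accept") is None:
        problems.append("missing Accept header")

    if method in ("GET", "HEAD"):
        if body:
            problems.append(f"{method} request must not carry a body")
        if _header(headers, "Transfer-Encoding") is not None:
            problems.append("Transfer-Encoding header not allowed on GET/HEAD")

    if method == "POST":
        try:
            json.loads(body or b"")
        except ValueError:  # json.JSONDecodeError is a ValueError
            problems.append("POST body is not valid JSON")

    return problems


def compliant_get_headers(accept: str = "application/json") -> Dict[str, str]:
    """Minimal header set for a GET that satisfies the checks above.
    Content-Length/Transfer-Encoding are deliberately absent: a GET has no body."""
    return {"Accept": accept}


if __name__ == "__main__":
    # Constructed sample requests; paths are from this readme, values are placeholders.
    samples = [
        ("GET", "/payment-methods/search", compliant_get_headers(), None),
        ("GET", "/sessions", {"Transfer-Encoding": "chunked"}, b"not allowed"),
        ("POST", "/sessions", {"Accept": "application/json",
                               "Content-Type": "application/json"}, b'{"amount": 1000}'),
        ("POST", "/sessions", {"Accept": "application/json"}, b"amount=1000"),
    ]
    for method, path, headers, body in samples:
        issues = preflight_violations(method, headers, body)
        print(f"{method} {path}: {'ok' if not issues else '; '.join(issues)}")
```

Running the check in the client before the request leaves the process turns an opaque 403 from the WAF into a specific message, which is cheaper than correlating the block afterwards in the Splunk query described below.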

Further Analysis

  1. The HCP GATEWAY NON-PROD Splunk query shows the Waf_RuleId that caused the block, the URI impacted, the Message, and the Issue, which gives details of the property that caused the block
  2. Azure WAF Rule Set