| UI | Description |
|---|---|
| Default request character set | Sets the charset that is used for HTTP requests that arrive from the client without a content-type header. If a content-type header is present, Airlock Gateway uses the information from the header to decode the request. |
| Enforce UTF-8 for request path ¹ | If enabled, UTF-8 is enforced for the HTTP request path. See also: Section – Basic Call Verification |
| Enforce UTF-8 for request headers ¹ | If enabled, UTF-8 is enforced for the HTTP request headers. |
| Enforce UTF-8 for request parameters ¹ | If enabled, UTF-8 is enforced for the HTTP request parameters. |
| WebSocket handling | Enables support for the WebSocket protocol as defined in RFC 6455. |
| Deliver error page by redirect | Specifies whether error and maintenance pages are delivered in place or if an HTTP redirect pointing to them is sent to the client. |

¹ With UTF-8 enforcing enabled, Airlock Gateway will block overlong UTF-8.
Blocked request character sets
Parameter values that are sent in HTTP requests from the client are encoded in a defined charset. Many attacks are based on injecting special characters in a different encoding or charset to the application server.
In rare cases, a request uses a charset other than those defined under Default request character set but should not be blocked by Airlock Gateway.
To allow other charsets, you can add the following line to the expert settings (Submenu – Security Gate / Apache):

```
parameterNormalization.blockUnsupportedCharset "FALSE"
```

- TRUE (default) – Airlock Gateway blocks any requests with unsupported values in the content-type header.
- FALSE – Airlock Gateway treats the request in the same way as if no content-type header was set.