Section – HTTP Parameter Pollution Detection - Same Type
This feature prevents HTTP parameter pollution attempts using duplicate parameters with the same type. Parameter names are treated case-insensitively. For instance, this is the case if the same parameter is added multiple times as a POST parameter. The following parameter types are distinguished:
- Query parameters
- Path parameters. A path segment is interpreted as a parameter if it is of the form “name=value;”.
- Additional query parameters for encrypted URLs.
- POST parameters
Join values of duplicate parameters
If enabled, all the different values for a parameter are joined by commas in order of appearance. The aggregate value is then checked against deny rules as if it had been submitted as an original value by the client.