Multiple parameter decoding
Request parameters are decoded according to HTTP standards and then filtered by deny rules when Request.MaxEncodingLevel is set to “0”. For example, form parameters and query parameters (URL parameters) are percent-decoded before being checked by deny rules.
However, our default strategy to prevent advanced encoding attacks is to perform multiple consecutive decoding passes with Request.MaxEncodingLevel “3” and to check the resulting parameters after each pass.
Security Gate Expert Settings:
- Our default (and recommended) configuration for consecutive decoding passes is Request.MaxEncodingLevel “3”.
- Setting Request.MaxEncodingLevel to “0” deactivates our advanced encoding attack prevention but does not disable the minimal decoding required by the HTTP standards.
Reducing false positives
Deny rule exceptions can only be created based on the parameters as decoded according to the HTTP standards, because only these parameters are exposed and logged.
- Policy learning can help you quickly find and create deny rule exceptions to reduce frequent false positives.
- Reducing the number of consecutive decoding passes by selecting a lower Request.MaxEncodingLevel in the Security Gate Expert Settings is also possible. However, we do not recommend reducing the number of decoding passes, because this weakens the protection against advanced encoding attacks.
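As an added example (not Airlock's own code) of how the number of decoding passes changes what the deny rules see, and why exceptions can only target the HTTP-standard (level-0) form: the Python snippet below assumes that level 0 means a single percent-decoding pass and that each higher Request.MaxEncodingLevel adds one more pass, and it uses constructed deny rules and constructed sample values.

```python
import re
from urllib.parse import unquote

# Constructed deny rules for this demo (not Airlock's rule set): patterns that
# must never appear in a decoded parameter value.
DENY_RULES = [
    ("script_tag", re.compile(r"<script", re.IGNORECASE)),
    ("path_traversal", re.compile(r"\.\./")),
]


def decode_passes(value: str, max_encoding_level: int) -> list[str]:
    """Return the decoded forms of a parameter value, one entry per pass.

    Index 0 is the minimal HTTP-standard percent-decoding, which is always
    applied (Request.MaxEncodingLevel "0"). Each further level adds one more
    decoding pass (assumed semantics). Decoding stops early once a pass no
    longer changes the value, so plain values are not decoded needlessly.
    """
    forms = [unquote(value)]
    for _ in range(max_encoding_level):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms


def check_parameter(value: str, max_encoding_level: int) -> dict:
    """Run the deny rules against every decoding pass of a parameter value.

    'logged_value' is always the level-0 form: only that form is exposed and
    logged, so deny rule exceptions can be written against it alone, not
    against the deeper passes that actually triggered the match.
    """
    forms = decode_passes(value, max_encoding_level)
    for level, form in enumerate(forms):
        for name, rule in DENY_RULES:
            if rule.search(form):
                return {"blocked": True, "rule": name, "matched_at_level": level,
                        "matched_value": form, "logged_value": forms[0]}
    return {"blocked": False, "rule": None, "matched_at_level": None,
            "matched_value": None, "logged_value": forms[0]}


if __name__ == "__main__":
    # Constructed sample values: single-, double- and triple-percent-encoded.
    for sample in ("%3Cscript%3E", "%253Cscript%253E", "%25253Cscript%25253E"):
        for level in (0, 3):
            print(level, sample, check_parameter(sample, level))
```

With level “0” only the single-encoded value is blocked; with level “3” the double- and triple-encoded values are caught at passes 1 and 2, while the logged value in every case remains the level-0 form.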