Section – HTTP Parameter Pollution Detection - Mixed Types

This feature prevents HTTP parameter pollution attempts using duplicate parameters with the same name but different types. Parameter names are treated case-insensitively. The following parameter types are distinguished:

  • Query parameters
  • Path parameters.
    • A path segment is interpreted as a parameter if it matches the pattern name=value;.
  • Additional query parameters for encrypted URLs.
  • POST parameter

GUI

Description

Block duplicate parameters

If enabled, requests are blocked when the same parameter name is used across different parameter types — e.g., a request is blocked if the parameter id is present both as a POST parameter and as a query parameter.

Log only

If enabled, threat handling for duplicate parameters is set to log only instead of blocking.

Parameter name exception pattern

Use the exception pattern to exclude parameters from the parameter pollution detection.