Can I have URLs not on Allowed List trigger a 404 instead of a 200?
How can I 404 anything that's not on the Approved URL list instead of returning the Default Response page which is an HTTP 200?
I have a small web application which is encompassed by about a dozen Allowed URL entries. For violations on these URLs, of course, I want the standard Default Response to go out at an HTTP 200 with useful text:
Your support ID is: <%TS.request.ID()%>
For any other URL that hits the system - and I'm sure there'll be a lot of them when someone scans it - I don't care to give away information by sending what is clearly an F5 ASM support ID, and I don't care to encourage the scanning tool with an HTTP 200 response when a 404 is appropriate.
I had been thinking I could just check the ASM violation in an ASM_REQUEST_BLOCKING event and modify the response, similarly to the way that ASM::payload allows me to adjust the text that the ASM is sending. But I don't see any method for changing the HTTP response code; even HTTP::response is read-only.
Is there a supported way to issue a different response page for VIOLATION_OBJ_DOESNT_EXIST? Alternately, is there a way to adjust it with an iRule?
Any help appreciated.