Mohamed_Lrhazi
Aug 10, 2019

Brute force protection for an API endpoint (no login page)?

Hello,

Configuring Brute force protection entails declaring the login page(s). Is it possible to use this protection on a site where every page is a login page, in a sense? It's an API endpoint and each request includes an HTTP authentication header, and can succeed or fail based on the provided credentials.

Can the ASM track failures on such a site? Any documentation or clues on how to go about it are highly appreciated.


Thanks a lot.

3 Replies

  • Hello Mohamed.

    Actually, you have a default "Brute Force Attack Prevention" profile which applies to all the URLs not manually defined.

    "You can add default brute force protection when creating a security policy using the Deployment wizard. If you do, the policy simply needs to know for which login pages to enforce brute force protection. The system creates a default brute force configuration that applies to all defined login URLs that are not associated with any other brute force configuration."

    REF - https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/6.html

    See this path ->

    Security > Application Security > Anomaly Detection > Brute Force Attack Prevention

    KR,

    Dario.

    • Dario_Garrido

      Glad to hear this!

      Please, if my answer was helpful, don't forget to mark it as "the best" or give me some upvotes.

      KR,

      Dario.