Protecting your web application by using a firewall
IBM Content Navigator is deployed with the ESAPI Web Application Firewall.
The ESAPI Web Application Firewall is configured as a servlet filter in front of all IBM Content Navigator web services. An XML policy file contains the rules for the firewall to enforce. These rules can range from simple virtual patching to complex authorization enforcement with BeanShell scripts. The policy file for the firewall is stored in the IBM Content Navigator web application.
The file name of the policy file is install_dir/WEB-INF/ESAPIWafPolicy.xml.default. For releases earlier than V3.0.8, the file name of the policy file is install_dir/WEB-INF/ESAPIWafPolicy.xml.
To protect the web application from known security vulnerabilities, you can modify the policy file to add rules and block services. For more information about the structure of the policy file, the individual rules and how they work, and examples, see Web Application Firewall Policy File Specification.
Important: The default policy does not allow external resources to be loaded unless HTTPS is used. It also does not allow IBM Content Navigator to be embedded in external hosts, even when HTTPS is used, which prevents the IBM Content Navigator Web Parts from being loaded. For information about using a custom policy file to remove these restrictions, see How to configure the Content Security Policy header in IBM Content Navigator.
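The following custom policy is an added example, not the IBM Content Navigator default policy: it shows a virtual patch that allow-lists one request parameter, an HTTPS requirement, a blocked file extension, and session-cookie hardening. Element and attribute names follow the ESAPI WAF policy specification as recalled here and should be checked against that specification before use; the service path, parameter name and pattern are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of a custom ESAPI WAF policy for IBM Content Navigator.
     Not the product's default policy; element names per the ESAPI WAF policy
     specification as recalled, verify against the spec. Paths, parameter names
     and patterns below are constructed. -->
<policy>
    <settings>
        <!-- "block" rejects a matching request. "log" only records the match,
             which is the safer mode while a new rule is tested against real
             traffic, because a too-strict pattern would otherwise cause outages. -->
        <mode>block</mode>
        <error-handling>
            <default-redirect-page>/error.jsp</default-redirect-page>
            <block-status>403</block-status>
        </error-handling>
    </settings>

    <url-rules>
        <!-- Require TLS for every path served by the web application. -->
        <enforce-https path="/.*"/>
        <!-- Never serve files with this extension, whatever the deployment layout. -->
        <restrict-extension extension=".properties"/>
    </url-rules>

    <virtual-patches>
        <!-- Virtual patch: the hypothetical service /exampleService takes a
             docId parameter. Only an allow-listed token of bounded length is
             accepted; anything else is rejected before the servlet runs. -->
        <virtual-patch id="1001"
                       path="/exampleService"
                       variable="request.parameters.docId"
                       pattern="^[A-Za-z0-9{}_-]{1,64}$"
                       message="docId failed input validation"/>
    </virtual-patches>

    <outbound-rules>
        <!-- Harden the session cookie on the way out, independent of
             application-server settings. -->
        <add-http-only-flag><cookie name="JSESSIONID"/></add-http-only-flag>
        <add-secure-flag><cookie name="JSESSIONID"/></add-secure-flag>
    </outbound-rules>
</policy>
```

Deploy such a file as the Custom web application firewall policy described in the procedure that follows; the Default setting keeps the policy file that ships with the product.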
- Using the IBM Content Navigator Configuration and Deployment tool
  1. Open the profile by using the IBM Content Navigator Configuration and Deployment tool.
  2. Select the Configure the IBM Content Navigator Web Application task and edit it.
  3. For the Web application firewall policy option, specify Default or Custom. If you specify Custom, you must enter the path for the web application firewall policy file.
  4. Save your changes.
- Using the command-line interface
  - For detailed instructions, see How to add the Web application firewall policy option in the configurateicntask.xml file.