Management Portal
Runtime configuration of Codesealer Enterprise is possible through the Management Portal.
Access control is possible through Organizations and Users.
Organizations
An Organization is a set of configured Endpoints, and a list of users that are allowed to configure the Organization.
Administrators can create Organizations, add users to them, and define which domains (with wildcards) that the Organization is allowed to control.
Creating a new Organization
Log in as Administrator. If you do not yet have an account, refer to the Management Portal installation chapter for information on how to obtain the Maintenance Administrator credentials.
The first thing you will see is the Organizations page. This can also be reached by clicking Organizations in the side menu.
Click on New Organization, and enter an Organization name.
Allowed Domains
An Organization is only allowed to configure rules for the allowed domains. To specify allowed domains, click on the Organization as administrator.
An allowed domain can be direct, e.g. example.com, or a wildcard, *.example.com. The former gives access to only example.com, while the latter gives access only to direct subdomains of example.com such as sub.example.com.
Multiple domains can be listed, simply click the green plus button.
Users
A User is either an Administrator or belonging to an Organization.
Creating a user
Log in as Administrator. If you do not yet have an account, refer to the Management Portal installation chapter for information on how to get obtain the Maintenance Administrator credentials.
- Click Users in the sidebar.
- Click New User.
- Enter a username for login (e.g. johndoe), a display name (e.g. John Doe), and a password.
- Select the Organization the user should belong to in the drop-down, and select whether the user should be Administrator.
- Click Save Changes.
Changing a user
Log in as Administrator. If you do not yet have an account, refer to the Management Portal installation chapter for information on how to obtain the Maintenance Administrator credentials.
- Click Users in the sidebar.
- Click on the user you wish to change.
- Make the changes you wish to make, and click Save Changes.
Deleting a user
Log in as Administrator. If you do not yet have an account, refer to the Management Portal installation chapter for information on how to obtain the Maintenance Administrator credentials.
- Click Users in the sidebar.
- Click on the user you wish to delete.
- Click Delete User.
Changing password or display name
Administrators can change passwords use the "Changing a user" method above.
A user can change their password or display name by clicking on their name in the upper right corner, and selecting Profile.
Make the changes you wish to make, and click Save Changes.
Endpoints
Endpoints specify rules for routing traffic and applying protection.
If you are logged in as an Administrator, click Organizations in the sidebar and click on the Organization you wish to add Endpoints to. If you are logged in as a user belonging to an Organization, simply click Endpoints in the side menu.
Enter the "Incoming URL", e.g. "https://example.com". When a Codesealer Worker receives a request for this URL, it will apply the rules of this Endpoint. An incoming Endpoint prefix with an asterisk for the subdomain will serve as a subdomain fallback for unknown requests that match no existing Endpoint, i.e. https://a.b.com matches https://*.b.com. An absolute fallback matches everything else, i.e. http://nil.null.com matches http://* if http://*.null.com does not exist. The scheme of the incoming request and the Endpoint must be equal in all cases, i.e. http or https.
Enter the "Outgoing URL", e.g. https://1.2.3.4. When incoming requests are matched as described above, Codesealer Enterprise will forward the request to this target and proxy responses back to the client.
In order to enable protection, either enable "Automatically protect all scripts" or specify selected scripts in the "List of scripts to protect" field.
Click Save Changes. Codesealer Enterprise should now respond to the configured incoming URL.
For a description of all options for Endpoints, see the following section.
General Settings
This section describes the main settings you will need when setting up an endpoint.
Disable
Disables Codesealer protection for this endpoint. Traffic is still forwarded, but new requests will be unprotected.
Disable Mobile
Disable only mobile protection for this endpoint. Mobile clients will revert back to sending unprotected requests. Note that the 'disable' option overrides this option.
Incoming URL
This URL should match the hostname of the Codesealer instance. The reverse proxy will only process and protect requests that match the URL defined in this option - any other requests will result in a 404 Not Found response. Allowed values are URLs of the form
://[:port]
The scheme must be either http or https. The port is optional. A single leading * wildcard is allowed in the hostname. Some examples of wildcard usage is given below:
https://*will match any URL with the https scheme.https://*.example.comwill match any subdomain ofexample.com, but nothttps://example.comitself.https://*example.comwill matchexample.comand any subdomain.https://*:443will match any URL with the https scheme and port 443.https://*.example.com:443will match any subdomain of example.com on port 443.https://example.comwill match the standard porthttps://example.com:443, but nothttps://example.com:1234.
Note that usage of catch-all wildcards can cause issues. For example, setting the incoming URL to https://* will result in all requests being proxied to the outgoing URL. This includes ANP requests for external resources such as scripts hosted at a CDN. In most cases, such wildcard usage will cause problems.
Outgoing URL
This is the address where Codesealer will proxy requests to. Allowed values are URLs of the form
://[:port]
The scheme must be either http or https. The port is optional.
All requests matching the Incoming URL will be sent to this address instead. The request itself will not be altered - in particular, by default the Hostname header will not be modified.
List of scripts to protect
This comma separated list of scripts will select which scripts are protected. Only scripts that occur in HTML <script> tags will be protected this way. The entries need to match the src attribute in corresponding <script> tags exactly. When "Automatically protect all scripts" is enabled, entries in this list can be prefixed with optout: to remove protection from selected scripts.
Automatically protect all scripts
When checked, all scripts that occur in HTML <script> tags are protected by Codesealer Enterprise automatically. Note that scripts inserted dynamically after page load are not protected by this option - see instead the ANP section.
Ignore Remote TLS
When checked, Codesealer will ignore any TLS errors from the backend server. This is for example useful if self-signed or otherwise internal certificates are used.
Use Let's Encrypt for TLS certificate
This option will only appear if all Codesealer Workers support Let's Encrypt certificates. By enabling this option, you agree to the at any time applicable TOS for Let's Encrypt. Note: The DNS Record for the URL specified in "Incoming URL" must point to Codesealer.
TLS Certificate
The TLS certificate presented by Codesealer for this endpoint.
TLS Key
The corresponding TLS private key for the TLS certificate.
ANP Settings
Application Network Protection (ANP) provides a way to protect XmlHttpRequest and fetch requests, allowing for secure dynamic application content.
Scope of XmlHttpRequest Compatibility
It should be noted that ANP will not support all features of XmlHttpRequest and fetch. However, the subset of the functionality it supports should be complete, and allow for XmlHttpRequest and fetch to be replaced with ANP.
Enable ANP on XHR and fetch requests
Enabling this option, all XHR and fetch calls will be automatically replaced by corresponding ANP variants. Essentially, the following code is injected:
var XMLHttpRequest = CoreHttpRequest;
var fetch = CoreFetch;
Expose protected XHR and fetch on window object
This allows ANP XHR and fetch to be accessed on the window object. The "Enable ANP on XHR and fetch requests" option must be enabled. Essentially, the following code is injected:
window.XMLHttpRequest = CoreHttpRequest;
window.fetch = CoreFetch;
Enable ANP on dynamic content
When enabling this option, scripts inserted dynamically on head and body elements will be intercepted and independently transferred through ANP. Essentially, to protect scripts inserted with e.g. appendChild following code is injected:
document.head.appendChild = ANPAppendChildHead;
document.body.appendChild = ANPAppendChildBody;
Similarly, the functions Node.insertBefore, Node.replaceChild, Element.append, Element.prepend, Element.replaceChildren, Element.replaceWith, and Element.insertAdjacentElement are replaced with protected versions.
Enable ANP on WebSockets
Enabling this option, all WebSocket calls will be automatically replaced by corresponding ANP variants. Essentially, the following code is injected:
var WebSocket = ANPWebSocket;
Expose Application Network Protection on window object
This allows ANP WebSockets to be accessed on the window object. The "Enable ANP on WebSockets" option must be enabled. Essentially, the following code is injected:
window.WebSocket = ANPWebSocket;
List of allowed domains
A comma separated list of allowed endpoints to protect for ANP requests. If the list is empty, all domains are allowed.
List of domains that bypass ANP
A comma separated list of domains that will bypass ANP. Entries must take the exact form <scheme>://<hostname or IP>[:port].
Session Lifetime
Session lifetime for Application Network Protection. If set to 0, the default will be used.
Cache Settings
Codesealer offers a simple HTTP cache built into each worker. Enabling this cache can improve resource delivery speed. See the cache section of the Worker configuration for details on how to set up each worker to use a cache.
Enable HTTP Caching
When enabled Codesealer Workers will cache requested resources based on the defined rules.
Cache Rules
Each cache rule consists of four parts:
- Content-Type: The value of the Content-Type header to match on. Both 'contentType' and 'path' has to match for the resource to be cached. The special wildcard value '*' can be used to match all content types.
- Path: The path of the request to match on. Both 'contentType' and 'path' has to match for the resource to be cached. The special wildcard value '*' can be used to match all paths.
- Max-Age: If this value is not zero, the expiry of the cached resource will be overriden.
- Ignore no-store: When enabled, resources are cached despite 'no-store' directives.
- Ignore no-cache: When enabled, resources are cached despite 'no-cache' directives.
WAF Settings
Codesealer offers a simple Web Application Firewall (WAF) built into each worker. Enabling this WAF can provide an additional security layer on top of Codesealer's protection.
Enable Web Application Firewall
This option enabled the WAF for all Workers. Note that each worker must be configured with a set of rules. See the WAF Configuration section for more information.
Process response headers and body
When enabled the entire payload of requests will be passed through the WAF.
Enable Monitor Mode on Web Application Firewall
When enabled no requests will be blocked on basis of the WAF, but will instead be logged.
Advanced Settings
Codesealer Enterprise contains a number of advanced features which are described in this section.
SNI Overwrite
This will set the Server Name Indication (SNI) on proxied TLS requests to the provided value instead of the requested host. This can be useful if the installed TLS certificate on the remote server is issued to a different domain.
Hostname Overwrite
This will set the Hostname header on proxied requests to the provided value instead of the requested host. This can be useful if the backend server uses virtual hosting.
Invalid HTML compatibility mode
This option must be enabled if the backend serves HTML where <script> tags occur after the </body> or </html> tags.
Window scope compatibility mode
Codesealer will execute scripts in a local scope, which differs from the global scope javascript is normally executed in. In such a scope, variables will not automatically be set on the window object, which can make a website running through codesealer behave differently. This option will patch these scoping issues in scripts live.
document.write compatibility mode
When this option is enabled, Codesealer will modify document.write calls to simulate their original behavior of inserting data after the script tag of the caller without re-opening the document, until all scripts that were part of the document have been executed.
This compatibility mode does not support partial write calls, where a single HTML element is written through more than one document.write call.
publicPath compatibility mode
Some sites will have scripts that attempt detecting where they're running from. This option will inject a transient script tag while each script is executing, revealing the directory the script is running from.
Strict Session Mode
When in strict session mode, Codesealer will block HTTP requests methods other than GET, HEAD or OPTIONS from clients that do not have an active Codesealer session. This means that methods like POST and DELETE will fail.
If API calls made by clients not protected by Codesealer must work, leave this setting disabled.
Block User Agents Mode
When in block user agents mode, Codesealer will block HTTP requests from clients with user agents that are known to be malicious. The list of blocked user agents is managed by Codesealer and not currently configurable by users.
App Throttling Mode
When enabled requests will be redirected to a non-interactive validation page before being redirected to the requested URL. Once the session is validated, the validation page will not be shown again, unless the session hits a rate limit. This feature can reduce the effects of Layer 7 DDoS attacks.
App Throttling Rate Limit
When app throttling is enabled this value will determine the maximum sustained number of requests per second allowed for each client.
App Throttling Burst Limit
When app throttling is enabled this value will determine the maximum burst of requests allowed for each client.
App Throttling Iterations
When app throttling is enabled this value will determine the amount of iterations performed in the PoW challenge. The more iterations, the longer the validation page will take to complete for each client.
Omit X-Forwarded-For and X-Forwarded-Host headers
This option will stop Codesealer from setting the X-Forwarded-For and X-Forwarded-Host headers.
This option is meant for testing scenarios, where adding the headers may confuse existing infrastructure. This should not be used in production scenarios.
Strip Content-Security-Policy HTTP Header
This option will actively strip the Content-Security-Policy HTTP Header from all requests that have scripts protected. A better solution is to allow eval by setting the header
Content-Security-Policy: script-src 'unsafe-eval'
Location redirect compatibility mode
This option will ensure that absolute Location header redirects for the Outgoing URL are changed to relative URLs instead.
Disable Codesealer cookies support
When using Codesealer, requests that are sent to the Worker's domain (i.e. the value in "Incoming URL") may be redirected to another domain. This could either be the value in "Outgoing URL" or a third party domain, if using ANP. In order to attach the correct cookies to these requests, Codesealer will add some extra cookies to responses.
If this option is enabled, these extra cookies will not be attached to responses. This can cause some cookies to not be set on protected requests.
Kill Switch
This option will terminate all connections to this endpoint as early as possible. For TLS, this will happen during the TLS handshake, while for non-TLS it will happen right after the endpoint is registered.
The option can be used in certain scenarios to mitigate smaller DoS attacks on multi endpoint deployments.
Proxy path filter
If API endpoints are placed under a certain path, this can be added here to block regular proxy requests from reaching these endpoints. Rules are processed firewall style, in the sense that the first matching rule will take effect. The path matching is case insensitive.
Note: This blocking is not effective if endpoint is disabled or if accessing from an IP contained in the IP Bypass list.
Protection path filter
This option will allow selective bypassing of all protection. The main settings (e.g. protect all scripts by default) will take precedence, in the sense that these rules can only cause a bypass of a script that would otherwise be protected, or force the default behavior.
The rules are parsed firewall style, and they can be set to either "Bypass" or "Default". The first rule that matches will take effect. The path matching is case insensitive.
Retain attributes on protected scripts
Protected scripts are normally replaced with empty script tags with no attributes. When enabled, this option makes protected scripts retain most of their attributes. This can be useful if the application logic relies on reading attributes of certain scripts. Note that enabling this option may reveal some internals of the application logic.
IPs that bypass protection
The IP addresses listed in this field will bypass Codesealer protection. Please note that additional configuration is needed for Codesealer to see client IPs when using proxy servers or load balancing in front of Codesealer.
Note: If the "Invert IP bypass list" option is set, only IPs that match the entries in the list will be protected.
Invert IP bypass list
Invert the behavior of the "IPs that bypass protection" option.
IPs permitted access to this endpoint
If specified, only traffic originating from IP addresses listed in this field will be allowed to access the endpoint.
JavaScript symbols to expose to window object
A comma separated list of JavaScript symbols to expose on the window object. This option essentially injects the following code for each symbol:
try {
typeof window.symbol !== 'undefined' && (symbol = window.symbol);
} catch {}
...
try {
window.symbol = symbol;
} catch {}
Minify ES6 module bundles
ES6 modules are bundled into a single file when served by the proxy. Enable this option to also minify the bundle.
Script preamble
This field will inject the given JavaScript code into the beginning protected scripts. This can be used in debugging scenarios, where it is not feasible to modify certain aspects of a protected application.
Script postamble
This field will inject the given JavaScript code at the end of all protected scripts. This can be used in debugging scenarios, where it is not feasible to modify certain aspects of a protected application.
Script string replace
This option will instruct Codesealer to do a simple search/replace on all JavaScript that it protects.
Metrics
Metrics show you information about traffic flowing through configured endpoints.
If you are logged in as administrator, click Organizations in the sidebar and click on "Go to Metrics" for the organization you wish to see metrics for.
If you are logged in as a user belonging to an organization, simply click Metrics.
For traffic, you will see two primary metrics for each endpoint: Request rate and request time.
Understanding request rate
The request rate graph counts the number of incoming HTTP requests, in Requests per Second. This is useful to estimate the transactional performance of the system, rather than simply observing the network throughput.
Understanding response time
The request time graph shows two sub-graphs: Total and remote time.
Total time is the time it took us to read the request from the end-user, do any internal processing, and send a response to the end-user.
Remote time is the time it took us to write the request to the backend server, wait for any processing to complete, and receive the response.
If Total time is high, it may be indicative of poor network connectivity from users. If Remote time is high, it may be indicative of a slow or overloaded backend.