Package | Location | Version | State | MD5 Checksum |
Defender Docker image x86 | s3://xangent-packages/build/cq-defender/releases/5.3.2/defender-docker/x86_64/defender-latest.tar.gz | 5.3 | Released | |
Defender Docker image aarch64 | s3://xangent-packages/build/cq-defender/releases/5.3.2/defender-docker/aarch64/defender-latest.tar.gz | 5.3 | Released | |
Helm chart | https://cequence.gitlab.io/helm-charts/ | 5.3 | Released | |
Image repository | registry.gitlab.com/cequence/releases/defender:5.3.2 | 5.3 | Released | |
Version 5.3.2 of Cequence Defender was released January 14, 2025.
Release Highlights
Advanced filtering support: Cequence Defender now supports advanced filters. Using advanced filtering, you can configure query parameters, request headers, or response headers to decide whether to send traffic to Cequence UAP. Filtering configuration is now based on application tags instead of host and path values.
Configurable traffic sampling: Cequence Defender now supports traffic sampling configuration to send just a portion of the total application traffic to Cequence UAP instead of all traffic. This is particularly useful for API discovery and inventory use cases for which all API traffic need not be analyzed in order to discover, classify and inventory APIs. Sampling configuration includes a percentage value of traffic, which can be changed at any time by a Cequence administrator. Sampling is enforced at the API endpoint level.
Sensitive data masking: Cequence Defender now supports masking sensitive data before transmitting to the Cequence UAP platform for analysis. This is particularly useful for SaaS deployments where customers may want to configure masking of sensitive data values in API request or response payloads before sending traffic to Cequence for analysis. This configuration is also part of the filtering configuration and can be configured per application tag.
Epic
DEF-875 Data Masking support at the edge
DEF-1155 Sampling, Discovery and Rate-limiting in Data Plane
DEF-1209 Implement Sensitive Data Detection and Masking in Data Plane
Bugs
Release 5.3.2
DEF-1568 Sensor bridge OOM observed due to connector read queue not getting drained quickly when sdm is enabled
DEF-1555 Ability to overwrite the Host Header in Defender
DEF-1570 Add support to drop bodies in ceq-bridge
DEF-1555: Overwriting the host header
Defender now supports two modes to route traffic when the host header is absent.
The default upstream mode provides a single upstream for a given server. In default upstream mode, Cequence Defender forwards traffic to the default upstream servers defined in the HTTP_UPSTREAM_SERVER and HTTPS_UPSTREAM_SERVER environment variables. When the USE_UPSTREAM_SERVER_AS_HOST_HDR environment variable is configured, Defender sends the upstream server name as the host header when forwarding traffic to the upstream.
The alternate host header mode routes upstream traffic based on a user-configured alternate host header. Configure an HTTP directive in nginx to enable an alternate host header. Example JSON:
{
  "version": "1.0",
  ...
  "http": {
    "directives": {
      ...
      "alternate_host_header": "X-Forwarded-Host"
    },
    "servers": [
      {
        ...
      }
    ]
  }
}
This configuration produces the following changes.
- Upstream route lookups use the alternate host header value instead of the host header.
- The value of the proxy_set_header directive is set to the alternate host header value, overriding the value of the $host variable.
- The value of the proxy_ssl_name directive is set to http_<alternate_host_header>, overriding the value of the $host variable.
- Sensor transactions replace the host field with the alternate host header value.
- When the request headers include a host header, that host header is replaced with the alternate host header to maintain consistency with the upstream host.
When alternate host header mode is enabled but the request does not contain the configured alternate header, the client receives a 400 error status code.
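The two modes described above, written as a small reference model that can be used to work out the expected result of a smoke test. This is an added example, not Cequence Defender code: the function and parameter names are hypothetical, the sample requests are constructed, and treating a blank header value as absent and leaving the sensor host unchanged in default upstream mode are assumptions.

```python
from typing import Mapping, NamedTuple, Optional


class Decision(NamedTuple):
    status: Optional[int]        # 400 = rejected by Defender, None = forwarded
    route_key: Optional[str]     # name used for the upstream route lookup
    host_sent: Optional[str]     # Host header value sent to the upstream
    sensor_host: Optional[str]   # host field of the sensor transaction


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; a blank value counts as absent (assumption)."""
    for key, value in headers.items():
        if key.lower() == name.lower() and value.strip():
            return value.strip()
    return None


def decide(headers: Mapping[str, str],
           default_upstream: str,
           use_upstream_as_host: bool = False,
           alternate_host_header: Optional[str] = None) -> Decision:
    """Model of the host selection rules (hypothetical helper, not product code)."""
    host = header(headers, "Host")
    if alternate_host_header:
        alt = header(headers, alternate_host_header)
        if alt is None:
            # Alternate mode is on but the header is missing: client gets 400.
            return Decision(400, None, None, None)
        # Route lookup, upstream Host and sensor host all use the alternate value,
        # replacing any Host header the request carried.
        return Decision(None, alt, alt, alt)
    # Default upstream mode: a single upstream for the server.
    host_sent = default_upstream if use_upstream_as_host else host
    # Sensor host in this mode is not stated on the page; kept as received.
    return Decision(None, default_upstream, host_sent, host)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Host": "edge.internal", "x-forwarded-host": "api.example.test"}, "X-Forwarded-Host"),
        ({"Host": "edge.internal"}, "X-Forwarded-Host"),
        ({}, None),
    ]
    for hdrs, alt_name in samples:
        print(hdrs, "->", decide(hdrs, "upstream.example.test", True, alt_name))
```

Because the alternate header value drives both the route lookup and the Host sent upstream, it should be set or overwritten by a trusted hop in front of Defender rather than accepted as sent by the client.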
Release 5.3.1
DEF-1489 Real IP Extraction in sensor-bridge is not correct in some scenario when xff with index is present
DEF-1492 Advanced Option (ignore content type) are not working and sentinel pipeline is processing request.
DEF-1500 Email user portion is getting masked with asterisk "*"
DEF-1503 Excessive Logging for SDM & NLP
DEF-1513 Traffic drops in sensor-bridge sensor-pipeline with send-all traffic filter
DEF-1518 Sensor bridge crashes in processResourceData when applying SDP
DEF-1521 Crash in ipfp lib when large XFF header is received
Release 5.3.0
DEF-927 Investigate Data Masking Schemes
DEF-932 Add support for HTTP reader in Defender connector
DEF-946 Add data-masking support at the edge
DEF-947 Component Config support for Data Masking at the edge
DEF-1147 Auto-detection of the content type
DEF-1156 Nginx Changes for Sampling
DEF-1157 URI Discovery in data-plane
DEF-1158 Implement new filtering and rate-limiting
DEF-1159 Configuration update and management for discovery, sampling and data-masking
DEF-1169 Add support for content-type detection and handling
DEF-1170 Sensitive data expressions design
DEF-1171 Add support for NLP and SDEs
DEF-1172 Read, storing, updating SDE rules data set in the connector
DEF-1173 Custom SDE (NLP) functions
DEF-1174 Implement SDE execution engine
DEF-1175 SDE caching design and implementation
DEF-1176 SDE metrics
DEF-1210 Read sensitive data expressions and NLP context configuration
DEF-1211 SDD detection framework and execution
DEF-1212 Implement NLP Functions
DEF-1213 Implement NLP execution engine
DEF-1214 Metrics for SDD
DEF-1215 Masking support for SDD locations/Fields
DEF-1216 Implement SDD caching
DEF-1285 Add metrics for number of IPs and FPs in data sets.
DEF-1288 Case-sensitive evaluation and implementation
DEF-1305 Send SDPInfo to sentinel stream in sensor-bridge.
DEF-1315 Add Ignore Config Support
DEF-1339 Add 'executed' field to SDP meta data.
DEF-1384 Update masking type for different sensitive data types.
DEF-1406 Expose metrics using Prometheus.
DEF-1430 Add support for rate-limit per response code.
DEF-1433 Add metrics for ignore filters.
DEF-1455 Legacy defenders talking to 7.5 UAP do not enforce ignore config at defender or at sensor bridge.
Compatibility
Defender (ARM and X86) | Cequence UAP platform | Compatible |
5.3.2 | 6.x releases | No |
5.3.2 | 7.x releases prior to 7.5.0 | No |
5.3.2 | 7.5.0 | Yes |