Version 5.4.0 of Cequence Defender was released February 25, 2025.
Release Highlights
The 5.4 release of Cequence Defender includes several new features and capabilities.
OAuth-secured communication with Cequence UAP
Cequence Defender can now use OAuth to secure all communications to and from the Cequence Unified API Protection (UAP) platform. You can now enable or disable SSL certificate validation.
Subdomain support
When you specify URLs for a token and edge server, you can specify a unique subdomain. Cequence Defender then constructs the full URL based on that subdomain.
Upstream routing improvements
Before this release, Cequence Defender routed upstream traffic based on the HOST header of the HTTP request. Some client-side entities can consume the HOST header before the traffic arrives at the Cequence Defender.
Starting with the 5.4 release, Cequence Defender supports alternate methods to perform upstream routing.
Default upstream
The default upstream mode uses a single upstream per protocol, such as HTTP or HTTPS. There are two default upstream server configuration variables, HTTP_UPSTREAM_SERVER and HTTPS_UPSTREAM_SERVER, available for this purpose. In this mode, Cequence Defender always forwards traffic to the default upstreams. When the USE_UPSTREAM_SERVER_AS_HOST_HDR environment variable is configured, Cequence Defender sends the value of the HTTP_UPSTREAM_SERVER or HTTPS_UPSTREAM_SERVER variable as the Host header when forwarding the traffic to the upstream.
Alternate host header
Alternate host header routing is based on the value of an alternate host header configured by the user. This routing method assumes that the user populates the proper value into this alternate host header when forwarding traffic to Cequence Defender. When using alternate host header routing, Defender uses the value passed in the alternate host header as the host value and looks up the upstream to use based on that value. When the use of an alternate header is enabled and the configured alternate header is not present in the request, the client receives a 400 status code error.
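A minimal Python model of the two routing modes described above (default upstream and alternate host header), added here as an illustration; it is not Cequence code. The `route` function, the `Decision` type, the `X-Original-Host` header name, the upstream map and all hostnames are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Decision:
    status: Optional[int]       # status returned to the client; None when forwarded
    upstream: Optional[str]     # upstream the request is forwarded to
    host_header: Optional[str]  # Host value sent to that upstream

def route(headers, scheme, env, upstream_map=None, alt_host_header=None):
    """Hypothetical model of the routing decision; not Defender's implementation."""
    # HTTP header names are case-insensitive, so normalise them before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    if alt_host_header:  # alternate host header mode
        value = hdrs.get(alt_host_header.lower())
        if value is None:
            # Stated in the notes: mode enabled but header absent -> 400.
            return Decision(400, None, None)
        host = value.strip().lower()  # hostnames compare case-insensitively
        if host not in (upstream_map or {}):
            # The notes do not describe this case, so the model refuses to guess.
            raise LookupError(f"no upstream configured for {host!r}")
        return Decision(None, upstream_map[host], host)

    # Default upstream mode: a single upstream per protocol.
    key = "HTTPS_UPSTREAM_SERVER" if scheme == "https" else "HTTP_UPSTREAM_SERVER"
    upstream = env[key]
    if env.get("USE_UPSTREAM_SERVER_AS_HOST_HDR"):
        # Assumption: any non-empty value counts as "configured".
        return Decision(None, upstream, upstream)
    # Assumption: otherwise the incoming Host header is passed through unchanged.
    return Decision(None, upstream, hdrs.get("host"))

# Constructed sample data (not taken from the release notes).
ENV = {
    "HTTP_UPSTREAM_SERVER": "app.internal.example:8080",
    "HTTPS_UPSTREAM_SERVER": "app.internal.example:8443",
    "USE_UPSTREAM_SERVER_AS_HOST_HDR": "true",
}
UPSTREAMS = {"shop.example.com": "shop.internal.example:8443"}
CDN_REQUEST = {"Host": "edge-17.cdn.example", "X-Original-Host": "Shop.Example.com"}

if __name__ == "__main__":
    print(route(CDN_REQUEST, "https", ENV, UPSTREAMS, "X-Original-Host"))
    print(route({"Host": "edge-17.cdn.example"}, "https", ENV, UPSTREAMS, "X-Original-Host"))
```

In this model the second call returns the 400 case, which is how a front end that consumes Host but never sets the alternate header would show up in testing.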
Alternate origin header
The alternate origin header feature complements the existing upstream routing feature or alternate host header feature. Instead of configuring upstreams and routing based on the incoming host header or the alternate host header, the alternate origin header feature routes traffic based on the value of the alternate origin header.
Support for partial transactions
Cequence Bridge can now stitch together request and response data when that data arrives in two separate messages with the same transaction ID.
Story
DEF-1483 Enable OAuth for all Defender to UAP Communication
DEF-1555 Ability to overwrite the Host Header in Defender
DEF-1564 Send partial txns to UAP
DEF-1570 Add support to drop bodies in ceq-bridge
DEF-1575 Add sub-domain support in defender.
DEF-1577 Enable gzip in defender
DEF-1599 Add txn-depth to txn-id to make it unique
Bugs
Release 5.4.0
DEF-1526 Equals Header Filter in Mitigation Criteria not functioning correctly
DEF-1568 Sensor bridge OOM observed due to connector read queue not getting drained quickly when sdm is enabled
DEF-1588 App monitor does not log error in all cases where download fails.
DEF-1591 Mitigation is not happening based on alternate-host-header
DEF-1592 Sensor Bridge: Messages are getting dropped due to invalid timestamp (future timestamp)
DEF-1598 connector log not outputting to console when console logging enabled.
Image locations
Package | Location | Version | State | MD5 Checksum |
Defender Docker image x86 | s3://xangent-packages/build/cq-defender/releases/5.4.0/defender-docker/x86_64/defender-latest.tar.gz | 5.4 | Released | |
Defender Docker image aarch64 | s3://xangent-packages/build/cq-defender/releases/5.4.0/defender-docker/aarch64/defender-latest.tar.gz | 5.4 | Released | |
Helm chart | https://cequence.gitlab.io/helm-charts/ | 5.4 | Released | |
Image repository | registry.gitlab.com/cequence/releases/defender:5.4.0 | 5.4 | Released | |
Compatibility
Defender (ARM and X86) | Cequence UAP platform | Compatible |
5.4.0 | 6.x releases | No |
5.4.0 | 7.x releases prior to 7.5.0 | No |
5.4.0 | 7.5.0 | Yes |