Current release: 5.6.2
Version 5.6 of Cequence Defender was released May 28, 2025.
Feature highlights
- Data masking now uses format-preserving encryption (FPE). Masked data appears in the same format as the original data. For example, the telephone number 011 4 302 8178 becomes masked as 913 2 841 1349.
- Updates nginx to version 1.28.0. With this version, nginx re-resolves upstream hostnames automatically when the IP address of an upstream host changes, so a change of origin IP no longer requires a restart or a manual configuration change.
Notable changes in the 5.6.2 release
The 5.6.2 release of Defender addresses several notable issues.
- Multi-UAP OAuth Connectivity (DEF-1751): Resolves a bug where Defender's dual-UAP high availability feature was unable to work with OAuth. The fix ensures proper communication channels are re-established with the new primary instance of the Cequence UAP platform during failover scenarios, restoring functionality for UAP deployments.
- Honeytrap Detection Enhancement (DEF-1738): Fixes a bug where Defender ran detection on the configured alternate host header but redirected traffic to Honeytrap servers based only on the Host header. Defender now redirects based on the same alternate host header it used for detection, improving the effectiveness of deceptive mitigation.
- Dynamic Routing Header Override Fix (DEF-1711): Dynamic routing overwrote custom proxy_headers configurations. This caused problems in general, and in particular for deployments that use a service mesh such as Istio. The fix introduces the USE_ALT_ORIGIN_AS_PROXY_NAME environment variable, which lets you choose whether the alternate host header or the alternate origin header is used as the proxy SSL name, improving compatibility with different upstream architectures.
- Alternate Origin Performance Optimization (DEF-1705): Eliminates the performance degradation caused by DNS lookups in the alternate origin header feature. The redesign avoids unnecessary DNS resolution, so performance is unaffected when the feature is not in use. In testing, response times were consistently 35-40 ms regardless of whether the alternate origin header was used.
Changed behavior
Starting in the 5.5 release of Cequence Defender, port 9145 is no longer used for metrics reporting. Metrics reporting now uses port 9122. Update any firewall rules, network policies, or Prometheus scrape configurations that still reference port 9145.
Resolved Issues
5.6.2 release
DEF-1720 Add exportersJson and extensionsJson for otel helm-charts
DEF-1705 Update alternate origin header feature to reduce performance impact.
DEF-1711 Dynamic Routing overwrites proxy_headers
DEF-1738 Defender detects based on the configured alternate host header, and redirects to the honey trap only based on the host header
DEF-1751 Multi-UAP connectivity does not work with OAuth.
5.6.1 release
DEF-1708 Remove otel configuration from nginx when OTEL_TRACES_EXPORTERS is empty
DEF-1729 Sensitive Data Masking not applied if multiple connectors in use
DEF-1730 Defender 5.6.0 throws error "ToFPEAlphabetic: Empty input" in the logs for SDM enabled traffic
DEF-1740 Default ports not overwritten
DEF-1746 API Endpoints page - Traffic Source is "Unknown" when "txn-source" is not present in the message received from topic "cq.api-transactions"
DEF-1743 Backup pipeline has no traffic management filters
5.6.0 release
DEF-1617 Mitigator data sent contains Host header info even though the mitigation happens based on alternate-host-header
DEF-1618 Enables support for adding CORS headers to blocked requests
DEF-1691 Enabling DNS Service Discovery in NGINX
DEF-1692 Sensor Bridge - The metric "sensor_connector_received_total" is used for both pipeline and datasink
DEF-1698 Send request id to honeytrap
DEF-1699 Improves correlation of mitigated requests in sentinel
Bug and vulnerability fixes.
Upgrade considerations
Upgrading from any 5.3.x release of Cequence Defender to the 5.6.0 release is a standard Helm chart upgrade and requires no additional steps.
Backend services with dynamic IP addresses now resolve automatically, without manual intervention.
The 5.6 release of Cequence Defender no longer requires the CQ Resolver feature. Configure the resolver through the Resolver variable in the Helm override instead.
As a best practice, monitor the nginx logs for 24 hours after upgrading. Confirm that upstream DNS resolution is not producing any 502 errors.
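The following script is an added example, not part of the Cequence release notes, of the post-upgrade check described above. It assumes the nginx access log is written in the default "combined" format (the HTTP status is the ninth space-separated field) and that resolver failures appear in the nginx error log with the standard nginx wording "could not be resolved". The log lines it creates are constructed samples; the log paths and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Cequence code): scan nginx logs after a Defender upgrade
# for 502 responses and upstream DNS resolution failures.

# Count responses with HTTP status 502 in an access log written in the
# default "combined" format, where the status is the 9th field.
count_502() {
  awk '$9 == "502" { n++ } END { print n + 0 }' "$1"
}

# Count resolver failures in an nginx error log. grep -c prints the count
# and exits 1 when it is zero, so the exit status is ignored on purpose.
count_resolver_errors() {
  grep -c 'could not be resolved' "$1" || true
}

# Report both counts; succeed only when neither problem is present.
check_post_upgrade() {
  bad=$(count_502 "$1")
  dns=$(count_resolver_errors "$2")
  echo "502 responses: $bad, resolver failures: $dns"
  [ "$bad" -eq 0 ] && [ "$dns" -eq 0 ]
}

# Constructed sample logs (assumption: combined access-log format and
# standard nginx error-log wording). Real paths are typically
# /var/log/nginx/access.log and /var/log/nginx/error.log.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/access.log" <<'EOF'
10.0.0.5 - - [29/May/2025:10:00:01 +0000] "GET /api/v1/users HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [29/May/2025:10:00:02 +0000] "GET /api/v1/orders HTTP/1.1" 502 157 "-" "curl/8.0"
10.0.0.6 - - [29/May/2025:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 502 157 "-" "curl/8.0"
10.0.0.7 - - [29/May/2025:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.30"
EOF

cat > "$DEMO_DIR/error.log" <<'EOF'
2025/05/29 10:00:02 [error] 31#31: *12 orders.internal could not be resolved (3: Host not found), client: 10.0.0.5, server: _, request: "GET /api/v1/orders HTTP/1.1", host: "api.example.com"
2025/05/29 10:00:03 [error] 31#31: *13 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.0.0.6, server: _, request: "POST /api/v1/login HTTP/1.1", upstream: "https://10.0.1.9:443/api/v1/login", host: "api.example.com"
EOF

if check_post_upgrade "$DEMO_DIR/access.log" "$DEMO_DIR/error.log"; then
  echo "no 502s or resolver failures observed"
else
  echo "investigate upstream DNS resolution before widening rollout"
fi
```

Run it against the live log files for the 24-hour window after the upgrade; a non-zero resolver-failure count is the signal that upstream hostnames are not resolving correctly and is worth checking before the 502 count alone.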
About TLS
Starting with the 5.5.0 release of Cequence Defender, proxy connections to origins support only TLS versions 1.2 and 1.3 by default.
Upstream applications that use TLS version 1.1 or earlier, or that require cipher suites associated with TLS version 1.1 or earlier, no longer work by default. If you must proxy to an origin that supports only TLS version 1.1, update your nginx configuration file as described below.
Updating your nginx configuration
The typical location of your nginx configuration file, nginx.conf, is the /etc/nginx directory. To allow older protocol versions or cipher suites, edit nginx.conf and change the value of the proxy_ssl_protocols directive. After the edit, the line should look similar to the following example.
proxy_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
Bear in mind that older protocols and cipher suites are less secure than modern protocols or cipher suites, and relying on them may expose you to security risks.
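The script below is an added example, not Cequence code, that shows the check a practitioner would run before and after the edit described above: read the current proxy_ssl_protocols value, flag whether a legacy protocol is still allowed, and apply the TLSv1.1 change while keeping a backup. The nginx.conf it creates is a constructed sample; the working directory and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Cequence code): inspect and, where an origin requires
# it, relax the proxy_ssl_protocols directive in an nginx.conf.

# Print the protocol list from the first proxy_ssl_protocols directive.
proxy_ssl_protocols() {
  sed -n 's/^[[:space:]]*proxy_ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the config still allows a legacy protocol, so the
# caller can alert on it; TLSv1 and TLSv1.1 are the legacy versions here.
allows_legacy_tls() {
  for p in $(proxy_ssl_protocols "$1"); do
    case "$p" in
      TLSv1|TLSv1.1) return 0 ;;
    esac
  done
  return 1
}

# Rewrite the directive to the value from the release notes, keeping a
# .bak copy so the change can be reverted once the origin is upgraded.
enable_tls11() {
  cp "$1" "$1.bak"
  sed 's/^\([[:space:]]*\)proxy_ssl_protocols[[:space:]].*/\1proxy_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;/' \
    "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample config in a scratch directory (assumption: a real
# deployment edits /etc/nginx/nginx.conf and then reloads nginx).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/nginx.conf"

cat > "$CONF" <<'EOF'
http {
    server {
        listen 443 ssl;
        location / {
            proxy_pass https://origin.internal;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_server_name on;
        }
    }
}
EOF

echo "before: $(proxy_ssl_protocols "$CONF")"
if allows_legacy_tls "$CONF"; then
  echo "warning: legacy TLS already enabled"
fi

enable_tls11 "$CONF"

echo "after:  $(proxy_ssl_protocols "$CONF")"
if allows_legacy_tls "$CONF"; then
  echo "warning: legacy TLS enabled for origin connections; revert when the origin supports TLS 1.2"
fi
```

Keeping `allows_legacy_tls` as a separate check makes it easy to run from a CI or configuration-audit job, so a TLSv1.1 exception added for one origin does not silently outlive that origin.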
Image locations for on-premises deployments
Your Cequence team provides you with GitLab credentials for the Cequence image registry. Before downloading Docker images, log in to the registry by running the following commands. The token is piped on stdin rather than passed with -p, so it does not end up in your shell history or the process list.
export GITLAB_USER=<user provided by cequence>
export GITLAB_PASS=<token provided by cequence>
printf '%s' "$GITLAB_PASS" | docker login registry.gitlab.com -u "$GITLAB_USER" --password-stdin
To pull an image from the registry, run the following Docker command.
docker pull <image repository URL>
Package | Location | Version | State | MD5 Checksum |
Defender Docker image x86_64 | s3://xangent-packages/build/cq-defender/releases/5.6.2/defender-docker/x86_64/defender-latest.tar | 5.6 | Released | |
Defender Docker image aarch64 | s3://xangent-packages/build/cq-defender/releases/5.6.2/defender-docker/aarch64/defender-latest.tar | 5.6 | Released | |
Helm chart | https://cequence.gitlab.io/helm-charts/ | 5.6 | Released | |
Image repository | registry.gitlab.com/cequence/releases/defender:5.6.2 | 5.6 | Released | |
Compatibility
Defender (ARM and X86) | Cequence UAP platform | Compatible |
5.6.2 | 6.x releases | No |
5.6.2 | 7.x releases prior to 7.5 | No |
5.6.2 | 7.5 and later releases | Yes |