The 6.3 release of Cequence Defender strengthens API discovery and parameterization with specification-based rules, extends dynamic fingerprinting with improved algorithm handling, adds granular control over parameterization scope, and enhances deployment observability and content handling.

New features

Specification-driven API discovery

API specifications are now the authoritative source for endpoint parameterization. Specification-defined patterns take precedence over system and custom parameterization rules, ensuring your documented API contract is the source of truth. Custom discovery patterns with prefix matching are now fully supported.

Advanced parameterization rules

Custom parameterization rules now support per-pattern host inclusion and exclusion filtering, giving you fine-grained control over where rules apply. New exclusion capabilities allow you to specify exact string or regex patterns that should not be parameterized. Discovery metadata now includes specification and custom pattern identifiers for improved traceability. Discovery metadata is improved to omit empty path segments and consistently report rule names and identifiers.

Extended Lua policy functions

Lua-based policies now support base64 encoding and decoding, URL encoding and decoding, and JWT token operations (parsing and validation), expanding the scope of transformations available in policy logic.

Dynamic fingerprinting correctness

Dynamic fingerprint algorithms now generate consistent results across different content types, handle empty algorithm slots correctly, and resolve header ID collisions that were causing fingerprint mismatches.

Automatic content-encoding detection

Defender now automatically detects content encoding (gzip, deflate, and others) to correctly decompress payloads, removing dependency on potentially inaccurate or spoofed content-encoding headers.

Enhanced health checks

Defender health checks now accurately reflect configuration state and readiness before accepting traffic. 

Fixed issues

• DEF-2094: Defender health checks now accurately reflect configuration state and readiness before accepting traffic.
• DEF-2125: Defender now automatically detects content encoding (gzip, deflate, etc.) to correctly decompress payloads regardless of header accuracy.
• Authentication endpoints for authenticity challenge policies are no longer incorrectly sent to the cq.api-transactions topic.
• Empty path segments are no longer included in discovery metadata, and rule names are now consistently reported for all discovery results.
• Fixed duplicate header ID assignment in fingerprint algorithm that was causing mismatched fingerprints for distinct headers.
• Empty dynamic fingerprint algorithm slots now correctly return zero-values instead of invalid fingerprints.
• Dynamic fingerprint body analysis now generates consistent fingerprints across different content types.
• Prefix-based API specification rules now correctly match and parameterize endpoints.
• Partial date and UUID parameterization rules now correctly match patterns within path segments, not just complete segments.