Most engineers think…
"My WAF blocks the OWASP attacks, so we're covered."
Wrong — and this blind spot leaks data in plain sight. A WAF policy has two directions. The request side (signatures, positive security, evasion normalization) stops the attack getting in. But the most expensive breaches often leak data on the way out: an app prints full card numbers in an error page, or a stack trace exposes your database schema. Attack signatures never look at that — they inspect requests. DataGuard is the other half: it scans responses and masks card numbers, SSNs and your own custom formats before they reach the browser. Real WAF coverage guards both the door and the exit.
① OWASP coverage — what the policy actually maps to
The OWASP Top 10 is the auditor's checklist of the most critical web-app risks. A WAF's job is to address as many as it can — and to prove it. BIG-IP Advanced WAF (formerly ASM) maps the controls in your policy to each OWASP category, so you can show coverage instead of claiming it.
Different policy controls cover different OWASP risks. Attack signatures and meta-character/parameter checks address Injection (A03) and parts of insecure design. Positive security (allow-listed URLs and parameters) constrains the attack surface. Evasion-technique handling stops attackers smuggling injections past signatures with odd encoding. And the response side — DataGuard plus response cloaking — addresses information leakage / sensitive-data exposure, the part most WAFs forget. ASM gives you an OWASP Compliance view that lists each Top 10 category and shows which policy controls cover it.
Sneha at Infosys faces this
An auditor asks Sneha to prove the app's WAF covers the OWASP Top 10. She's confident the signatures are on, but has no single place to show coverage per category.
She's looking at signature sets, not the coverage map. ASM has a dedicated OWASP view that maps each Top 10 category to the policy controls addressing it.
Open the OWASP Compliance dashboard, screenshot the covered/not-covered grid, and enable any control flagged as missing (e.g. DataGuard for the data-exposure row).
The dashboard now shows each OWASP category mapped to its controls — exactly the evidence the auditor wanted.
▶ Watch a request get blocked, then a response get masked
Rahul at TCS sends an injection; the app later leaks a card. Press Play for both halves of the policy, then Break it to see the response-side gap.
?id=1 OR 1=1 — a SQL-injection attempt41111111111111114111********1111 before the browser sees itWhich OWASP Top 10 category does enabling SQL-Injection and Command-Injection signature sets most directly address?
Pause & Predict
Your signatures block every injection on the way in. But a buggy app still renders full card numbers in an error page on the way out. Signatures only inspect requests — so what kind of control do you need to catch data leaving in a response? Type your guess.
② Request vs response — two directions, two jobs
This is the mental model that makes everything click: a WAF policy works in two directions, and most engineers only think about one.
The request side is the door coming in. Attack signatures, positive security, parameter and meta-character checks, and evasion normalization all inspect what the client sends — they stop the attack getting through. This is the half everyone configures.
The response side is the exit going out. DataGuard inspects what the server returns — it masks sensitive data and (with response cloaking) hides verbose errors and server headers. This is the half that prevents the breach you'd actually have to report.
Analogy: airport security checks people and bags coming in (request side). But customs also checks what leaves the country — you can't walk out with someone else's passport (response side). A WAF that only checks the entrance lets your data walk out the exit.
Attackers hide injections behind odd encoding (double-URL-encoding, mixed case, null bytes) to slip past a signature. ASM normalizes/decodes the request first and raises evasion-technique violations on the tricks themselves. Keep evasion handling on — turning it off re-opens the gap where a signature "looks" clean because the payload is disguised. This is a request-side control that quietly makes every signature stronger.
Priya at Flipkart faces this
Priya's pen-test report says SQL injection is fully blocked, yet the same report flags "credit-card numbers exposed in an error response". She's confused — the WAF is on.
Only the request side is configured. Signatures blocked the injection, but nothing inspects the response, so the app's verbose error page leaked full cards untouched.
Enable DataGuard with credit-card masking, add response cloaking to suppress the verbose error, and confirm the policy is in Blocking mode so the mask actually applies.
Re-run the pen test. The card now appears masked (4111********1111) and the verbose error is suppressed.
Attack signatures and DataGuard both run in a policy. Which direction does each primarily protect?
Pause & Predict
DataGuard ships with built-in masking for credit cards and SSNs. But your app leaks an internal employee-ID format like ECN-4827193 that no built-in pattern knows. How would you make DataGuard mask that too? Type your guess.
ECN-[0-9]{7}. DataGuard then masks that format in responses alongside the built-in credit-card and SSN options. Custom patterns are how you protect formats unique to your business. That's Path 3.③ DataGuard masking — cards, SSNs, and your own patterns
DataGuard is response-side data masking. When the server returns content, DataGuard scans it for sensitive data and masks the matched characters (e.g. 4111********1111) so the browser — and any attacker — never sees the full value.
It covers three kinds of pattern:
- Credit-card numbers — a built-in option. Turn it on and DataGuard masks card-number patterns in responses.
- U.S. SSN — another built-in option for the classic 3-2-4 social-security format.
- Custom patterns — your own regex for formats DataGuard doesn't know: an internal employee ID (
ECN-7-digits), an account number, an Aadhaar-style ID. Add the pattern and DataGuard masks it too.
You can also scope DataGuard to specific URLs (e.g. only the account pages), and pair it with response cloaking to hide verbose errors and server headers that help an attacker fingerprint the app.
Analogy: DataGuard is the bank teller who blacks out all but the last 4 digits on a printed statement. The full number exists in the system, but what leaves the counter is masked — even if someone grabs the paper.
Build it — the configuration
Map the policy's OWASP controls on the request side, then enable DataGuard on the response side with the built-ins plus your custom pattern.
Security ▸ Application Security ▸ Data Guard (policy: app_pol)
Data Guard: Enabled
Credit Card Numbers: Mask
U.S. Social Security: Mask
Custom Patterns: ECN-[0-9]{7} # internal employee ID format
Enforced URLs: * (or scope to /account/*, /statement/*)
Response Cloaking: Enabled (suppress server headers + verbose errors)
Apply PolicyPolicy "app_pol" applied. Data Guard active (response side).
mask: credit-card ON · us-ssn ON · custom [ECN-[0-9]{7}] ON
response-cloaking ON
# Reminder: masking only APPLIES when the policy is in Blocking (enforced) mode, not Transparent.tmsh list asm policy app_pol data-guard tmsh list asm policy app_pol enforcement-mode
data-guard {
enabled yes
mask-credit-card-numbers yes
mask-us-social-security-numbers yes
custom-patterns { ECN-[0-9]{7} }
}
enforcement-mode blocking
# enforcement-mode transparent here = detects but does NOT mask. Switch to blocking.▶ Watch DataGuard mask a card — then watch it leak in Transparent mode
Karthik at Wipro's account page returns a full card. Play the enforced-masking path, then Break it to see the Transparent-mode trap.
...card: 4111111111111111... in the page body4111********1111; the leak is loggedThe four response-side mechanics — tap each card
Each card front names the mechanic; the back gives you the "so what" — when to reach for it.
Built-in masking for credit-card and SSN formats in responses. So what: one toggle stops the classic "cards in the error page" leak.
Your own regex (employee ID, account number, Aadhaar-style). So what: protect formats unique to your business that no built-in knows.
An allow-list so a safe look-alike (a 16-digit order ID) isn't masked. So what: keeps card masking ON without breaking a page full of safe numbers.
Suppresses verbose errors, stack traces and server/version headers. So what: stops attackers fingerprinting the app from the response.
You need DataGuard to mask an internal employee-ID format ECN-7-digits that no built-in pattern covers. What do you configure?
ECN-[0-9]{7}) so DataGuard masks that format in responses, alongside the built-in credit-card and SSN options.Pause & Predict
DataGuard's card masking starts masking a legitimate 16-digit order ID that happens to look like a card number — breaking the orders page. You can't just turn card masking off (real cards must stay masked). What ASM mechanism lets you exempt the safe value? Type your guess.
④ Tune & validate — exceptions, cloaking, and the proof
DataGuard's flexibility is also its noise source: a pattern that matches cards will also match anything shaped like a card. Two tuning levers fix that without weakening real protection.
- Exceptions / scoping — when a safe look-alike (a 16-digit order ID, an invoice number) gets masked and breaks a page, add an exception for that value, or scope DataGuard to the URLs that actually carry sensitive data. You keep masking ON; you just stop it firing on the wrong thing.
- Response cloaking — turn on cloaking so verbose error pages, stack traces and server/version headers are suppressed. These don't leak customer data, but they leak your data — the app's internals — and help an attacker target you.
And then the rule that ends every argument: validate. Never claim DataGuard works from the config screen. Request a page that genuinely contains a test card (in a lab), and look at the delivered response — is the value masked? Then open the event log and confirm a DataGuard/data-leakage violation was recorded. If the response shows the full card, the most common cause is that the policy is in Transparent mode (logs but doesn't enforce) — masking only applies in Blocking mode.
Don't trust the toggle. The #1 DataGuard surprise is enabling it while the policy stays in Transparent mode — it detects the sensitive data and logs it, but never masks the delivered response, so production still leaks cards. The #2 surprise is masking a safe look-alike (an order ID) and breaking a page, then panicking and disabling card masking globally. Fix it the right way: switch the policy to Blocking for masking to apply, and add an exception for the safe value instead of turning protection off.
▶ Watch the validation — response body + event log
Aditya at HCL proves DataGuard works. Play the validation, then Break it to see the Transparent-mode false sense of safety.
41111111111111114111********1111 — the mask appliedAditya at HCL faces this
Aditya enabled DataGuard with card masking weeks ago. A new pen test still finds full cards in a response. He's sure DataGuard is on.
The policy is in Transparent mode. DataGuard detects and logs the card, but Transparent mode doesn't enforce — so the delivered response is never actually masked.
Switch the policy to Blocking so masking actually applies, then re-test.
Re-run the test. The delivered response now shows 4111********1111 and the event log shows the violation as mitigated.
The only proof DataGuard works is the delivered response plus the event log. Curl or browse the page that returns the sensitive value (use lab/test data), and confirm the body shows the mask, not the full number. Then open Security ▸ Event Logs ▸ Application ▸ Requests, filter on the URL, and confirm a Data Guard / data-leakage violation was raised. Full value in the body = the policy is Transparent or DataGuard isn't scoped to that URL/content-type. Config screen "Enabled" proves nothing on its own.
curl -ks https://10.10.20.5/account/statement -H "Cookie: $SESSION" | grep -i card # look at what the CLIENT actually receives, not the config screen
<div class="pan">Card on file: 4111********1111</div> # Masked → DataGuard is enforcing. # If you see 4111111111111111 → policy is Transparent, or DataGuard isn't scoped to this URL/content-type.
DataGuard is masking a legitimate 16-digit order ID that looks like a card number, breaking a page. Best fix that keeps card masking on?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from F5 BIG-IP Advanced WAF docs + community Q&A, scoped to OWASP coverage & DataGuard. For a live prod issue, paste your Event Logs export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: why can a WAF block every injection and still leak credit cards? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- OWASP Top 10
- The industry list of the most critical web-app security risks (Injection, Broken Access Control, etc.). Auditors expect WAFs to address them.
- OWASP Compliance view
- The ASM dashboard that maps each OWASP Top 10 category to the policy controls covering it — covered vs not-covered. Your proof of coverage.
- Request side
- The inbound direction — attack signatures, positive security, parameter/meta-character checks, evasion normalization. Stops the attack getting in.
- Response side
- The outbound direction — DataGuard masking and response cloaking. Stops sensitive data leaking out.
- DataGuard
- The ASM feature that scans HTTP responses and masks/blocks sensitive data (credit cards, SSNs, custom patterns) before it reaches the client.
- Custom pattern
- Your own regex (e.g.
ECN-[0-9]{7}) so DataGuard masks a business-specific format the built-ins don't know. - Exception
- An allow-list entry so a safe look-alike value or URL isn't masked by DataGuard, while real sensitive data elsewhere still is.
- Response cloaking
- Suppressing verbose error pages, stack traces and server/version headers so an attacker can't fingerprint the app from the response.
- Evasion technique
- Unusual encoding an attacker uses to hide an injection from signatures. ASM normalizes/decodes first and raises evasion-technique violations.
- Transparent vs Blocking
- Enforcement modes. Transparent logs violations but doesn't enforce; Blocking enforces — DataGuard masking only applies in Blocking mode.
📚 Sources
- F5 — BIG-IP Advanced WAF / ASM: Configuring Data Guard · Masking Sensitive Data (credit card, U.S. SSN, custom patterns) · Data Guard exceptions and scoping. techdocs.f5.com / clouddocs.f5.com
- F5 — OWASP Top 10 Compliance Dashboard · Mapping a Security Policy to the OWASP Top 10 · Reviewing OWASP coverage. techdocs.f5.com
- F5 — Response cloaking / Information Leakage protection · Configuring Evasion Technique handling · Enforcement modes (Transparent vs Blocking). techdocs.f5.com
- F5 DevCentral community — "DataGuard not masking" / "DataGuard masks a non-card number" / "Transparent mode no masking" / "custom DataGuard pattern" threads (Transparent-mode trap, exceptions for look-alikes, content-type scoping). community.f5.com
- OWASP — OWASP Top 10 (2021) · Sensitive Data Exposure / Cryptographic Failures · Injection · Security Misconfiguration · Information Leakage guidance (why response-side masking + cloaking matter). owasp.org
- F5 Certified 303 — BIG-IP ASM Specialist blueprint: data masking, OWASP mapping, evasion handling, information-leakage protection (exam objectives). f5.com/education
- Practitioner reference — "F5 ASM DataGuard: masking PII in responses" walk-throughs + PCI-DSS pan-masking requirements (mask all but first6/last4). f5.com/labs and community write-ups
What's next?
You can now map a policy to the OWASP Top 10, mask cards, SSNs and custom formats leaking in responses, tune exceptions, and prove the mask applied. Next, see how ASM logs every one of these events and how iRules let you act on ASM events in real time.