Release Notes

Releases

Release         Date         Notes
1.1.25          2025-04-24   release notes (latest)
1.1.24          2025-03-23   release notes
1.1.23          2025-03-30   release notes
1.1.22          2025-02-19   release notes
1.1.21          2025-01-21   release notes
1.1.20          2024-12-01   release notes
1.1.19          2024-11-10   release notes
1.1.18          2024-10-01   release notes
1.1.17          2024-09-24   release notes
1.1.16          2024-08-25   release notes
1.1.15          2024-08-01   release notes
1.1.14          2024-07-08   release notes
1.1.13          2024-07-02   release notes
1.1.12          2024-06-07   release notes
1.1.11          2024-06-03   release notes
1.1.10          2024-05-27   release notes
1.1.9           2024-04-18   release notes
1.1.8           2024-04-10   release notes
1.1.7           2024-03-11   release notes
1.1.6           2024-02-20   release notes
1.1.5           2024-02-12   release notes
1.1.4           2024-02-04   release notes
1.1.3           2023-12-28   release notes
1.1.2           2023-12-03   release notes
1.1.0           2023-09-10   release notes
1.0.1           2023-08-24   release notes
1.0.0           2023-07-25   release notes (first "stable" release)
0.9.1-rc        2023-06-02   release notes
0.9.0-rc        2023-05-06   release notes
0.8.0-rc        2023-05-02   release notes
1.2242.1-rc1    2022-10-25   initial open-source release

Limitations

We are constantly working on resolving the limitations listed here and adding enhanced functionality.

Declarative Management:

Kubernetes:

  • SOLVED for v1beta2: Kong: declarative configuration of open-appsec for Kong requires an Ingress resource to which the open-appsec annotation can be added. It does not work when no Ingress resources exist and traffic is sent to the Kong Gateway directly. (Workaround if there are no Ingress resources: use central management.)

  • SOLVED for v1beta2: Only Ingress resource rules that specify both the host and the path keys are supported; a rule that specifies just the path is not. As a temporary fix, add the host key to Ingress rules that lack it, or switch to WebUI (SaaS) management instead of local declarative management. (Note: this does not affect the optional specific rules defined in the open-appsec Policy CRD.)

  • SOLVED for v1beta2: Only one exception can be added in declarative mode in K8s.

All environments:

  • SOLVED for v1beta2: Snort signatures, API schema enforcement and Anti-Bot: defining these is not supported yet in declarative configuration (it is supported when using central management via the WebUI (SaaS)).

  • SOLVED for v1beta2: Custom Response: the "Redirect" action in the CustomResponse CRD/config is not supported (use the "block-page" or "response-code-only" options until this is available).

  • SOLVED for v1beta2: Custom Response: the "Response code only" action is not supported for deployments integrated with Envoy (use "block-page" until this is available). This will be added later.

  • Exceptions: only the operator "=" is supported.

General:

  • Log Trigger Response body: setting "Response body" to true in a log trigger can affect traffic.

  • SELinux on open-appsec Linux servers: SELinux in enforcing mode is not supported. When SELinux is enforcing on the machine running the reverse proxy and the agent, agent deployment might fail during registration, because SELinux blocks the registration attempt.

  • Country-based exception rules: when configuring exceptions in Asset edit -> Exceptions tab, an exception rule using the keys Country Name or Country Code cannot be combined with additional conditions on other keys in the same exception.

    • There is an implicit OR between different exception rules, so it is possible to define separate rules, some using country code/name and others using other keys.

  • Source IP exception rules: when configuring exceptions in Asset edit -> Exceptions tab, an exception rule using the key Source IP cannot be combined with additional conditions on other keys in the same exception.

    • There is an implicit OR between different exception rules, so it is possible to define separate rules, some using Source IP and others using other keys.

  • Parameter Name / Value exception rules: Drop rules using Parameter Name and/or Parameter Value are not supported.

  • Country-based exception rules are only supported in managed tenants (declarative or central management).

  • Containerized agents running version 1.1.9 or earlier cannot be upgraded directly to version 1.1.21 or newer.

    • As a best practice, upgrade the agent container periodically so that you always run a recent version and do not hit this gap.
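The exception limitations above (one key per rule for country and source IP, implicit OR between rules, "=" as the only operator, no Drop rules on parameter name/value) are easier to see in declarative form. The following is an added example, not taken from the open-appsec documentation or from the project's code. It assumes the layout of the v1beta1 Exception custom resource as understood by the editor: spec is a list of rules, each rule has an action and a list of key/value conditions that are ANDed together, and the rules themselves are ORed. The key names (countryCode, sourceIp, url, hostName, paramName), the action values and the sample values are assumptions for illustration; check them against the "Setup Custom Rules and Exceptions" page before use.

```yaml
# Added example, not from the open-appsec docs. Assumes the v1beta1 Exception
# CRD layout: spec is a list of rules; conditions inside a rule are ANDed,
# the rules themselves are ORed. Key names and values are assumptions.
apiVersion: openappsec.io/v1beta1
kind: Exception
metadata:
  name: exceptions-example
spec:
  # NOT supported: a country key ANDed with another key in the SAME rule.
  # - action: "accept"
  #   condition:
  #     - key: "countryCode"
  #       value: "NL"
  #     - key: "url"
  #       value: "/healthz"

  # Supported shape: the country and source-IP conditions each live in their
  # own rule. Because rules are ORed, this accepts traffic from NL, OR traffic
  # from 10.20.30.40, OR the host/path match below; it is not an AND.
  - action: "accept"
    condition:
      - key: "countryCode"
        value: "NL"

  - action: "accept"
    condition:
      - key: "sourceIp"
        value: "10.20.30.40"

  # Keys other than country / source IP can still be ANDed within one rule.
  # Every condition is an exact "=" match; no other operator is available.
  - action: "accept"
    condition:
      - key: "url"
        value: "/healthz"
      - key: "hostName"
        value: "app.example.com"

  # paramName / paramValue can be used with "accept" (exempt the parameter
  # from inspection) but a "drop" rule on these keys is not supported.
  - action: "accept"
    condition:
      - key: "paramName"
        value: "csrf_token"
```

The practical consequence is that an exception such as "only this country on this path" cannot be expressed as a single rule today; splitting it into separate rules widens the exception to either condition on its own, so review whether that broader scope is acceptable before moving the asset to prevent mode.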

SaaS Management (WebUI):

  • Creating a second tenant with the same email address is not supported (the user can be added to another tenant, owned by a different main email address, as an additional user).

  • Wildcard asset: only a single asset using a wildcard resource is allowed per tenant for each of HTTP and HTTPS (e.g. http://* and https://*). This will be resolved soon.

  • Social log-in: adding Google or GitHub users as additional users to a tenant is not supported (use regular users with email addresses instead).

  • Different log trigger, user response and exceptions per practice:

    Currently unsupported. The configuration of the Web Attacks practice applies to all other security practices.

Platform support:

  • Fedora is temporarily not supported for Linux-embedded installations (consider a Docker-based deployment instead).

  • Ambassador support is not available yet.


Last updated 1 month ago


Let us know via the open-appsec GitHub or our Website if you identified a potential issue or limitation, and via our Website as well if you have ideas or requirements for additional features.
