Additional Information on Static URL Hardening and Form Hardening

It is best practice to always enable both URL hardening and form hardening, because the two functions are complementary. In particular, enabling both prevents the issues that can occur when only one of them is enabled:
  • Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSs), e.g., such page requests are blocked by form hardening because it expects a signature, which is missing.
  • Only URL hardening is activated: When a web browser appends form data to the action URL of a web form's form tag (which is the case with GET requests), the form data becomes part of the request URL sent to the webserver, thereby rendering the URL signature invalid.

Activating both functions solves these issues because the WAF accepts a request if either form hardening or URL hardening finds it valid.
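
The following added example models this interaction; it is not the WAF's actual implementation. The HMAC-SHA256 signing scheme, the key, the function names and the two sample requests are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

KEY = b"constructed-demo-key"  # assumption: secret known only to the WAF

def _mac(data):
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()

def sign_url(path, query):
    # URL hardening (modelled): sign the exact URL emitted in the served page.
    return _mac("url|" + path + "?" + urlencode(sorted(query.items())))

def sign_form(action, field_names):
    # Form hardening (modelled): sign the form's action and field names, not values.
    return _mac("form|" + action + "|" + ",".join(sorted(field_names)))

def url_valid(req):
    expected = sign_url(req["path"], req["query"])
    return hmac.compare_digest(expected, req.get("url_sig", ""))

def form_valid(req):
    expected = sign_form(req["path"], req["query"].keys())
    return hmac.compare_digest(expected, req.get("form_sig", ""))

def waf_accepts(req, url_hardening, form_hardening):
    # A request passes if any enabled check finds it valid.
    checks = []
    if url_hardening:
        checks.append(url_valid(req))
    if form_hardening:
        checks.append(form_valid(req))
    return any(checks) if checks else True

# Constructed request 1: CMS hyperlink with an appended query, signed as a URL only.
CMS_LINK = {"path": "/index.php", "query": {"view": "article", "id": "1"},
            "url_sig": sign_url("/index.php", {"view": "article", "id": "1"})}

# Constructed request 2: GET form. The WAF signed the bare action URL and the form;
# the browser then appended the field data to the URL on submit.
GET_FORM = {"path": "/search", "query": {"q": "waf"},
            "url_sig": sign_url("/search", {}),
            "form_sig": sign_form("/search", ["q"])}

if __name__ == "__main__":
    for name, req in (("cms link", CMS_LINK), ("GET form", GET_FORM)):
        for url_on, form_on in ((False, True), (True, False), (True, True)):
            print(name, "url:", url_on, "form:", form_on, "->",
                  waf_accepts(req, url_on, form_on))
```

In this model, a request whose parameter names were altered after signing fails both checks, so enabling both functions widens what is accepted only to requests that carry at least one valid signature.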