NetScaler® ingress controller

Configure OWASP Top 10 protection policies with the OWASP CRD

May 26, 2026

Contributed by:

The OWASP Top 10:2025 represents the most critical security risks to web applications. Using the OWASP CRD (owasppolicy), you can configure comprehensive WAF and Bot management protections aligned with the OWASP Top 10 categories in a single Kubernetes Custom Resource.

The OWASP Top 10:2025 categories are:

A01:2025 - Broken Access Control
A02:2025 - Security Misconfiguration
A03:2025 - Software Supply Chain Failures
A04:2025 - Cryptographic Failures
A05:2025 - Injection
A06:2025 - Insecure Design
A07:2025 - Authentication Failures
A08:2025 - Software or Data Integrity Failures
A09:2025 - Security Logging and Alerting Failures
A10:2025 - Mishandling of Exceptional Conditions

As per the OWASP Top 10, the following rules are supported by the owasppolicy CRD. The CRD is composed of two main sections:

Bot protection
WAF (Web Application Firewall) protection.

Note:

In case you want to use existing Bot and Waf CRDs, ensure not to enable the same fields in Owasppolicy CRD.

OWASP CRD definition

The OWASP CRD definition is available at owasp-crd.yaml. Deploy it by running the following command:

kubectl create -f owasp-crd.yaml
<!--NeedCopy-->

The CRD uses apiVersion: citrix.com/v1 and kind: owasppolicy.

OWASP CRD structure

The top-level spec contains:

CRD attribute	Description
`ingressclass`	Ingress class to scope which ingress controller processes this resource.
`servicenames`	List of services to which the OWASP policies are applied.
`bot`	Bot management protection configuration.
`waf`	Web Application Firewall protection configuration.

NetScaler Top-Level Entity Mapping:

CRD Section	NetScaler Entity	NetScaler Attributes
`bot`	`botprofile`	Profile containing all bot protection settings
`bot`	`botpolicy`	`rule`, `profilename` — policy bound to LB virtual server
`bot`	`lbvserver_botpolicy_binding`	`policyname`, `bindpoint=REQUEST`
`waf`	`appfwprofile`	Profile containing all WAF protection settings
`waf`	`appfwpolicy`	`rule`, `profilename` — policy bound to LB virtual server
`waf`	`lbvserver_appfwpolicy_binding`	`policyname`, `bindpoint=REQUEST`

Bot protection

Allow and block list

Add rule expressions to allow or block traffic.

Attribute	Description
`action`	`allow` or `block`
`expression`	ADC policy expression to match traffic.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`action: allow`	`botprofile`	`bot_enable_white_list`	`ON`
`action: allow`, `expression`	`botprofile_whitelist_binding`	`bot_whitelist_type`, `bot_whitelist_value`, `bot_whitelist_enabled`	`EXPRESSION`, `HTTP.REQ.URL.PATH.EQ("apache.com")`, `ON`
`action: block`	`botprofile`	`bot_enable_black_list`	`ON`
`action: block`, `expression`	`botprofile_blacklist_binding`	`bot_blacklist_type`, `bot_blacklist_value`, `bot_blacklist_action`, `bot_blacklist_enabled`	`EXPRESSION`, `HTTP.REQ.URL.PATH.EQ("nginx.com")`, `[LOG, DROP]`, `ON`

Geo blocking

Add a list of countries to block by using ISO 3166-1 alpha-2 country codes.

Attribute	Description
`blocked-countries`	List of country codes (for example, `CN`, `RU`).

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`blocked-countries`	`policypatset`	`name`	`<profile_name>`
`blocked-countries[*]`	`policypatset_pattern_binding`	`String`, `index`	`CN`, `1`
`blocked-countries`	`botprofile_blacklist_binding`	`bot_blacklist_type`, `bot_blacklist_value`, `bot_blacklist_action`	`EXPRESSION`, `CLIENT.IP.SRC.MATCHES_LOCATION("<patset_name>")`, `[LOG, DROP]`

IP reputation

Select from the following categories (default: all enabled):

Spam Sources
Windows Exploits
Web Exploits
Botnets Ransomware C&Cs
Scanners
Phishing
Anonymous or Suspicious Proxies
Mobile Threats
Tor Proxies
DoS
Cloud
Cloud (AWS)
Cloud (Azure)
Cloud (IBM)
Cloud (Oracle)
Cloud (Salesforce)
IP
Network
Reputation

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`ip-reputation`	`botprofile`	`bot_enable_ip_reputation`	`ON`
`spam-sources`	`botprofile_ipreputation_binding`	`category`, `bot_iprep_enabled`, `bot_iprep_action`	`SPAM_SOURCES`, `ON`, `[LOG, DROP]`
`windows-exploits`	`botprofile_ipreputation_binding`	`category`	`WINDOWS_EXPLOITS`
`web-exploits`	`botprofile_ipreputation_binding`	`category`	`WEB_ATTACKS`
`botnets-ransomware-ccs`	`botprofile_ipreputation_binding`	`category`	`BOTNETS`
`scanners`	`botprofile_ipreputation_binding`	`category`	`SCANNERS`
`phishing`	`botprofile_ipreputation_binding`	`category`	`PHISHING`
`anonymous-or-suspicious-proxies`	`botprofile_ipreputation_binding`	`category`	`PROXY`
`tor-proxies`	`botprofile_ipreputation_binding`	`category`	`TOR_PROXY`
`dos`	`botprofile_ipreputation_binding`	`category`	`DOS`
`cloud`	`botprofile_ipreputation_binding`	`category`	`CLOUD`
`cloud-aws`	`botprofile_ipreputation_binding`	`category`	`CLOUD_AWS`
`cloud-azure`	`botprofile_ipreputation_binding`	`category`	`CLOUD_AZURE`
`cloud-ibm`	`botprofile_ipreputation_binding`	`category`	`CLOUD_IBM`
`cloud-oracle`	`botprofile_ipreputation_binding`	`category`	`CLOUD_ORACLE`
`cloud-salesforce`	`botprofile_ipreputation_binding`	`category`	`CLOUD_SALESFORCE`
`ip`	`botprofile_ipreputation_binding`	`category`	`IP`
`network`	`botprofile_ipreputation_binding`	`category`	`NETWORK`
`reputation`	`botprofile_ipreputation_binding`	`category`	`REPUTATION`

Rate Limit

Add rate limit policies per URL, session cookie, or source IP address.

Attribute	Description
`url-pattern`	URL pattern to rate limit.
`session-cookie`	Session cookie name to rate limit.
`sourceip`	Set to `true` to rate limit by source IP.
`requests-per-second`	Maximum requests per second.
`action`	Action to take: `drop`, `log`, `reset`.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`rate-limit`	`botprofile`	`bot_enable_rate_limit`	`ON`
`url-pattern`	`botprofile_ratelimit_binding`	`bot_rate_limit_type`, `bot_rate_limit_url`	`URL`, `/api/v1/*`
`session-cookie`	`botprofile_ratelimit_binding`	`bot_rate_limit_type`, `bot_rate_limit_url`	`SESSION`, `JSESSIONID`
`sourceip`	`botprofile_ratelimit_binding`	`bot_rate_limit_type`	`SOURCE_IP`
`requests-per-second`	`botprofile_ratelimit_binding`	`rate`, `bot_rate_limit_time_slice`	`100`, `1000`
`action`	`botprofile_ratelimit_binding`	`bot_rate_limit_action`, `bot_rate_limit_enabled`	`[LOG, DROP]`, `ON`

Bot signatures

Enable or disable bot signature detection by providing a URL to the signature file.

Attribute	Description
`bot-signature`	URL to the external bot signature JSON file.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`bot-signature`	`botprofile`	`signature`	`<signature_object_name>`

Bot trap

Add enforcement URLs that act as hidden trap URLs to detect automated bots.

Attribute	Description
`enforcement-url`	URL to insert as a trap.
`action`	Action: `block`, `log`, `redirect`.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`enforcement-url`	`botprofile_trapinsertionurl_binding`	`bot_trap_url`, `bot_trap_url_insertion_enabled`	`apache.com`, `ON`

Bot TPS

Enforce rate-based bot detection using Transactions Per Second (TPS) thresholds. Requests exceeding the configured TPS limits are treated as bot traffic.

Attribute	Description
`action`	Action to take: `drop`, `reset`, `none`. Default: `drop`.
`enforcement-type`	TPS-based enforcement type: `ClientIP`, `GeoLocation`, `Host`, `SourceUrl`. Default: `ClientIP`.
`minimum-tps`	Minimum bot TPS threshold for enforcement.
`maximum-tps-percentage`	Maximum TPS increase percentage (per 30-minute interval).

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`bot-tps`	`botprofile`	`bot_enable_tps`	`ON`
`action`	`botprofile_tps_binding`	`bot_tps_action`	`[LOG, DROP]`
`enforcement-type`	`botprofile_tps_binding`	`bot_tps_type`	`SOURCE_IP`
`minimum-tps`	`botprofile_tps_binding`	`threshold`	`4`
`maximum-tps-percentage`	`botprofile_tps_binding`	`percentage`	`10000`

Device fingerprint

Enable or disable device fingerprinting to distinguish bots from humans by collecting browser and device attributes.

Attribute	Description
`action`	Action: `log`, `drop`, `redirect`, `reset`.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`device-fingerprint`	`botprofile`	`devicefingerprint`	`ON`
`action`	`botprofile`	`devicefingerprintaction`	`[LOG]`

WAF protection

SQL injection

Protects against SQL injection attacks (OWASP A05: Injection) and provides an option to add exceptions.

Attribute	Description
`action`	Action: `block`.
`exceptions`	List of exceptions.
`type`	Exception content type: `JSON` or `HTML`.
`url-pattern`	URL pattern to exempt.
`form-field-name`	Form field name to exempt.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`sql-injection`	`appfwprofile`	`SQLInjectionAction`	`[block, log, stats]`
`exceptions`	`appfwprofile_sqlinjection_binding`	`sqlinjection`, `formactionurl_sql`, `isregex_sql`	`.`, `.`, `REGEX`

Buffer overflow

Protects against buffer overflow attacks by enforcing size limits.

Attribute	Description
`action`	Action: `block`.
`max-url-length`	Maximum URL length.
`max-cookie-length`	Maximum cookie length.
`max-header-length`	Maximum header length.

JSON Protection:

Attribute	Description
`max-container-depth`	Maximum container depth for JSON.
`max-document-length`	Maximum document length for JSON.
`max-object-key-count`	Maximum object key count for JSON.
`max-object-key-length`	Maximum object key length for JSON.
`max-array-length`	Maximum array length for JSON.
`max-string-length`	Maximum string length for JSON.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`buffer-overflow`	`appfwprofile`	`bufferOverflowAction`	`[block, log, stats]`
`max-url-length`	`appfwprofile`	`bufferOverflowMaxURLLength`	`1024`
`max-cookie-length`	`appfwprofile`	`bufferOverflowMaxCookieLength`	`4096`
`max-header-length`	`appfwprofile`	`bufferOverflowMaxHeaderLength`	`4096`
`max-container-depth`	`appfwprofile`	`JSONMaxContainerDepth`	`1`
`max-document-length`	`appfwprofile`	`JSONMaxDocumentLength`	`200000000`
`max-object-key-count`	`appfwprofile`	`JSONMaxObjectKeyCount`	`10000`
`max-object-key-length`	`appfwprofile`	`JSONMaxObjectKeyLength`	`10000`
`max-array-length`	`appfwprofile`	`JSONMaxArrayLength`	`10000`
`max-string-length`	`appfwprofile`	`JSONMaxStringLength`	`10000000`

Enable or disable cookie consistency enforcement.

Attribute	Description
`action`	Action: `block`.
`exceptions`	List of cookie names to exempt.
`cookie-name`	New cookie name to add as exception.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`cookie-consistency`	`appfwprofile`	`cookieConsistencyAction`	`[block, log, stats]`
`exceptions[*].cookie-name`	`appfwprofile_cookieconsistency_binding`	`cookieconsistency`	`session_tracker`

Cross-site scripting

Protects against cross-site scripting attacks (OWASP A05: Injection).

Attribute	Description
`action`	Action: `block`.
`content-type`	`HTML`, `JSON`, or `all`.
`exceptions`	List of exceptions.
`type`	Exception content type: `JSON` or `HTML`.
`url-pattern`	URL pattern to exempt.
`form-field-name`	Form field name to exempt.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`cross-site-scripting`	`appfwprofile`	`crossSiteScriptingAction`	`[block, log, stats]`
`exceptions`	`appfwprofile_crosssitescripting_binding`	`crosssitescripting`, `formactionurl_xss`, `isregex_xss`	`.*`, `/admin/editor`, `REGEX`

Command injection

Protects against OS command injection attacks (OWASP A05: Injection).

Attribute	Description
`action`	Action: `block`.
`content-type`	`HTML`, `JSON`, or `all`.
`exceptions`	List of exceptions.
`type`	Exception content type: `JSON` or `HTML`.
`url-pattern`	URL pattern to exempt.
`form-field-name`	Form field name to exempt.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`command-injection`	`appfwprofile`	`cmdInjectionAction`	`[block, log, stats]`
`exceptions`	`appfwprofile_cmdinjection_binding`	`cmdInjection`, `formactionurl_cmd`, `isregex_cmd`	`.*`, `/admin/cmd-tool`, `REGEX`

CSRF

Protects against Cross-Site Request Forgery (OWASP A01: Broken Access Control).

Attribute	Description
`action`	Action: `block`.
`content-type`	`HTML`.
`exceptions`	List of URL patterns to exempt.
`url-pattern`	URL pattern to exempt.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`csrf`	`appfwprofile`	`CSRFtagAction`	`[block, log, stats]`
`exceptions[*].url-pattern`	`appfwprofile_csrftag_binding`	`csrftag`, `csrfformactionurl`	`.*`, `apache.com`

Field format

Enable field format validation to enforce input constraints.

Attribute	Description
`action`	Action: `block`.
`field-name`	Name of the field.
`format`	Format type: `Integer`, `Alphabets`, `Alphanumeric`, `No HTML`, `Any`, `SSN`, `Credit Card`, `Custom`.
`customregex`	Custom regex when format is `Custom`.
`min-length`	Minimum field length.
`max-length`	Maximum field length.
`url-pattern`	URL pattern scope for enforcement.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`field-format`	`appfwprofile`	`fieldFormatAction`	`[block, log, stats]`
`enforcements[*]`	`appfwprofile_fieldformat_binding`	`fieldformat`, `formactionurl_ff`, `fieldtype`	`age`, `.*`, `integer`
`min-length`, `max-length`	`appfwprofile_fieldformat_binding`	`fieldformatminlength`, `fieldformatmaxlength`	`1`, `3`
`customregex`	`appfwfieldtype`	`name`, `regex`, `priority`	`<fieldtype_name>`, `<regex>`, `2`

Field consistency

Protects against form field tampering.

Attribute	Description
`action`	Action: `block`.
`content-type`	`HTML`.
`exceptions`	List of exceptions.
`url-pattern`	URL pattern to exempt.
`field-name`	Field name to exempt.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`field-consistency`	`appfwprofile`	`fieldConsistencyAction`	`[block, log, stats]`
`exceptions[*]`	`appfwprofile_fieldconsistency_binding`	`fieldconsistency`, `formactionurl_ffc`	`.*`, `/form/dynamic`

WAF signatures

Provide a URL to the WAF signature file to enable signature-based detection.

Attribute	Description
`waf-signature`	URL of the WAF signature XML file.

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`waf-signature`	`appfwprofile`	`signatures`	`<signature_object_name>`

Data leak prevention

Configure SAFE objects to prevent sensitive data leakage in responses.

Pre-existing SAFE object types: SSN, CreditCard

Custom SAFE objects:

Attribute	Description
`type`	`SSN`, `CreditCard`, or `Custom`.
`action`	Action: `mask`, `block`, `log`.
`max-match-length`	Maximum match length for the pattern.
`regex`	Custom regex pattern (when type is `Custom`).

NetScaler Entity Mapping:

CRD Field	NetScaler Entity	NetScaler Attribute	Example Value
`type: SSN`	`appfwprofile_safeobject_binding`	`safeobject`, `as_expression`, `maxmatchlength`, `action`, `state`	`ssn`, `SSN`, `15`, `[log]`, `ENABLED`
`type: CreditCard`	`appfwprofile_safeobject_binding`	`safeobject`, `as_expression`, `maxmatchlength`, `action`	`creditcard`, `CreditCard`, `255`, `[block]`
`type: Custom`	`appfwprofile_safeobject_binding`	`safeobject`, `as_expression`, `maxmatchlength`, `action`	`custom`, `\b[A-Z]{2}\d{6}\b`, `8`, `[log]`

Deploy the OWASP CRD

Deploy the CRD definition:

kubectl create -f owasp-crd.yaml
<!--NeedCopy-->

Deploy your OWASP policy:

kubectl apply -f owasp_waf_bot.yaml
<!--NeedCopy-->

Full Example: Combined WAF and Bot Policy

The following is a complete example (owasp_waf_bot.yaml) demonstrating all supported protections:

apiVersion: citrix.com/v1
kind: owasppolicy
metadata:
  name: test-bm-owasp-policy
  namespace: default
spec:
  bot:
    bot-signature: "http://1.1.1.1/crd/bot_sig.json"
    allow-and-block-list:
      rules:
      - action: allow
        expression: HTTP.REQ.URL.PATH.EQ("apache.com")
      - action: block
        expression: HTTP.REQ.URL.PATH.EQ("nginx.com")
    bot-trap:
      enforcements:
      - action: block
        enforcement-url: apache.com
      - action: log
        enforcement-url: example.com
      - action: redirect
        enforcement-url: redirect.example.com
    bot-tps:
      enforcement-type: ClientIP
      minimum-tps: 4
      maximum-tps-percentage: 10000
      action: drop
    device-fingerprint:
      action: log
    geo-blocking:
      blocked-countries:
      - CN
      - RU
    ip-reputation:
      categories:
        anonymous-or-suspicious-proxies: true
        botnets-ransomware-ccs: true
        mobile-threats: true
        phishing: true
        scanners: true
        spam-sources: true
        tor-proxies: true
        web-exploits: true
        windows-exploits: true
    rate-limit:
      policies:
      - action: drop
        requests-per-second: 100
        url-pattern: /api/v1/*
      - action: drop
        requests-per-second: 5
        url-pattern: /login
      - action: drop
        requests-per-second: 50
        url-pattern: /search
      - action: log
        requests-per-second: 20
        session-cookie: JSESSIONID
      - action: reset
        requests-per-second: 200
        sourceip: true
  ingressclass: cic-vpx
  servicenames:
  - frontend
  waf:
    buffer-overflow:
      action: block
      json-protection:
        max-array-length: 10000
        max-container-depth: 1
        max-document-length: 200000000
        max-object-key-count: 10000
        max-object-key-length: 10000
        max-string-length: 10000000
      max-cookie-length: 4096
      max-header-length: 4096
      max-url-length: 1024
    command-injection:
      action: block
      content-type: all
      exceptions:
      - type: HTML
        url-pattern: /admin/cmd-tool
      - type: JSON
        url-pattern: /api/script-runner
    cookie-consistency:
      action: block
      exceptions:
      - cookie-name: session_tracker
    cross-site-scripting:
      action: block
      content-type: all
      exceptions:
      - type: HTML
        url-pattern: /admin/editor
      - type: JSON
        url-pattern: /api/render
    csrf:
      action: block
      content-type: HTML
      exceptions:
      - url-pattern: apache.com
    data-leak-prevention:
      safe-objects:
      - action: mask
        type: SSN
        max-match-length: 15
      - action: block
        type: CreditCard
      - action: log
        type: Custom
        regex: "\\b[A-Z]{2}\\d{6}\\b"
        max-match-length: 8
    field-consistency:
      action: block
      content-type: HTML
      exceptions:
      - url-pattern: /form/dynamic
    field-format:
      enforcements:
      - action: block
        format: Any
      - action: block
        field-name: "email"
        format: Custom
        customregex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"
        max-length: 254
        min-length: 5
        url-pattern: /register
      - action: log
        field-name: "age"
        format: Integer
        max-length: 3
        min-length: 1
    sql-injection:
      action: block
      exceptions:
      - type: HTML
        url-pattern: .*
    waf-signature: "http://1.1.1.1/crd/sig.xml"
<!--NeedCopy-->

The official version of this product documentation is in English. Any non-English version is solely provided for your convenience and may include machine-translated content. For more information, please refer to the Machine Translation Disclaimer on Cloud Software Group home.

Was this helpful

NetScaler Secure Deployment Guide

Configure OWASP Top 10 protection policies with the OWASP CRD

May 26, 2026

Contributed by:

May 26, 2026

Contributed by:

Configure OWASP Top 10 protection policies with the OWASP CRD

OWASP CRD definition

OWASP CRD structure

Bot protection

Allow and block list

Geo blocking

IP reputation

Rate Limit

Bot signatures

Bot trap

Bot TPS

Device fingerprint

WAF protection

SQL injection

Buffer overflow

Cookie consistency

Cross-site scripting

Command injection

CSRF

Field format

Field consistency

WAF signatures

Data leak prevention

Deploy the OWASP CRD

Full Example: Combined WAF and Bot Policy

In this article