Application exclusions

Exclusions are used to suppress events. You might want to suppress events if you are using an external security control outside of the scope of Contrast's agent instrumentation. For example:

  • As an administrator, you need to change the HTML that shows up on your web page, even though this qualifies as a cross-site scripting (XSS) vulnerability. In this case, you can create an exclusion that prevents these changes from being reported.

  • You use an edge device to place the correct headers on outbound HTTP responses to stop clickjacking attacks. However, the issue might be appropriately reported because the application never provided the required protection.

  • When you test beta rules, you can use exclusions to suppress false positives.

If you are using Java or .NET agents, you can add an application exclusion under policy management, or from the list of attack events.

You can view a list of existing exclusions either at Applications > Your application name > Policy > Exclusions or in the user menu > Policy management > Application exclusions.