
Application exclusions

Exclusions are used to suppress events. You might want to suppress events if you are using an external security control outside of the scope of Contrast's agent instrumentation. For example:

  • As an administrator, you need to change the HTML that shows up on your web page, even though this qualifies as a cross-site scripting (XSS) vulnerability. In this case, you can create an exclusion that prevents these changes from being reported.

  • You use an edge device to add the correct headers to outbound HTTP responses to stop clickjacking attacks. However, Contrast may still report the issue, because the application itself never provided the required protection.

  • When you test beta rules, you can use exclusions to suppress false positives.

If you are using Java, Node.js, .NET, Python, Go, or Ruby agents, you can add an application exclusion under policy management, or from the list of attack events.

To view a list of existing exclusions, go to Applications > Your application name > Policy > Exclusions or user menu > Policy management > Application exclusions.

To add application exclusions for a specific application, go to Applications > Your application name > Policy > Exclusions or Attacks > Attack Events.