# Nginx WAF rules for FIXATION
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_fixation {
    default 0;
    "~*^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" 1;
    "~*^(?:ht|f)tps?://(.*?)/" 1;
    "~*@eq 0" 1;
    "~*!@endsWith %{request_headers.host}" 1;
    "~*(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" 1;
}

if ($waf_block_fixation) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}