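# Nginx WAF rules for FIXATION
#
# Sets $attack_detected when a rule below matches and answers 403 if any did.
# Every rule tests $request_uri only: the raw request path and query string,
# without percent-decoding. Cookies, other request headers and the request
# body are not inspected by this block, so percent-encoded payloads and
# payloads outside the URI pass through unexamined.
location / {
    set $attack_detected 0;

    # NOTE(review): "!@endsWith %{request_headers.host}" reads like a
    # ModSecurity operator expression rather than a regular expression. Used
    # as an nginx regex it is matched as pattern text against the URI and
    # compares nothing with the Host header. Left unchanged; re-derive the
    # intended check from the original rule before relying on it.
    if ($request_uri ~* "!@endsWith %{request_headers.host}") {
        set $attack_detected 1;
    }

    # NOTE(review): the pattern is anchored on a URL scheme, but $request_uri
    # normally begins with "/", so this is not expected to match ordinary
    # requests. The capture group suggests the host was meant to feed the
    # host comparison above, presumably from a different input - confirm
    # which variable the original rule inspected.
    if ($request_uri ~* "^(?:ht|f)tps?://(.*?)/") {
        set $attack_detected 1;
    }

    # NOTE(review): ^...$ requires the whole request URI to equal one of these
    # session-identifier names, which cannot happen while the URI starts with
    # "/". The list looks like it was meant to match parameter names. Matching
    # it on its own would also reject every request that legitimately carries
    # such a parameter, so decide the combining condition before enabling it.
    if ($request_uri ~* "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
        set $attack_detected 1;
    }

    # Cookie-setting content in the URI: a ".cookie" reference followed by
    # ";" and an expires=/domain= attribute, or an http-equiv set-cookie tag.
    # The \. \b and \W escapes are restored here; without their backslashes
    # the pattern demanded literal "b" and "W" letters and missed the input
    # it was written for.
    if ($request_uri ~* "(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)") {
        set $attack_detected 1;
    }

    # NOTE(review): "@eq 0" is likewise an operator expression (a count
    # compared with zero), not a regex; here it only matches that literal
    # text in the URI. What was being counted is not recoverable from this
    # file. Left unchanged.
    if ($request_uri ~* "@eq 0") {
        set $attack_detected 1;
    }

    # Only "set" and "return" are used inside the if blocks above, which keeps
    # to the directives that behave predictably inside a location-level "if".
    if ($attack_detected = 1) {
        return 403;
    }
}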