/

Block Action

Action Type: Block

Blocks the specific operation and returns HTTP 403 Forbidden. Web applications only.

Available for: ASP.NET Core, ASP.NET Framework, Azure Functions (HTTP triggers)

How It Works

The Block action prevents the attack from executing and returns a 403 response.

Behavior:

  • Returns 403 Forbidden status code
  • Prevents operation from executing (query, file access, etc.)
  • Application continues running normally
  • Other requests unaffected
  • Optionally includes threat details in response

When to Use

Recommended for:

  • SQL Injection - Block malicious database queries
  • NoSQL Injection - Block MongoDB/Redis attacks
  • Cross-Site Scripting (XSS) - Block script injection attempts
  • Path Traversal - Block unauthorized file access
  • Command Injection - Block OS command execution
  • SSRF - Block unauthorized HTTP requests
  • LDAP Injection - Block directory attacks
  • XXE - Block XML external entity attacks
  • LLM Prompt Injection - Block AI prompt manipulation

Not for:

  • Desktop applications (use close instead)
  • Mobile applications (use close instead)
  • Non-HTTP contexts

Configuration

JSON Configuration

JSON
{
  "protections": {
    "SqlInjection": {
      "enabled": true,
      "action": "block"
    },
    "CrossSiteScripting": {
      "enabled": true,
      "action": "block"
    },
    "PathTraversal": {
      "enabled": true,
      "action": "block"
    }
  }
}

ASP.NET Core Configuration

C#
builder.Services.AddByteHideMonitor(monitor =>
{
    monitor.WithProtection(ProtectionModuleType.SqlInjection, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.CrossSiteScripting, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.PathTraversal, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.CommandInjection, ActionType.Block);
});

Default Response

Standard 403 Response

HTTP
HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "Forbidden",
  "message": "Security violation detected"
}

With Threat Details (Optional)

HTTP
HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "Security violation detected",
  "incidentId": "SQL-2025-12-28-5678",
  "timestamp": "2025-12-28T23:00:00Z"
}

Custom Block Response

JSON Response

C#
builder.Services.AddByteHideMonitor(monitor =>
{
    monitor.OnThreatBlocked = async (context, threat) =>
    {
        context.Response.StatusCode = 403;
        context.Response.Headers["X-Security-Incident"] = threat.ThreatId;

        await context.Response.WriteAsJsonAsync(new
        {
            error = "Security violation detected",
            incidentId = threat.ThreatId,
            type = threat.ModuleType.ToString(),
            timestamp = DateTime.UtcNow
        });
    };
});

HTML Response

C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    context.Response.StatusCode = 403;
    context.Response.ContentType = "text/html";

    await context.Response.WriteAsync(@$"
        <!DOCTYPE html>
        <html>
        <head><title>Access Denied</title></head>
        <body>
            <h1>Security Violation Detected</h1>
            <p>Your request has been blocked due to a security policy.</p>
            <p>Incident ID: {threat.ThreatId}</p>
        </body>
        </html>
    ");
};

Redirect Response

C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    // Redirect to custom error page
    context.Response.Redirect("/security-error?incident=" + threat.ThreatId);
};

Code Examples

SQL Injection Protection

C#
builder.Services.AddByteHideMonitor(monitor =>
{
    monitor.WithProtection(ProtectionModuleType.SqlInjection, ActionType.Block);

    monitor.OnThreatBlocked = async (context, threat) =>
    {
        // Log to security team
        await securityLogger.LogCriticalAsync(
            "SQL injection blocked",
            threat.Metadata
        );

        // Return 403
        context.Response.StatusCode = 403;
        await context.Response.WriteAsJsonAsync(new
        {
            error = "Invalid request",
            incidentId = threat.ThreatId
        });
    };
});

XSS Protection with Logging

C#
builder.Services.AddByteHideMonitor(monitor =>
{
    monitor.WithProtection(ProtectionModuleType.CrossSiteScripting, ActionType.Block);

    monitor.OnThreatBlocked = async (context, threat) =>
    {
        // Log attack details
        await File.AppendAllTextAsync("logs/xss-attacks.log",
            $"[{DateTime.UtcNow}] XSS blocked: {threat.Description}\n"
        );

        // Block request
        context.Response.StatusCode = 403;
        await context.Response.WriteAsync("Request blocked");
    };
});

Multiple Protection Types

C#
builder.Services.AddByteHideMonitor(monitor =>
{
    // Block all web attacks
    monitor.WithProtection(ProtectionModuleType.SqlInjection, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.CrossSiteScripting, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.PathTraversal, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.CommandInjection, ActionType.Block);
    monitor.WithProtection(ProtectionModuleType.ServerSideRequestForgery, ActionType.Block);

    // Custom response for all
    monitor.OnThreatBlocked = async (context, threat) =>
    {
        context.Response.StatusCode = 403;

        await context.Response.WriteAsJsonAsync(new
        {
            error = "Security violation",
            type = threat.ModuleType.ToString(),
            incidentId = threat.ThreatId,
            support = "contact@company.com"
        });
    };
});

Integration Examples

With Application Insights

C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    // Track in Application Insights
    telemetryClient.TrackEvent("SecurityViolation", new Dictionary<string, string>
    {
        ["ThreatType"] = threat.ModuleType.ToString(),
        ["IncidentId"] = threat.ThreatId,
        ["UserAgent"] = context.Request.Headers["User-Agent"],
        ["IpAddress"] = context.Connection.RemoteIpAddress?.ToString()
    });

    context.Response.StatusCode = 403;
    await context.Response.WriteAsync("Forbidden");
};

With SIEM Integration

C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    // Send to SIEM
    await siemClient.SendEventAsync(new
    {
        EventType = "WebAttackBlocked",
        Severity = "High",
        ThreatType = threat.ModuleType.ToString(),
        SourceIP = context.Connection.RemoteIpAddress?.ToString(),
        RequestPath = context.Request.Path,
        Timestamp = DateTime.UtcNow
    });

    context.Response.StatusCode = 403;
};

Rate Limiting on Attacks

C#
private static readonly Dictionary<string, int> _attackCounts = new();

monitor.OnThreatBlocked = async (context, threat) =>
{
    var ip = context.Connection.RemoteIpAddress?.ToString();

    lock (_attackCounts)
    {
        _attackCounts.TryGetValue(ip, out int count);
        _attackCounts[ip] = count + 1;

        // Ban after 5 attacks
        if (count >= 5)
        {
            await ipBanService.BanAsync(ip, TimeSpan.FromHours(24));
        }
    }

    context.Response.StatusCode = 403;
};

Response Headers

Security Headers

C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    context.Response.StatusCode = 403;
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["X-Frame-Options"] = "DENY";
    context.Response.Headers["X-Security-Incident"] = threat.ThreatId;

    await context.Response.WriteAsync("Forbidden");
};

Best Practices

  1. Use Block for All Web Attacks
C#
// Block is the right choice for web protections
monitor.WithProtection(ProtectionModuleType.SqlInjection, ActionType.Block);
monitor.WithProtection(ProtectionModuleType.CrossSiteScripting, ActionType.Block);
  1. Log All Blocked Attacks
C#
monitor.OnThreatBlocked = async (context, threat) =>
{
    await logger.LogWarningAsync($"Blocked {threat.ModuleType}: {threat.Description}");
    context.Response.StatusCode = 403;
};
  1. Don't Reveal Too Much Information
C#
// Good: Generic message
await context.Response.WriteAsync("Forbidden");

// Bad: Reveals detection details
await context.Response.WriteAsync($"SQL injection detected: {threat.Description}");
  1. Implement Rate Limiting
C#
// Track attack attempts and ban repeat offenders
if (await IsRepeatAttacker(ipAddress))
{
    await BanIpAddressAsync(ipAddress);
}
  • Log - Log attack without blocking
  • Custom - Custom block logic
  • Close - Terminate (desktop/mobile)

All Actions

View all action types

Custom Actions

Advanced responses

Previous
Log
Next
Erase