Backends do not always produce ideal responses. Legacy applications can return identity numbers, card numbers, email addresses, internal host names, old links or unnecessary technical information. Because these values appear inside the response body rather than in headers, they cannot be corrected with a standard header rule.
Fixing the problem in application code is often slow. The service may be owned by a different team, the release schedule may be months away, or the source code may be difficult to change because of ageing technology. Yet the security and compliance team needs the leak closed immediately.
Intervening in the response body without care can itself create new risks. A badly written regex can corrupt an entire page, an injected HTML fragment can land in the wrong place, and processing very large responses can affect performance. Body modification rules must therefore be applied with controlled parameters and a well-defined scope.
The right approach is to manage mask, replace and HTML tag operations on the response body as centralised traffic rules. A rule should know which path, content-type or condition it applies to; match behaviour and body size limits should be explicitly defined.
TR7 Response Body Modification masks, replaces or injects HTML into response content without changing backend code — resolving data leaks and legacy correction needs at the ADC/WAAP layer.
TR7 handles response body modification through three core modes: masking, replacement and HTML tag injection.
Mask mode replaces a portion of a string or regex-matched value with a mask character. Offset and minimum match settings reduce the risk of false positives.
Replace mode swaps a specific string or regex match for a new value. It is used for fixing legacy links, hiding internal host names or normalising small response issues.
htmlTag mode can insert scripts, banners, meta tags or similar HTML fragments into a response — without touching the application template.
Body modification rules can be scoped to a specific vService, path, content-type or traffic condition. The default body limit is kept low and can be raised deliberately when needed.
Response Body Modification makes controlled changes to response bodies for security, compliance and legacy modernisation purposes.
TR7 turns content changes into centralised rules through the modifyResponse action, which operates on the response body. The rule runs during the response phase and processes the body that arrives from the backend before it is forwarded to the client. This structure allows quick fixes without depending on application code, templates or the backend release process — and is especially valuable for closing critical security gaps in legacy applications.
Mask mode replaces a captured value with a chosen mask character. The mask character is defined as a single character and defaults to `*`. An offset setting allows a specified number of characters at the start or end to remain visible. This protects sensitive data in fields such as card numbers, identity numbers, patient IDs or email addresses while preserving partial visibility.
Replace mode swaps a specific string or regex match for a new value. Internal host names, old domains, incorrect links, deprecated endpoints or technical detail in a response can all be corrected. The operation normalises the backend output at the final exit point. The client receives correct and safe content without any change to application code.
htmlTag mode inserts specific tags or content into an HTML response. It is useful for maintenance notices, security banners, compliance text or small client-side corrections. The approach adds content at the response level without modifying the application template. Rules can be scoped to a specific path or host condition for controlled application.
A string matcher is available for simple literal matching. A regex matcher can be selected for more complex patterns. Regex helps capture variable values such as identity numbers, card formats, email addresses or custom organisation patterns. Operators can choose fast literal matching or flexible pattern-based matching according to their needs.
Case sensitivity may be critical in some response content. TR7 can control matcher behaviour with a case sensitivity setting. Options such as omitted characters allow specific characters to be preserved during masking. This produces more readable masking output for phone numbers, IBANs, card numbers or values with custom formatting.
Full masking is not always desirable. For audit or user experience purposes, the last four digits, the first few characters or a specific format section can be left visible. Mask offset turns this behaviour into a rule parameter. A partial masking standard is applied without any application code.
Some patterns may produce single accidental matches. A minimum match count setting means a rule only applies when a specified number of matches is found. This helps prevent overly aggressive masking from corrupting a page. Sensitive data patterns are applied in a safer and more predictable way.
Processing the response body is more costly than header rules. TR7 operates with a limited body size by default; this value can be raised when needed. Performance and memory impact must be considered for very large responses. Operators should run body modification rules only on the services and content-types where they are required.
Body modification can be applied to JSON API responses, HTML pages or plain-text output. Sensitive field masking in JSON, banner injection in HTML and internal information hiding in plain text are all supported. Rules can be constrained by content-type and path conditions. This flexibility allows different application types to be managed with the same action.
Response body modification is one of the enforcement mechanisms on the response side of a sensitive data masking strategy. When log IP masking, cookie encryption and response body masking are used together, broader data leakage control is achieved. Even if the backend returns more data than intended, TR7 can intervene at the final exit point. This gives compliance teams a strong additional security layer.
A body modification rule does not have to run on every response. It can be triggered by host, path, status code, content-type, user, source IP or other FX conditions. This ensures modification is applied only on sensitive endpoints or for specific user groups. Unnecessary performance cost and the risk of unintended substitution are both reduced.
Response body modification must be designed together with matcher type, body size, content-type scope, compression, streaming behaviour and audit visibility.
A string matcher is suited to fast, deterministic matches. A regex matcher is more flexible but can match too broadly if written incorrectly. Testing in a narrow-scoped condition is recommended for critical rules.
The default body limit is kept small and can be raised when needed. Processing large responses creates memory and latency overhead. If the limit needs to be raised to hundreds of MB, endpoint scope should be constrained carefully.
Rules should be restricted to JSON, HTML or text responses only. Body modification should not be applied to binary files, archives or media responses. A content-type filter is important for safe operation.
If a response is compressed, the content must be in a processable state before body modification can run. The sequence of compression and modification must be planned correctly. Otherwise the matcher will not see the expected text.
Body modification on streaming responses requires more careful handling. Match boundaries and buffer behaviour matter for chunked content. Rule scope should be kept narrow for large or continuous streams.
Which rule ran against which response can be logged. Instead of logging the sensitive value itself, metadata such as rule name, endpoint and match count should be retained. This produces a safer audit record for compliance and security review.
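The masking parameters described above (mask character, offset, omitted characters, minimum match count) together with the content-type scope, body limit and value-free audit record can be modelled in a few lines. The following is an added illustration written for this page, not TR7's own modifyResponse syntax; the rule dictionary, the sign convention for offset (negative keeps the tail, positive keeps the head) and the sample body are assumptions.

```python
import re

# Hypothetical rule model for this illustration; it mirrors the parameters the
# text describes and is not TR7's own rule syntax.
CARD_RULE = {
    "name": "mask-card-numbers",
    "pattern": r"\b(?:\d{4}[ -]?){3}\d{4}\b",   # 16-digit card number, optional separators
    "case_sensitive": False,
    "mask_char": "*",
    "offset": -4,                  # assumption: negative keeps the tail visible, positive the head
    "omitted_chars": " -",         # separators survive masking so the layout stays readable
    "min_matches": 1,
    "content_types": ("application/json", "text/html", "text/plain"),
    "body_limit": 1024 * 1024,     # bytes; larger bodies pass through untouched
}


def mask_value(value, mask_char="*", offset=0, omitted_chars=""):
    """Mask one matched value, keeping `offset` chars visible and omitted chars intact."""
    n = len(value)
    visible = range(min(offset, n)) if offset >= 0 else range(max(n + offset, 0), n)
    return "".join(ch if i in visible or ch in omitted_chars else mask_char
                   for i, ch in enumerate(value))


def apply_mask_rule(body, content_type, rule):
    """Return (new_body, audit); the audit holds rule name, match count and skip
    reason, never the matched value itself."""
    audit = {"rule": rule["name"], "matches": 0, "applied": False}
    if content_type.split(";")[0].strip() not in rule["content_types"]:
        audit["reason"] = "content-type out of scope"      # binary/media never touched
        return body, audit
    if len(body.encode()) > rule["body_limit"]:
        audit["reason"] = "body exceeds limit"             # skip rather than half-edit
        return body, audit
    pattern = re.compile(rule["pattern"], 0 if rule["case_sensitive"] else re.IGNORECASE)
    audit["matches"] = sum(1 for _ in pattern.finditer(body))
    if audit["matches"] < rule["min_matches"]:
        audit["reason"] = "below minimum match count"      # guards against accidental hits
        return body, audit
    masked = pattern.sub(lambda m: mask_value(m.group(0), rule["mask_char"],
                                              rule["offset"], rule["omitted_chars"]), body)
    audit["applied"] = True
    return masked, audit


# Constructed sample response body, not captured from a real backend.
SAMPLE_JSON = '{"customer":"A. Tester","card":"4111 1111 1111 1111"}'
```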
A financial application may return card numbers in its response. TR7 masks everything except the last four digits, reducing the risk of sensitive data exposure.
A legacy healthcare application may return patient IDs or identity information in its response. TR7 hides these fields with regex-based masking before they reach the user.
An HTML response may contain old domain or internal host name references. Replace mode substitutes these links with the new public domain, easing the migration process.
When the application template cannot be changed, TR7 can use htmlTag mode to add a banner or informational fragment to the page. This provides a practical solution for temporary maintenance and compliance notices.
A backend may return internal IP addresses, hostnames or technical version information in its response. TR7 removes this information before it reaches the client using a replace or mask rule.
Sensitive data masking, legacy link rewriting and banner injection through mask, replace and htmlTag modes. Let us walk you through a live setup on your own services.