New in Web Agent 2025.x

When the agent is configured to validate the JWT signature locally, it now returns a 403 response if validation fails. Previously, the agent would clear the cookie and redirect the user to the login page.

Trailing forward slashes (/) are now ignored when evaluating Not-Enforced rules with one level wildcards (-*-). This change ensures that requests to resources with a trailing forward slash are correctly matched by Not-Enforced rules that use one-level wildcards.

A new AmAuthErrorDocument Apache directive lets you switch authorization on or off for ErrorDocument internal file or CGI redirects.

Switch this on when you have ErrorDocuments that use CGI scripts and require authorization.

Learn more in AmAuthErrorDocument directive to authorize ErrorDocument internal redirects.

We’ve made changes to the policy decision cache metrics to make it clearer which cache is being used.

The existing cache_decision_total metric is now updated when the AM_POLICY_CACHE_MODE environment variable is set to on and a new url_cache_decision_total metric is updated when this environment variable is set to off.

Learn more in policy decision metrics.

We’ve made changes to the Apache Web Agent to make it compatible with mod_headers. This allows you to set security headers, including CORS responses, in the Apache configuration using mod_headers.

Learn more in Apache Module mod_headers in the Apache documentation.

We’ve made changes to Web Agent to provide FIPS 140 compliance.

Learn more in FIPS 140 compliance.

A new Public Client Certificate Friendly Name property lets you set the friendly name used to look up the client certificate in the Windows certificate store for agents using Schannel.

Use this new property instead of the Public Client Certificate File Name property to set the certificate friendly name.

The Public Client Certificate File Name property should now be used only for the name of the file that contains the client certificate chain.

The TLS 1.3 security protocol can now be disabled for Windows Secure Channel API (Schannel) if required by adding -TLSv1.3 to the Security Protocol List.

We’ve added a new authenticated_return_total metric to the policy decision metrics returned by the Prometheus endpoint. This metric provides a count of the requests returned after authentication.

It’s useful to monitor this metric with the not_authenticated_total metric as a possible indicator of a Denial of Service (DoS) attack.

Web Agent 2025.3.1 is a maintenance release. It contains no new features.

Web Agent 2025.3 is a major release that introduces new features, functional enhancements, and fixes.