We are exposing forgot-password to internet. We have configured several rules in Akamai(WAF) to allow/block certain url's however the Akamai team came back saying they cannot block /sigma/public/index#/login as the browser doesn't see anything beyond index. We have Akamai and iSAM before hitting and web servers before hitting our application servers.

Looks like anything after # is not being sent to origin.

Attached har file for /sigma/public/index#/login and /sigma/public/index#/forgot-password

We even tried blocking at web server level and couldn't get it to work.

Requirement: We want to block /sigma/public/index#/login but allow /sigma/public/index#/forgot-password

Release : 14.4

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

This was confirmed with our engineering team that this type of configuration would need to be submitted to the communities page as and enhancement.