
Security App

A Security App configuration:
  • Identifies the set of traffic to which it applies by hostname, a URL path, or both.
  • Defines how threats will be detected through:
    • Access Rules: An access rule identifies legitimate traffic and threats through access control lists.
    • API Security Ruleset: An API Security rule validates the payload for POST, PUT, and PATCH requests against a JSON schema.
    • Rate Rules: A rate rule defines the rate of traffic that may be directed to one or more web sites.
    • Bot Manager: A bot manager configuration identifies bot traffic.
    • Custom Rules: A custom rule identifies threats using custom criteria that takes into account your site’s traffic profile to avoid false positives.
    • Managed Rules: A managed rule identifies threats through threat detection policies.
  • Identifies how the above rules are enforced on rate limited requests or detected threats.
    Each detected threat is logged regardless of enforcement action (i.e., block, custom response, redirect, or alert). View logged threats from the Threats, Bots, Rates, or Rate Enforcement tabs of the Security dashboard.
    Standard security practices dictate that measures should be taken to prevent sensitive data (e.g., credit card information or passwords) from being passed as clear text from the client to your origin server. A further incentive for encrypting sensitive data is that, when it triggers an alert, it is captured in the logged event (in the Matched Value field). If sensitive data cannot be encrypted or obfuscated, then it is strongly recommended to contact our technical customer support to disable logging for the Matched Value field.
  • Allows you to keep your applications secure with known configurations and audit new access rules, API Security rules, custom rules, and managed rules without impacting production traffic. Use the Threats tab of the Security dashboard to isolate and analyze threats detected as a result of an audit of new access rules, API Security rules, custom rules, and managed rules.
    The ability to secure and audit your production traffic using separate configurations requires Security Premier, Business, or Essentials. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.

Traffic Identification

Identify the set of traffic to which a Security App configuration’s rules will be applied by host, URL path, or both.

Host

By default, a Security App configuration applies to all hosts. However, you may limit a Security App configuration to one or more hosts. Security compares the entire Host header value against the specified value.
Key information:
  • The Host header identifies either a hostname or IP address using the following syntax:
    <Host>
    <Host>:<Port>
  • The CDN only accepts HTTP/HTTPS requests on standard ports (i.e., 80 and 443). Typically, a Host request header does not include port information for standard ports. However, the requesting user agent defines the Host request header submitted to the CDN.
  • For the purpose of this comparison, the hostname defined by this match condition will not be resolved to an IP address.
  • For the purpose of this comparison, a customer origin’s HTTP Host Header option is irrelevant.
  • Security supports various comparison modes (i.e., exact match, wildcard, and regular expression).
    Learn more.

URL Path

By default, a Security App configuration applies to all URL paths. However, you may limit a Security App configuration to one or more URL paths. Security compares the entire URL path against the specified value.
Key information:
  • URL path comparisons start directly after the hostname.
    /<Path>/<Asset>
    Example:
    /marketing/brochures/widget.htm
  • A partial match does not satisfy this condition. A request whose URL path merely starts with, or contains, the specified value is not screened by this Security App configuration.
    Example:
    Given the above sample configuration, this Security App configuration would not be applied to the following request:
    http://cdn.example.com/marketing/brochures/widget.html
  • Security supports various comparison modes (i.e., exact match, wildcard, and regular expression).
    Learn more.

Match Comparison Modes

Your Security App configuration determines how Security compares a request’s host or URL path against the specified value. The available modes are listed below.
  • Default: Security will not perform a comparison. It will apply the current Security App configuration to all hosts or URL paths.
  • Exact match (multiple entries): Use this mode to specify each desired value.
  • Wildcard match: Use this mode to specify a wildcard pattern.
  • Regex match: Use this mode to specify a regular expression.
Wildcard and regular expression match comparison modes require Security Premier, Business, or Essentials. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.

Exact Match (Multiple Entries)

Security compares the specified value(s) against the entire host or URL path. It will only apply this Security App configuration to a request when one of the specified value(s) is an exact match. This comparison is case-sensitive.
Sample Configuration:
cat
bat
Matches:
cat
bat
Does Not Match:
Cat
Bat
Category
Moscato
Batch

Wildcard Match

Edgio Security checks whether the entire host or URL path is a case-sensitive match for the wildcard pattern. Because the whole value must match, a pattern that is meant to match values with an arbitrary prefix must itself begin with *. The supported set of wildcards is listed below.
  • *: Matches zero or more characters.
    • Example: cat*
    • Matches: cat | category | cats
    • Does not match: cAt | Category | muscat
  • ?: Matches exactly one character.
    • Example: cat?
    • Matches: cats | cat7
    • Does not match: Cats | cat | muscats
  • [abc]: Matches a single character defined within the brackets.
    • Example: [cm]art
    • Matches: cart | mart
    • Does not match: tart | start
  • [a-z]: Matches a single character from the specified range.
    • Example: [a-z]art
    • Matches: cart | mart | tart
    • Does not match: Cart | marT | start
  • [!abc]: Matches a single character that is not defined within the brackets.
    • Example: [!cm]art
    • Matches: Cart | Mart | tart
    • Does not match: cart | mart | tArt
  • [!a-z]: Matches a single character that is excluded from the specified range.
    • Example: [!a-m]art
    • Matches: Cart | Mart | tart
    • Does not match: cart | mart | tArt
Example:
Setting the URL path(s) option to the following value allows Edgio Security to apply this Security App configuration to any request whose URL path starts with /marketing/: /marketing/*
The following sample request will match the above pattern:
https://cdn.example.com/marketing/mycampaign/image.png

Regex Match

Security checks whether the entire host or URL path is a match for the pattern defined in a regular expression.
Regular expressions are case-sensitive.
Sample Configuration:
^[a-zA-Z0-9]*$
Matches:
cat
CAT7
Category
Does Not Match:
Category 7
Cat#7

Threat Detection

Identify threats by adding the following rule(s) to your Security App configuration:
  • Access Rules: An access rule identifies legitimate traffic and threats through access control lists.
  • API Security Ruleset: An API Security rule identifies threats by validating the payload of POST, PUT, and PATCH requests against a JSON schema.
  • Rate Rules: A rate rule identifies malicious or unnecessary traffic through traffic patterns.
    Requests that originate from rate limited clients will not count towards the rate limit. Upon the expiration of the time period defined in the Time period option, we will resume counting these requests. If the client exceeds the rate limit again, then this action will be reapplied to it for the duration defined by this option.
    A “client” is defined by each rule according to the rate rule’s Apply rate limit to option. For example, configuring that option to Any request will apply the selected action to all requests regardless of the number of requests generated by each device. Alternatively, identifying clients by IP address will only apply the selected action to requests that originate from each IP address that violates the specified rate limit.
  • Bot Manager: A bot manager configuration determines how bot traffic will be detected and the enforcement action that will be applied to bot traffic.
    Bot Manager Standard is restricted to serving browser challenges.
  • Custom Rules: A custom rule identifies threats using custom criteria that takes into account your site’s traffic profile to avoid false positives.
  • Managed Rules: A managed rule identifies threats through threat detection policies.
You may apply an access, custom, or managed rule in one of the following modes:
  • Production: This mode secures your application by allowing you to choose from a variety of actions through which your security policy will be enforced.
  • Audit: This mode allows you to test new security policies without impacting production traffic. Requests that are identified as threats are logged. Use the Threats tab of the Security dashboard to analyze detected threats and check for false positives. You should apply this security policy to production traffic once you are confident that it will generate minimal false positives.
    Rate rules and Bot Manager may only run in production mode. You cannot run them in audit mode.
Auditing a profile that is already being applied to production traffic will cause the same threat to be logged twice.
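The rate rule semantics described above (a rate limited client's requests are not counted while the action is in effect, counting resumes when the Time period expires, and the action is reapplied if the limit is exceeded again; "client" is defined by the Apply rate limit to option) are easiest to reason about as a small state machine. The following is an added example written for this page; it is not platform code. The sliding-window counter, the 3 requests per second threshold, the 60 second time period and the sample IP addresses are all this example's own assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class RateRuleSimulator:
    """Models the counting and enforcement semantics described above.

    limit / window_seconds stand in for the rate rule's threshold (assumed here to be
    a sliding window; the page does not describe the counting method),
    enforcement_seconds is the Security App configuration's 'Time period' option and
    key_by is the rate rule's 'Apply rate limit to' option ("ip" or "any")."""
    limit: int
    window_seconds: float
    enforcement_seconds: float
    key_by: str = "ip"                       # "ip" = per client IP, "any" = Any request
    action: str = "drop"                     # the configured enforcement action
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _enforced_until: Dict[str, float] = field(default_factory=dict)

    def _client_key(self, client_ip: str) -> str:
        # 'Any request' means every device shares one counter and one enforcement state.
        return client_ip if self.key_by == "ip" else "*"

    def handle(self, now: float, client_ip: str) -> str:
        """Return the action applied to one request: 'allow' or self.action."""
        key = self._client_key(client_ip)
        until = self._enforced_until.get(key)
        if until is not None:
            if now < until:
                # Still rate limited: apply the action; this request is NOT counted.
                return self.action
            # Time period expired: resume counting from a clean slate.
            del self._enforced_until[key]
            self._hits[key].clear()
        hits = self._hits[key]
        hits.append(now)
        while hits and hits[0] <= now - self.window_seconds:
            hits.popleft()                   # drop samples that fell out of the window
        if len(hits) > self.limit:
            # Limit exceeded (again): (re)apply the action for the whole time period.
            self._enforced_until[key] = now + self.enforcement_seconds
            hits.clear()
            return self.action
        return "allow"


def replay(sim: RateRuleSimulator, requests: List[Tuple[float, str]]) -> List[str]:
    """Feed (timestamp, client_ip) pairs in order and collect the action for each."""
    return [sim.handle(t, ip) for t, ip in requests]


# Constructed sample traffic (hypothetical addresses): 10.0.0.1 bursts past
# 3 requests/second twice, 10.0.0.2 sends a single request.
SAMPLE_TRAFFIC = [
    (0.0, "10.0.0.1"), (0.1, "10.0.0.1"), (0.2, "10.0.0.1"), (0.3, "10.0.0.1"),
    (0.4, "10.0.0.2"),
    (5.0, "10.0.0.1"),                                    # still inside the time period
    (61.0, "10.0.0.1"), (61.1, "10.0.0.1"), (61.2, "10.0.0.1"), (61.3, "10.0.0.1"),
    (70.0, "10.0.0.1"),                                   # inside the second time period
]


def simulate(key_by: str = "ip") -> List[str]:
    sim = RateRuleSimulator(limit=3, window_seconds=1.0, enforcement_seconds=60.0,
                            key_by=key_by)
    return replay(sim, SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for mode in ("ip", "any"):
        print(mode, simulate(mode))
```

With Apply rate limit to set to IP address, only 10.0.0.1 is affected and its requests at 5.0 s are dropped without being counted; at 61.0 s counting resumes, the second burst trips the limit again, and the action is reapplied. With Any request, the single shared counter means 10.0.0.2's request at 0.4 s is dropped as well, even though that device sent one request.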

Enforcement

You may customize how rules that run in production mode will be enforced. Enforcement is triggered when:
  • A threat is detected when the security policy defined within an access rule, custom rule, or managed rule is violated.
  • A rate limit defined within a rate rule is exceeded.
Edgio Security will only generate alerts for rules that run in audit mode. This enforcement action cannot be customized.
Rate rules and Bot Manager may only run in production mode. You cannot run them in audit mode.
The available enforcement actions are described below.
  • Alert Only: Rate limited requests or detected threats will only generate an alert.
    Our recommendation for testing new configurations is to use audit mode instead of applying the Alert Only enforcement action to a rule running in production mode.
    Security applies a single enforcement action per mode (i.e., production or audit). Once enforcement is triggered for that mode, Security does not perform further evaluation of that request. If you are setting up a rule in production mode, we recommend that you limit your use of the Alert Only enforcement to the shortest amount of time necessary to validate changes to your configuration.
  • Block Request: Detected threats will be dropped and the client will receive a 403 Forbidden response.
  • Custom Response: Rate limited requests or detected threats will receive a custom response.
    • Response Body: Define the payload that will be delivered to the client in response to a detected threat.
      This option supports the use of event variables to customize the response according to the detected threat.
      Sample payload for a CSS file:
      body {
          background-color: #ffffff;
      }
    • HTTP Status Code: Defines the HTTP status code that will be sent to the client.
    • Custom Response Headers: Defines one or more response headers that will be sent to the client. Add a custom response header by clicking + Add Response Header, setting the Name option to the name of the response header, and then setting the Value option to the response header value.
      This option supports the use of event variables to customize the response according to the detected threat.
      All characters, including spaces, will be treated as a part of the specified header name or value, respectively.
  • Drop request: Rate rules only. Rate limited requests will be dropped and the client will receive the following response:
    • HTTP status code: 503 Service Unavailable
    • Response header: Retry-After: 10
    The Retry-After response header provides a hint to the client as to when service may resume (in this case, after 10 seconds).
  • Redirect (HTTP 302): Rate limited requests or detected threats will be redirected to the specified URL.
    Key information:
    • The HTTP status code for this response will be a 302 Found.
    • Set the URL option to the full URL to which rate limited requests or detected threats will be redirected.
      Example: http://cdn.mydomain.com/marketing/busy.html

Event Variables

A custom response header value or a custom response body may include variables that describe the event. These variables are described below.
  • EVENT_ID: Represents the system-defined ID assigned to the request that was identified as a threat. Find out detailed information about the detected threat by passing this ID to the Get Event Log Entry endpoint (REST API).
  • CLIENT_IP: Represents the IP address of the device that submitted the detected threat.
  • TIMESTAMP: Represents the date and time at which the detected threat was submitted.
  • REQUEST_URL: Represents the URL for the request that was deemed a threat.
Add an event variable to a custom response header value or a custom response body by enclosing it with double curly braces.
Example:
{{EVENT_ID}}
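Two details in the Custom Response description above are easy to get wrong: every character of a header name or value, spaces included, is sent as-is, and REQUEST_URL is taken from the client's request, so a body that reflects it is reflecting client-controlled input. The following added example (written for this page, not platform code) checks a custom response configuration for those problems before it is saved and previews how the placeholders expand. Whether the platform escapes variable values is not stated on this page; the check conservatively assumes it does not. The sample event values, header names and body are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# The four event variables documented above; {{NAME}} is the documented placeholder form.
EVENT_VARIABLES = ("EVENT_ID", "CLIENT_IP", "TIMESTAMP", "REQUEST_URL")
PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")
# RFC 7230 'token' characters: the only characters permitted in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _unknown_variables(text: str, where: str) -> List[str]:
    return ["%s: unknown event variable {{%s}}" % (where, v)
            for v in PLACEHOLDER.findall(text) if v not in EVENT_VARIABLES]


def validate_custom_response(status: int, headers: Dict[str, str], body: str,
                             body_is_html: bool) -> List[str]:
    """Pre-save checks for a Custom Response action. Returns a list of findings;
    an empty list means nothing was flagged."""
    findings: List[str] = []
    if not 200 <= status <= 599:
        findings.append(f"status {status} is not a valid HTTP status code")
    for name, value in headers.items():
        # Nothing is trimmed: a stray space becomes part of the header name or value.
        if name != name.strip() or value != value.strip():
            findings.append(f"header {name!r}: leading/trailing whitespace is sent verbatim")
        if not TOKEN.match(name.strip()):
            findings.append(f"header {name!r}: name contains non-token characters")
        if "\r" in value or "\n" in value:
            findings.append(f"header {name!r}: CR/LF in value")
        findings += _unknown_variables(value, f"header {name!r}")
    findings += _unknown_variables(body, "body")
    if body_is_html and "{{REQUEST_URL}}" in body:
        # Assumption: the value is inserted unescaped, so an attacker who triggers the
        # rule with a crafted URL controls part of the HTML this body delivers.
        findings.append("body: REQUEST_URL reflected into HTML; it is client-controlled")
    return findings


def render_preview(headers: Dict[str, str], body: str,
                   event: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Expand {{VARIABLE}} placeholders with a sample event to preview the delivered
    response. Unknown placeholders are left untouched; values are inserted verbatim."""
    def expand(text: str) -> str:
        return PLACEHOLDER.sub(lambda m: event.get(m.group(1), m.group(0)), text)
    return {k: expand(v) for k, v in headers.items()}, expand(body)


# Constructed sample event and configuration (not real data). Note the trailing space
# in the second header name and the script fragment an attacker could put in the URL.
SAMPLE_EVENT = {
    "EVENT_ID": "0123456789abcdef",
    "CLIENT_IP": "198.51.100.23",
    "TIMESTAMP": "2024-01-01T00:00:00Z",
    "REQUEST_URL": "https://cdn.example.com/login?next=<script>alert(1)</script>",
}
SAMPLE_HEADERS = {"X-Security-Event-Id": "{{EVENT_ID}}", "Retry-After ": "60"}
SAMPLE_BODY = ("<html><body>Blocked. Reference {{EVENT_ID}}; "
               "you requested {{REQUEST_URL}}</body></html>")


if __name__ == "__main__":
    for finding in validate_custom_response(403, SAMPLE_HEADERS, SAMPLE_BODY, True):
        print("finding:", finding)
    hdrs, rendered = render_preview(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_EVENT)
    print(hdrs)
    print(rendered)
```

A header such as X-Security-Event-Id: {{EVENT_ID}} is the practical way to use these variables: the client (or your support desk) gets an opaque reference that can be passed to the Get Event Log Entry endpoint, without the response body revealing anything about the request that triggered the rule.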

Order of Precedence

The recommended practice is to create a Security App configuration that is tuned for each of your applications. This allows you to apply a restrictive security policy with minimal false positives. Each Security App configuration’s host and URL path conditions determine the set of traffic to which it may be applied. If a request is eligible to be screened by multiple Security App configurations, then Security will screen it using the first eligible configuration in the list.
Reorder Security App configurations by dragging the desired configuration's drag-handle icon to the desired position.
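The match comparison modes described under Traffic Identification (exact, wildcard and regex, each compared against the entire Host header value or URL path, case-sensitively, with an optional Negative match) and the first-eligible-wins rule described under Order of Precedence combine into one selection function. The following added example (written for this page; it is not the platform's implementation and the wildcard-to-regex translation is the example's own) runs that selection over a constructed list of configurations. The configuration names, hostnames and paths are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def wildcard_to_regex(pattern: str) -> str:
    """Translate the wildcard grammar described under Wildcard Match (*, ?, [abc],
    [a-z], [!abc], [!a-z]) into a Python regular expression. Every other character
    is matched literally. This translation is the example's own, not the platform's."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            close = pattern.find("]", i + 2)          # a ']' right after '[' is a member
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if body:
                out.append("[" + ("^" if negate else "") + body.replace("\\", "\\\\") + "]")
                i = close
            else:
                out.append(re.escape(c))              # unterminated or empty class: literal
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


@dataclass(frozen=True)
class MatchCondition:
    """One Hostname or URL path(s) condition of a Security App configuration."""
    mode: str                                 # "default" | "exact" | "wildcard" | "regex"
    values: Tuple[str, ...] = ()
    negative: bool = False                    # the 'Negative match' option

    def matches(self, subject: str) -> bool:
        if self.mode == "default":
            return True                       # no comparison: applies to every host / path
        if self.mode == "exact":
            hit = subject in self.values      # whole value, case-sensitive
        elif self.mode == "wildcard":
            hit = any(re.fullmatch(wildcard_to_regex(v), subject) for v in self.values)
        elif self.mode == "regex":
            hit = any(re.fullmatch(v, subject) for v in self.values)
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        return hit != self.negative


@dataclass(frozen=True)
class SecurityApp:
    name: str
    host: MatchCondition
    path: MatchCondition


def select_security_app(apps: Sequence[SecurityApp], host_header: str,
                        url_path: str) -> Optional[str]:
    """Return the name of the first configuration, in list order, whose host and URL
    path conditions both accept the request, or None if none is eligible. The entire
    Host header value is compared, so a port the client sent is part of the subject."""
    for app in apps:
        if app.host.matches(host_header) and app.path.matches(url_path):
            return app.name
    return None


# Constructed sample ordering: most specific first, then a broad one, then a
# negative-match catch-all that deliberately leaves /healthz unscreened.
SAMPLE_APPS = (
    SecurityApp("api-strict",
                MatchCondition("exact", ("api.example.com",)),
                MatchCondition("wildcard", ("/v1/*",))),
    SecurityApp("marketing",
                MatchCondition("default"),
                MatchCondition("wildcard", ("/marketing/*",))),
    SecurityApp("everything-but-healthz",
                MatchCondition("default"),
                MatchCondition("exact", ("/healthz",), negative=True)),
)


if __name__ == "__main__":
    for host, path in (("api.example.com", "/v1/users"),
                       ("api.example.com:443", "/v1/users"),
                       ("www.example.com", "/Marketing/x"),
                       ("www.example.com", "/healthz")):
        print(host, path, "->", select_security_app(SAMPLE_APPS, host, path))
```

The second and third sample requests show the two traps a practitioner should test for before relying on the ordering: a client that sends Host: api.example.com:443 falls past the exact-match configuration (because the whole header value, port included, is compared) and is screened by the catch-all, and /Marketing/x misses the marketing configuration because the comparison is case-sensitive.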

Security App Administration

You may create, modify, and delete Security App configurations.
Key information:
  • Administer Security App configurations from the Security App page.
  • Identify the set of traffic (e.g., all requests, or only requests for specific hostnames or URL paths) to which your security policy will be applied by balancing the need to secure as much traffic as possible with the level of restrictive measures imposed by it.
    The recommended approach is to apply the most restrictive policy to as much traffic as possible while causing minimal impact to data delivery.
  • Apply access rules, API Security rulesets, rate rules, bot manager configurations, custom rules, and managed rules to production traffic by adding them to a Security App configuration and then determining how each will be enforced.
    Rules are administered independently from Security App configurations. This allows you to use the same rule within multiple Security App configurations. Leverage this capability to tailor security screening by application or traffic profile.
  • Use audit mode to verify that new access rules, API Security rules, custom rules, and managed rules will not generate substantial false positives.
  • It may take up to 2 minutes for an updated Security App configuration to be applied across our entire network.
To create a Security App configuration
  1. Navigate to the Security App page.
    1. From the Edgio Console, select the desired organization.
    2. From the Security section, click Security Apps.
  2. Click Add New.
  3. In the Name option, type the unique name by which this Security App configuration will be identified.
  4. Optional. Identify the set of traffic to which this security policy will be applied by defining a hostname and/or URL path through the Hostname and URL path(s) options.
    Select one of the following modes:
    • Default: Use this mode to apply this Security App configuration regardless of the request’s host or URL path.
    • Exact match (multiple entries): Use this mode to apply this Security App configuration to the specified hostname(s) or URL path(s).
      Learn more.
    • Wildcard match: Use this mode to apply this Security App configuration to all hostnames or URL paths that satisfy the specified wildcard pattern.
      Learn more.
    • Regex match: Use this mode to apply this Security App configuration to all hostnames or URL paths that satisfy the specified regular expression pattern.
      Learn more.
    Enable the Negative match option to configure a Security App configuration to look for requests that do not match the specified value or pattern.
  5. Optional. Select an access rule through which production traffic will be screened and determine how threats identified by it are handled.
    1. From the Rules section, click Access Rule.
    2. From the Production Access Rule option, select the desired access rule.
    3. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    4. From the Action type option, determine how threats identified by the access rule selected in step 5.2 will be handled (i.e., block, alert, redirect, or send a custom response).
      Learn more.
  6. Optional. Audit production traffic using a new access rule.
    1. From the Rules section, click Access Rule.
    2. From the Audit Access Rule option, select the desired access rule.
    Filter the Threats tab of the Security dashboard by the above access rule or the audit profile type to track detected threats.
    Disable auditing by setting the Audit Access Rule option to No Audit Rule.
  7. Optional. Select an API Security ruleset through which production traffic will be screened and determine how threats identified by it are handled.
    1. From the Rules section, click API Security Rule.
    2. From the Production API Security Rule option, select the desired API Security ruleset.
    3. From the Action type option, determine how threats identified by the API Security ruleset selected in step 7.2 will be handled (i.e., block, alert, redirect, or send a custom response).
      Learn more.
  8. Optional. Audit production traffic using a new API Security ruleset.
    1. From the Rules section, click API Security Rule.
    2. From the Audit API Security Rule option, select the desired API Security ruleset.
    Filter the Threats tab of the Security dashboard by the above API Security ruleset or the audit profile type to track detected threats.
    Disable auditing by setting the Audit API Security Rule option to No Audit Rule.
  9. Optional. Select a rate rule through which production traffic will be rate limited.
    1. From the Rules section, click Rate Rules.
    2. From the Add Rate Rule option, select the desired rate rule.
      If the selected rate rule contains a condition group, then a request must satisfy the Security App configuration’s host and URL path match conditions and all of the conditions within at least one condition group in order to be eligible for rate limiting.
    3. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    4. From the Action type option, determine how threats identified by the rate rule selected in step 9.2 will be handled (i.e., drop request, alert, redirect, or send a custom response).
      Learn more.
      Security does not perform further evaluation of a request once enforcement is triggered. For this reason, we recommend that you limit your use of the Alert Only enforcement to the shortest amount of time necessary to validate changes to your configuration.
    5. From the Time period option, select the time period for which the action selected in the next step will be applied to clients that exceed the rate limit defined in the rate rule selected in step 9.2.
      A “client” is defined by each rate rule according to the Apply rate limit to option. For example, configuring that option to Any request will apply the selected action to all requests regardless of the number of requests generated by each device. Alternatively, identifying clients by IP Address will only apply the selected action to requests that originate from each IP address that violates the specified rate limit.
    6. If you would like to apply an additional rate limit, then repeat steps 9.2 - 9.5.
      Use multiple rate rules to apply different rate limits to various traffic profiles. Set up this type of configuration using either a single or multiple Security App configurations. If you assign multiple rate rules to a single Security App configuration, then each rate rule should contain one or more condition group(s).
  10. Optional. Select a bot manager configuration that identifies the set of production traffic that will be secured by Bot Manager.
    1. From the Rules section, click Bot Manager.
    2. From the Production Bot Rule option, select the desired bot manager configuration.
    3. Perform the following steps if the selected bot manager configuration uses reCAPTCHA:
      1. Toggle the reCAPTCHA off option to reCAPTCHA on.
      2. If you have not already added Google reCAPTCHA v3 to your site, add it now.
      3. Set the reCAPTCHA Site Key option to the site key provided by Google.
      4. Set the reCAPTCHA Secret Key option to the secret key provided by Google.
  11. Optional. Select a custom rule through which production traffic will be screened and determine how threats identified by it are handled.
    1. From the Rules section, click Custom Rule.
    2. From the Production Custom Rule option, select the desired custom rule.
    3. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    4. From the Action type option, determine how threats identified by the custom rule selected in step 11.2 will be handled (i.e., block, alert, redirect, or send a custom response).
      Learn more.
  12. Optional. Audit production traffic using a new custom rule.
    1. From the Rules section, click Custom Rule.
    2. From the Audit Custom Rule option, select the desired custom rule.
    Filter the Threats tab of the Security dashboard by the above custom rule or the audit profile type to track detected threats.
    Disable auditing by setting the Audit Custom Rule option to No Audit Rule.
  13. Optional. Select a managed rule through which production traffic will be screened and determine how threats identified by it are handled.
    1. From the Rules section, click Managed Rule.
    2. From the Production Managed Rule option, select the desired managed rule.
    3. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    4. From the Action type option, determine how threats identified by the managed rule selected in step 13.2 will be handled (i.e., block, alert, redirect, or send a custom response).
      Learn more.
  14. Optional. Audit production traffic using a new managed rule.
    1. From the Rules section, click Managed Rule.
    2. From the Audit Managed Rule option, select the desired managed rule.
    Filter the Threats tab of the Security dashboard by the above managed rule or the audit profile type to track detected threats.
    Disable auditing by setting the Audit Managed Rule option to No Audit Rule.
  15. Click Save.
  16. Click Accept All Changes.
  17. Click Save Changes.
To reorder Security App configurations
  1. Navigate to the Security App page.
    1. From the Edgio Console, select the desired organization.
    2. From the Security section, click Security Apps.
  2. Drag the desired configuration's drag-handle icon to the desired position.
  3. Click Accept All Changes.
  4. Click Save Changes.
If multiple Security App configurations are applicable to the same request, then consider updating their host or URL path conditions to a more restrictive pattern.
Traffic is always screened using the first eligible Security App configuration.
To modify a Security App configuration
  1. Navigate to the Security App page.
    1. From the Edgio Console, select the desired organization.
    2. From the Security section, click Security Apps.
  2. Click on the desired Security App configuration.
  3. Make the desired changes.
  4. Click Save.
  5. Click Accept All Changes.
  6. Click Save Changes.
To delete a Security App configuration
  1. Navigate to the Security App page.
    1. From the Edgio Console, select the desired organization.
    2. From the Security section, click Security Apps.
  2. Click on the desired Security App configuration.
  3. Click Delete.
  4. When prompted, confirm the deletion by clicking Confirm.
  5. Click Accept All Changes.
  6. Click Save Changes.