Access Rules: An access rule identifies legitimate
traffic and threats through access control lists.
Rate Rules: A rate rule defines the rate of traffic
that may be directed to one or more web sites.
Bot Manager: A bot manager configuration identifies bot traffic.
Custom Rules: A custom rule identifies threats using
custom criteria that take into account your site’s traffic
profile to avoid false positives.
Managed Rules: A managed rule identifies threats
through threat detection policies.
Identifies how the above rules are enforced on rate
limited requests or threats.
Each detected threat is logged regardless of enforcement action (i.e., block, custom response, redirect, or alert). View logged threats from the Threats, Bots, Rates, or Rate Enforcement tabs of the Security dashboard.
Standard security practices dictate that measures should be taken to
prevent sensitive data (e.g., credit card information or passwords)
from being passed as clear text from the client to your origin
server. Another incentive for encrypting sensitive data is that it
will be logged by our system when an alert is triggered as a result
of this data. If sensitive data cannot be encrypted or obfuscated,
then it is strongly recommended to contact our technical customer
support to disable logging for the Matched Value field.
Allows you to keep your applications secure with known
configurations and audit new access rules, custom rules, and managed
rules without impacting production traffic. Use the Threats tab of the Security dashboard to isolate and analyze threats detected as a result of an
audit of new access rules, custom rules, and managed rules.
The ability to secure and audit your production traffic using
separate configurations requires Security Premier, Business, or
Essentials. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.
By default, a Security Application configuration applies to all
hosts. However, you may limit a Security Application
configuration to one or more hosts. Security compares the entire
Host header value against the specified value.
Key information:
The Host header identifies either a hostname or IP
address using the following syntax:
<Host>
<Host>:<Port>
The CDN only accepts HTTP/HTTPS requests on standard ports (i.e., 80
and 443). Typically, a Host request header does not
include port information for standard ports. However, the requesting
user agent defines the Host request header submitted to
the CDN.
For the purpose of this comparison, the hostname defined by this
match condition will not be resolved to an IP address.
For the purpose of this comparison, a customer origin’s HTTP Host
Header option is irrelevant.
Security supports various comparison modes (i.e., exact match, wildcard,
and regular expression).
By default, a Security Application configuration applies to all
URL paths. However, you may limit a Security Application
configuration to one or more URL paths. Security compares the entire URL path
against the specified value.
Key information:
URL path comparisons start directly after the hostname.
/<Path>/<Asset>
Example:
/marketing/brochures/widget.htm
A partial match does not count towards the rate limit.
Example:
Given the above sample configuration, the following request would
not count towards the rate limit:
Your Security Application configuration determines how Security
compares a request’s host or URL path against the specified value. The
available modes are listed below.
Default: Security will not perform a comparison. It will apply
the current Security Application configuration to all hosts
or URL paths.
Wildcard match: Use this mode to specify a
wildcard pattern.
Regex match: Use this mode to specify a regular
expression.
Wildcard and regular expression match comparison modes require Security
Premier, Business, or Essentials. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.
Security compares the specified value(s) against the entire host or URL path.
It will only apply this Security Application configuration to a
request when one of the specified value(s) is an exact match. This
comparison is case-sensitive.
Security checks whether the entire host or URL path is a case-sensitive match
for the wildcard pattern. The supported set of wildcards is listed
below.
*: Matches zero or more characters.
Example: cat*
Matches: cat | category | muscat
Does not match: cAt | Category
?: Matches a single character.
Example: cat?
Matches: cats | muscats
Does not match: Cats | cat
[abc]: Matches a single character defined within the brackets.
Example: [cm]art
Matches: cart | mart
Does not match: tart | start
[a-z]: Matches a single character from the specified range.
Example: [a-z]art
Matches: cart | mart | tart
Does not match: Cart | marT | start
[!abc]: Matches a single character that is not defined within the brackets.
Example: [!cm]art
Matches: Cart | Mart | tart
Does not match: cart | mart | tArt
[!a-z]: Matches a single character that is excluded from the specified range.
Example: [!a-m]art
Matches: Cart | Mart | tart
Does not match: cart | mart | tArt
Example:
Setting the URL path(s) option to the following value allows
Security to apply this Security Application configuration to any
request whose URL path starts with /marketing/:
/marketing/*
The following sample request will match the above pattern:
Identify threats by adding the following rule(s) to your Security
Application configuration:
Access Rules: An access rule identifies
legitimate traffic and threats through access control lists.
Rate Rules: A rate rule identifies
malicious or unnecessary traffic through traffic patterns.
Requests that originate from rate limited clients
will not count towards the rate limit. Upon the expiration of the
time period defined in the Time period option, we will
resume counting these requests. If the client exceeds the rate limit
again, then this action will be reapplied to it for the duration
defined by this option.
A “client” is defined by each rule according to the rate rule’s
Apply rate limit to option. For example, configuring that
option to Any request will apply the selected action to
all requests regardless of the number of requests generated by each
device. Alternatively, identifying clients by IP
address will only apply the selected action to requests
that originate from each IP address that violates the specified rate
limit.
Bot Manager: A bot manager configuration determines how bot traffic will be detected and the enforcement action that will be applied to bot traffic.
Bot Manager Standard is restricted to serving browser challenges.
Custom Rules: A custom rule identifies
threats using custom criteria that take into account your site’s
traffic profile to avoid false positives.
Managed Rules: A managed rule
identifies threats through threat detection policies.
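The rate rule behaviour described above (enforcement lasting for the Time period, enforced requests not being counted, and the effect of the Apply rate limit to option) can be explored with a local model. This is an added example, not Edgio code; the `limit` and `window` parameters, the choice to enforce the request that crosses the limit, and restarting the count from zero after enforcement are assumptions.

```python
from collections import defaultdict, deque


class RateRule:
    """Local model of a rate rule plus its enforcement Time period."""

    def __init__(self, limit, window, time_period, apply_to="IP address"):
        self.limit = limit              # requests allowed per window (assumed)
        self.window = window            # counting window in seconds (assumed)
        self.time_period = time_period  # how long the action stays applied
        self.apply_to = apply_to        # "IP address" or "Any request"
        self.counted = defaultdict(deque)
        self.enforced_until = {}

    def _client(self, ip):
        # "Any request" treats all traffic as a single client.
        return ip if self.apply_to == "IP address" else "*"

    def handle(self, now, ip):
        client = self._client(ip)
        if now < self.enforced_until.get(client, 0):
            return "enforced"           # not counted towards the rate limit
        hits = self.counted[client]
        while hits and hits[0] <= now - self.window:
            hits.popleft()              # forget requests outside the window
        hits.append(now)
        if len(hits) > self.limit:
            self.enforced_until[client] = now + self.time_period
            hits.clear()                # assumption: counting restarts at zero
            return "enforced"
        return "allowed"


def replay(rule, trace):
    """Outcome for each (seconds, client IP) entry of a trace, in order."""
    return [rule.handle(now, ip) for now, ip in trace]


# Constructed trace using documentation address ranges.
NOISY, QUIET = "198.51.100.7", "203.0.113.9"
TRACE = [(0, NOISY), (1, NOISY), (2, NOISY), (3, NOISY),
         (5, NOISY), (5, QUIET), (33, NOISY)]

if __name__ == "__main__":
    for scope in ("IP address", "Any request"):
        rule = RateRule(limit=3, window=10, time_period=30, apply_to=scope)
        print(scope, replay(rule, TRACE))
```

With the client defined by IP address, only the noisy client is enforced; with Any request, the quiet client's request at second 5 is enforced as well.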
You may apply an access, custom, or managed rule in
one of the following modes:
Production: This mode secures your application by allowing
you to choose from a variety of actions through which your security
policy will be enforced.
Audit: This mode allows you to test new security policies
without impacting production traffic. Requests that are identified
as threats are logged. Use the Threats tab of the Security dashboard to analyze detected
threats and check for false positives. You should apply this
security policy to production traffic once you are confident that it
will generate minimal false positives.
Rate rules and Bot Manager may only run in production mode. You cannot run
them in audit mode.
Auditing a profile that is already being applied to production traffic
will cause the same threat to be logged twice.
You may customize how rules that run in production
mode will be enforced. Enforcement is triggered when:
A threat is detected when the security policy defined within an
access rule, custom rule, or managed rule is violated.
A rate limit defined within a rate rule is exceeded.
Security will only generate alerts for rules that run in audit mode. This
enforcement action cannot be customized.
Rate rules and Bot Manager may only run in production mode. You cannot run them
in audit mode.
The available enforcement actions are described below.
Alert Only: Rate limited requests or detected threats will only generate an alert.
Our recommendation for testing new configurations is to use audit mode instead of applying the Alert Only enforcement action to a rule running in production mode.
Security applies a single enforcement action per mode (i.e., production or audit). Once enforcement is triggered for that mode, Security does not perform further evaluation of that request. If you are setting up a rule in production mode, we recommend that you limit your use of the Alert Only enforcement to the shortest amount of time necessary to validate changes to your configuration.
Block Request: Detected threats will be dropped and the client will receive a 403 Forbidden response.
Custom Response: Rate limited requests or detected threats will receive a custom response.
Response Body: Define the payload that will be delivered to the client in response to a detected threat.
This option supports the use of event variables to customize the response according to the detected threat.
Sample payload for a CSS file:
body {
  background-color: #ffffff;
}
HTTP Status Code: Defines the HTTP status code that will be sent to the client.
Custom Response Headers: Defines one or more response headers that will be sent to the client. Define each custom response header on a separate line.
Syntax:
<Name>:<Value>
Example:
MyCustomHeader: True
This option supports the use of event variables to customize the response according to the detected threat.
All characters, including spaces, defined before or after the colon will be treated as a part of the specified header name or value, respectively.
Drop request: Rate rules only. Rate limited requests will be dropped and the client will receive the following response:
HTTP status code: 503 Service Unavailable
Response header: Retry-After: 10 seconds
The Retry-After response header provides a hint to the client as to when service may resume.
Redirect (HTTP 302): Rate limited requests or detected threats will be redirected to the specified URL.
Key information:
The HTTP status code for this response will be a 302 Found.
Set the URL option to the full URL to which rate limited requests or detected threats will be redirected.
A custom response header value or a custom response body may include
variables that describe the event. These variables are described below.
EVENT_ID: Represents the system-defined ID assigned to the request that was identified as a threat. Find out detailed information about the detected threat by passing this ID to the Get Event Log Entry endpoint (REST API).
CLIENT_IP: Represents the IP address of the device that submitted the detected threat.
TIMESTAMP: Represents the date and time at which the detected threat was submitted.
REQUEST_URL: Represents the URL for the request that was deemed a threat.
Add an event variable to a custom response header value or a custom
response body by enclosing it with double curly braces.
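A pre-flight check for the Custom Response Headers option, applying the `<Name>:<Value>` syntax, the rule that spaces around the colon are kept, and the four event variables listed above. This is an added example, not Edgio code; the function name and the sample header lines are constructed, and the header-name check uses the RFC 9110 token characters.

```python
import re

# Event variables listed on this page.
EVENT_VARIABLES = {"EVENT_ID", "CLIENT_IP", "TIMESTAMP", "REQUEST_URL"}
# RFC 9110 "token": the characters allowed in an HTTP field name.
FIELD_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
PLACEHOLDER = re.compile(r"\{\{(.*?)\}\}")


def lint_custom_headers(text):
    """Return (line_number, problem) tuples for a Custom Response Headers value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            findings.append((number, "no colon between name and value"))
            continue
        # Spaces around the colon are kept, so "Name : v" defines the name "Name ".
        if not FIELD_NAME.fullmatch(name):
            findings.append((number, f"invalid header name {name!r}"))
        for variable in PLACEHOLDER.findall(value):
            if variable not in EVENT_VARIABLES:
                findings.append((number, f"unknown event variable {variable!r}"))
        # Braces left over once well-formed placeholders are removed are typos.
        leftover = PLACEHOLDER.sub("", value)
        if "{" in leftover or "}" in leftover:
            findings.append((number, "unbalanced curly braces"))
    return findings


# Constructed sample: lines 3 to 5 each contain one mistake.
SAMPLE = """MyCustomHeader: True
X-Event-Id: {{EVENT_ID}}
X-Client : {{CLIENT_IP}}
X-Url: {{REQUEST_URI}}
X-Seen-At: {TIMESTAMP}}
"""

if __name__ == "__main__":
    for number, problem in lint_custom_headers(SAMPLE):
        print(f"line {number}: {problem}")
```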
The recommended practice is to create a Security Application
configuration that is tuned for each of your applications. This allows
you to apply a restrictive security policy with minimal false positives.
Each Security Application configuration’s host and URL path
conditions determine the set of traffic to which it may be applied. If a
request is eligible to be screened by multiple Security Application
configurations, then Security will screen it using the first eligible
configuration in the list.
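The first-eligible rule can be checked offline against a list of representative requests to find configurations that an earlier, broader entry prevents from ever being used. This is an added example, not Edgio code: the configuration names, hosts and requests are constructed, wildcards are modelled with Python's `fnmatchcase` (case-sensitive, anchored to the whole value), and full-value regex matching is an assumption.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Condition:
    mode: str = "default"   # default | exact | wildcard | regex
    values: tuple = ()
    negative: bool = False  # the "Negative match" option

    def matches(self, value: str) -> bool:
        if self.mode == "default":
            return True     # no comparison is performed
        if self.mode == "exact":
            hit = value in self.values          # entire value, case-sensitive
        elif self.mode == "wildcard":
            hit = any(fnmatchcase(value, p) for p in self.values)
        elif self.mode == "regex":
            # Assumption: the expression must cover the whole value.
            hit = any(re.fullmatch(p, value) for p in self.values)
        else:
            raise ValueError(f"unknown mode: {self.mode}")
        return hit != self.negative


@dataclass
class SecurityApp:
    name: str
    host: Condition
    path: Condition


def first_eligible(apps, host_header, url_path):
    """Name of the first configuration, in list order, whose conditions match."""
    for app in apps:
        if app.host.matches(host_header) and app.path.matches(url_path):
            return app.name
    return None


def shadowed(apps, samples):
    """Configurations that never screen any of the sample requests."""
    winners = {first_eligible(apps, host, path) for host, path in samples}
    return [app.name for app in apps if app.name not in winners]


# Constructed configurations and requests (hypothetical names and hosts).
SITE = SecurityApp("site-wide", Condition("exact", ("www.example.com",)), Condition())
MARKETING = SecurityApp("marketing", Condition("exact", ("www.example.com",)),
                        Condition("wildcard", ("/marketing/*",)))
CATCH_ALL = SecurityApp("catch-all", Condition(), Condition())

SAMPLES = [
    ("www.example.com", "/marketing/brochures/widget.htm"),
    ("www.example.com", "/index.html"),
    ("www.example.com:443", "/index.html"),   # Host header carrying a port
]

if __name__ == "__main__":
    for order in ([SITE, MARKETING, CATCH_ALL], [MARKETING, SITE, CATCH_ALL]):
        print([a.name for a in order], "-> shadowed:", shadowed(order, SAMPLES))
```

Listing the narrower `marketing` configuration before `site-wide` removes the shadowing, and the trailing `catch-all` entry keeps requests whose Host value is not an exact match, such as one that includes a port, under some policy.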
Reorder Security Application configurations by dragging the
desired configuration’s icon to the desired position.
You may create, modify, and delete Security Application
configurations.
Key information:
Administer Security Application configurations from the
Security Application page.
Identify the set of traffic (e.g., all requests or by customer
origin) to which your security policy will be applied by balancing
the need to secure as much traffic as possible with the level of
restrictive measures imposed by it.
The recommended approach is to apply the most restrictive policy to
as much traffic as possible while causing minimal impact to data
delivery.
Rules are administered independently from Security Application
configurations. This allows you to use the same rule within
multiple Security Application configurations. Leverage this
capability to tailor security screening by application or traffic
profile.
Use audit mode to verify that new access rules,
custom rules, and managed rules will not generate substantial false
positives.
It may take up to 2 minutes for an updated Security Application
configuration to be applied across our entire network.
To create a Security Application configuration
Navigate to the Security Application Manager page.
From the Edgio Console, select the desired team space.
From the Security section, click Security Apps.
Click Add New.
In the Name option, type the unique name by which this
Security Application configuration will be identified.
Optional. Identify the set of traffic to which this security policy
will be applied by defining a hostname and/or URL path through the
Hostname and URL path(s) options.
Select one of the following modes:
Default: Use this mode to apply this Security
Application configuration regardless of the request’s
host or URL path.
Exact match (multiple entries): Use this mode to apply
this Security Application configuration to the specified
hostname(s) or URL path(s).
Wildcard match: Use this mode to apply this Security
Application configuration to all hostnames or URL paths
that satisfy the specified wildcard pattern.
Regex match: Use this mode to apply this Security
Application configuration to all hostnames or URL paths
that satisfy the specified regular expression pattern.
Enable the Negative match option to configure a Security
Application configuration to look for requests that do not
match the specified value or pattern.
Optional. Select an access rule through which production traffic
will be screened and determine how threats identified by it are
handled.
If you have not already created the desired access rule, you can
save your Security Application configuration, create an
access rule, edit your
Security Application configuration, and then resume this
procedure.
From the Rules section, click Access Rule.
From the Production Access Rule option, select the
desired access rule.
Optional. From the Action name option, type a name
that describes the enforcement action configuration.
From the Action type option, determine how threats
identified by the access rule selected in step 5.2 will be
handled (i.e., block, alert, redirect, or send a custom
response).
From the Audit Access Rule option, select the desired
access rule.
Filter the Threats tab of the Security dashboard by the above access rule or the audit profile type to track detected threats.
Disable auditing by setting the Audit Managed Rule option
to No Audit Rule.
Optional. Select a rate rule through which production traffic will
be rate limited.
If you have not already created the desired rate rule, you can save
your Security Application configuration, create a rate
rule, edit your Security
Application configuration, and then resume this procedure.
From the Rules section, click Rate Rules.
From the Add Rate Rule option, select the desired
rate rule.
If the selected rate rule contains a condition group, then a
request must satisfy the Security Application
configuration’s host and URL path match conditions and all of
the conditions within at least one condition group in order to
be eligible for rate limiting.
Optional. From the Action name option, type a name
that describes the enforcement action configuration.
From the Action type option, determine how threats
identified by the managed rule selected in step 7.2 will be
handled (i.e., drop request, alert, redirect, or send a custom
response).
Security does not perform further evaluation of a
request once enforcement is
triggered. For this reason, we recommend that you limit your use
of the Alert Only enforcement to the shortest amount
of time necessary to validate changes to your configuration.
From the Time period option, select the time period
for which the action selected in the next step will be applied
to clients that exceed the rate limit defined in the rate rule
selected in step 7.2.
A “client” is defined by each rate rule according to the
Apply rate limit to option. For example, configuring
that option to Any request will apply the selected
action to all requests regardless of the number of requests
generated by each device. Alternatively, identifying clients by
IP Address will only apply the selected action to
requests that originate from each IP address that violates the
specified rate limit.
If you would like to apply an additional rate limit, then repeat
steps 7.2 - 7.5.
Use multiple rate rules to apply different rate limits to
various traffic profiles. Set up this type of configuration
using either a single or multiple Security Application
configurations. If you assign multiple rate rules to a single
Security Application configuration, then each rate rule
should contain one or more condition
group(s).
Optional. Select a bot manager configuration that identifies the set of production traffic that will be secured by Bot Manager.
If you have not already created the desired bot manager configuration, you can save
your Security Application configuration, create a bot manager configuration, edit your Security
Application configuration, and then resume this procedure.
From the Rules section, click Bot Manager.
From the Production Bot Rule option, select the desired bot manager configuration.
Perform the following steps if the selected bot manager configuration uses reCAPTCHA:
Toggle the reCAPTCHA off option to reCAPTCHA on.
If you have not already added Google reCAPTCHA v3 to your site, add it now.
Set the reCAPTCHA Site Key option to the site key provided by Google.
Set the reCAPTCHA Secret Key option to the secret key provided by Google.
Optional. Select a custom rule through which production traffic will
be screened and determine how threats identified by it are handled.
If you have not already created the desired custom rule, you can
save your Security Application configuration, create a
custom rule, edit your
Security Application configuration, and then resume this
procedure.
From the Rules section, click Custom Rule.
From the Production Custom Rule option, select the
desired custom rule.
Optional. From the Action name option, type a name
that describes the enforcement action configuration.
From the Action type option, determine how threats
identified by the custom rule selected in step 9.2 will be
handled (i.e., block, alert, redirect, or send a custom
response).
From the Audit Custom Rule option, select the desired
custom rule.
Filter the Threats tab of the Security dashboard by the above custom rule or the audit profile type to track detected threats.
Disable auditing by setting the Audit Custom Rule option
to No Audit Rule.
Optional. Select a managed rule through which production traffic
will be screened and determine how threats identified by it are
handled.
If you have not already created the desired managed rule, you can
save your Security Application configuration, create a
managed rule, edit
your Security Application configuration, and then resume
this procedure.
From the Rules section, click Managed
Rule.
From the Production Managed Rule option, select the
desired managed rule.
Optional. From the Action name option, type a name
that describes the enforcement action configuration.
From the Action type option, determine how threats
identified by the managed rule selected in step 11.2 will be
handled (i.e., block, alert, redirect, or send a custom
response).
From the Audit Managed Rule option, select the
desired managed rule.
Filter the Threats tab of the Security dashboard by the above managed rule or the audit profile type to track detected threats.
Disable auditing by setting the Audit Managed Rule option
to No Audit Rule.
Click Save.
Click Apply All Changes.
Click Save Changes.
To reorder Security Application configurations
Navigate to the Security Application Manager page.
From the Edgio Console, select the desired team space.
From the Security section, click Security Apps.
Drag the desired
configuration’s icon
to the desired position.
Click Apply All Changes.
Click Save Changes.
If multiple Security Application configurations are applicable
to the same request, then consider updating their host or URL path
conditions to a more restrictive pattern.
Traffic is always screened using the first eligible Security Application
configuration.
To modify a Security Application configuration
Navigate to the Security Application Manager page.
From the Edgio Console, select the desired team space.
From the Security section, click Security Apps.
Click on the desired Security Application configuration.
Make the desired changes.
Click Save.
Click Apply All Changes.
Click Save Changes.
To delete a Security Application configuration
Navigate to the Security Application Manager page.
From the Edgio Console, select the desired team space.
From the Security section, click Security Apps.
Click on the desired Security Application configuration.