Create a rate policy

post https://{hostname}/appsec/v1/configs/{configId}/versions/{versionNumber}/rate-policies

All products Create a new rate policy for a specific configuration version. Now you can match on defined or undefined resources. If you're setting a match for either resource type, both definedResources and undefinedResources must be present in the request object or the request is considered incomplete. When true, match on any defined resources without passing a resourceId. When false, you'll need to pass a resourceId. If you pass definedResources and undefinedResources with empty values, they default to false. You can omit both resources and use this operation without these new match criteria. Contact your account team if you'd like to match on definedResources or undefinedResources.

Path Params

configId

int64

required

A unique identifier for each configuration.

versionNumber

integer

required

A unique identifier for each version of a configuration.

Query Params

accountSwitchKey

string

For customers who manage more than one account, this runs the operation from another account. The Identity and Access Management API provides a list of available account switch keys.

Body Params

additionalMatchOptions

array of objects

The list of additional match conditions.

additionalMatchOptions

apiSelectors

array of objects

The API endpoints to match in incoming requests. This only applies to the api matchType.

apiSelectors

averageThreshold

integer

required

≥ 1

The allowed hits per second during any two-minute interval.

bodyParameters

array of objects

The list of body parameters to match on.

bodyParameters

burstThreshold

integer

required

≥ 1

The allowed hits per second during any five-second interval.

burstWindow

integer

1 to 5

The time span for the burstThreshold interval. For existing rate policies, analyze your traffic in Alert mode before you reduce the measure window from 5 seconds. Learn more about thresholds here.

clientIdentifier

string

required

length ≥ 0

Deprecated The client identifier you want to use to identify and track request senders. The value is required only for WAF type, and api-key is supported only for API match criteria. Using ip-useragent is typically more specific than using ip alone when trying to identify a client. Tracking by cookie:value applies to requests per individual session, even if the IP address changes. This field will be removed in future releases. Use clientIdentifiers instead.

clientIdentifiers

array of strings

length ≥ 0

Client identifiers to track request senders. The value is required only for WAF type, and api-key is supported only for API match criteria. Using ip-useragent is typically more specific than using ip alone when trying to identify a client. Tracking by cookie:value applies to requests per individual session, even if the IP address changes.

clientIdentifiers

condition

object

Contains information about the criteria that trigger the rate policy.

counterType

string

Defaults to per_edge

The rate policy counter type. Either per_edge for rate limiting to work per edge node, or region_aggregated for rate limiting to work using aggregated rate accounting across multiple edge nodes.

description

string

Descriptive text you provide about a policy.

evaluation

object

Contains details about rate policy evaluation.

fileExtensions

object

Contains the file extension match criteria.

hostnames

array of strings

Deprecated. The hostnames to match. This array member is deprecated. Use the hosts object instead.

hostnames

hosts

object

The hostnames to match, and whether to trigger on a match or absence of match.

matchType

string

required

The match type in a rate policy. Either path to match website paths or api to match API paths.

name

string

required

The name you assign to a rate policy.

path

object

Contains details about the path match criteria.

pathMatchType

string

required

The type of paths to match in incoming requests. Either AllRequests to match an empty path or any path that ends in a trailing slash (/), TopLevel to match top-level hostnames only, or Custom to match a specific path or path component. This applies only when the corresponding matchType member is path.

pathUriPositiveMatch

boolean

Whether the condition should trigger on a match (true) or a lack of match (false).

queryParameters

array of objects

The list of query parameter objects to match on.

queryParameters

requestType

string

required

The type of requests to count towards the rate policy's thresholds. Either ClientRequest to count client requests to edge servers, ClientResponse to count edge responses to the client, ForwardResponse to count origin responses to the client, or ForwardRequest to count edge requests to your origin.

sameActionOnIpv6

boolean

required

Whether to apply the same action to the IPv6 traffic as to the IPv4 traffic.

type

string

required

The rate policy type. Either WAF for Web Application Firewall, or BOTMAN for Bot Manager.

useXForwardForHeaders

boolean

Whether to check the contents of the X-Forwarded-For header in incoming requests.

Responses

Response body

object

additionalMatchOptions

array of objects

The list of additional match conditions.

additionalMatchOptions

object

positiveMatch

boolean

required

Whether the condition should trigger on a match (true) or a lack of match (false).

type

string

required

The match condition type. The RequestHeaderCondition listed here is deprecated. Specify RequestHeaderCondition as an atomicCondition to match on request headers. See Export match condition type values.

IpAddressCondition NetworkListCondition RequestHeaderCondition RequestMethodCondition ResponseHeaderCondition ResponseStatusCondition UserAgentCondition AsNumberCondition

values

array of strings

required

The list of values that trigger the condition on match.

values*

apiSelectors

array of objects

The API endpoints to match in incoming requests. This only applies to the api matchType.

apiSelectors

object

apiDefinitionId

integer

required

Uniquely identifies each API endpoint.

definedResources

boolean

When true, match on any resource explicitly added to your API definition without including a resourceId. When false, you'll need to pass a resourceId.

resourceIds

array of integers

The unique identifiers of the endpoint's resources.

resourceIds

undefinedResources

boolean

When true, match on any resource you have not explicitly added to your API definition without including a resourceId. When false, you'll need to pass a resourceId.

averageThreshold

integer

required

≥ 1

The allowed hits per second during any two-minute interval.

bodyParameters

array of objects

The list of body parameters to match on.

bodyParameters

object

name

string

required

The name you assign to a body parameter.

positiveMatch

boolean

required

Whether the condition should trigger on a match (true) or a lack of match (false).

valueInRange

boolean

Whether to match a value inside or outside a range. The range format is min:max — for example, 2:4.

values

array of strings

required

The body parameter values.

values*

burstThreshold

integer

required

≥ 1

The allowed hits per second during any five-second interval.

burstWindow

integer

1 to 5

The time span for the burstThreshold interval. For existing rate policies, analyze your traffic in Alert mode before you reduce the measure window from 5 seconds. Learn more about thresholds here.

clientIdentifier

string

required

length ≥ 0

api-key ip-useragent ip cookie:value

clientIdentifiers

array of strings

length ≥ 0

clientIdentifiers

condition

object

Contains information about the criteria that trigger the rate policy.

atomicConditions

array

length ≥ 1

The conditions that trigger the rate policy. Specify one or more request headers, TLS fingerprints, or client reputation categories.

atomicConditions

positiveMatch

boolean

Whether the condition should trigger on a match (true) or a lack of match (false).

counterType

string

Defaults to per_edge

The rate policy counter type. Either per_edge for rate limiting to work per edge node, or region_aggregated for rate limiting to work using aggregated rate accounting across multiple edge nodes.

per_edge region_aggregated

createDate

date-time

Read-only The time stamp when you created the rate policy.

description

string

Descriptive text you provide about a policy.

evaluation

object

Contains details about rate policy evaluation.

averageThreshold

integer

required

≥ 1

The allowed hits per second during any two-minute interval during evaluation.

burstThreshold

integer

required

≥ 1

The allowed hits per second during any five-second interval during evaluation.

burstWindow

integer

Read-only The time span for the burstThreshold interval used during evaluation. This value is always set to the burstWindow specified by the main rate policy.

counterType

string

Defaults to region_aggregated

The evaluation rate policy counter type. Either per_edge for rate limiting to work per edge node, or region_aggregated for rate limiting to work using aggregated rate accounting across multiple edge nodes.

per_edge region_aggregated

endDate

date-time

Read-only The time stamp when evaluation ends.

evaluationId

integer

Read-only Uniquely identifies an evaluation.

evaluationStatus

string

Read-only Reflects evaluation status, either in_progress, pending_activation, or completed.

in_progress pending_activation completed

startDate

date-time

Read-only The time stamp when evaluation starts.

version

integer

Read-only Evaluation version.

fileExtensions

object

Contains the file extension match criteria.

positiveMatch

boolean

required

Whether the condition should trigger on a match (true) or a lack of match (false).

values

array of strings

required

The file extensions to match on.

values*

hostnames

array of strings

Deprecated. The hostnames to match. This array member is deprecated. Use the hosts object instead.

hostnames

hosts

object

The hostnames to match, and whether to trigger on a match or absence of match.

positiveMatch

boolean

required

Defaults to true

When true, triggers on hostnames that match any hostnames in this array. When false, triggers on hostnames that don't match any in this array.

values

array of strings

required

The hostnames you choose to match, or specifically not match.

values*

integer

Read-only Uniquely identifies each rate policy.

matchType

string

required

The match type in a rate policy. Either path to match website paths or api to match API paths.

path api

name

string

required

The name you assign to a rate policy.

path

object

Contains details about the path match criteria.

positiveMatch

boolean

required

Whether the condition should trigger on a match (true) or a lack of match (false).

values

array of strings

required

The list of paths to match on.

values*

pathMatchType

string

required

AllRequests TopLevel Custom

pathUriPositiveMatch

boolean

Whether the condition should trigger on a match (true) or a lack of match (false).

queryParameters

array of objects

The list of query parameter objects to match on.

queryParameters

object

name

string

required

The query parameter name.

positiveMatch

boolean

required

Whether the condition should trigger on a match (true) or a lack of match (false).

valueInRange

boolean

Whether to match a value inside or outside a range. The range format is min:max — for example, 2:4.

values

array of strings

required

The list of query parameter values.

values*

requestType

string

required

ClientRequest ClientResponse ForwardResponse ForwardRequest

sameActionOnIpv6

boolean

required

Whether to apply the same action to the IPv6 traffic as to the IPv4 traffic.

type

string

required

The rate policy type. Either WAF for Web Application Firewall, or BOTMAN for Bot Manager.

WAF BOTMAN

updateDate

date-time

Read-only The ISO 8601 timestamp when you last updated the rate policy.

useXForwardForHeaders

boolean

Whether to check the contents of the X-Forwarded-For header in incoming requests.

used

boolean

Read-only Whether you're currently using the rate policy.

Language

Authentication

Remember to add your authentication credentials to run this code.

URL


xxxxxxxxxx
14
1
curl --request POST \
2
     --url https://hostname/appsec/v1/configs/configId/versions/versionNumber/rate-policies \
3
     --header 'accept: application/json' \
4
     --header 'content-type: application/json' \
5
     --data '
6
{
7
  "clientIdentifier": "api-key",
8
  "matchType": "path",
9
  "pathMatchType": "AllRequests",
10
  "requestType": "ClientRequest",
11
  "sameActionOnIpv6": true,
12
  "type": "WAF"
13
}
14
'


xxxxxxxxxx
126
}
1
{
2
  "additionalMatchOptions": [
3
    {
4
      "positiveMatch": true,
5
      "type": "IpAddressCondition",
6
      "values": [
7
        "192.0.2.13"
8
      ]
9
    },
10
    {
11
      "positiveMatch": true,
12
      "type": "RequestMethodCondition",
13
      "values": [
14
        "GET"
15
      ]
16
    }
17
  ],
18
  "averageThreshold": 5,
19
  "burstThreshold": 10,
20
  "burstWindow": 3,
21
  "clientIdentifier": "ip",
22
  "clientIdentifiers": [
23
    "ip"
24
  ],
25
  "condition": {

201Successfully created a rate policy.

400Bad request. Invalid request body or URL parameter input.

403Forbidden. You don't have access to rate policies in this security configuration.

404Not found. Security configuration version wasn't found.