enforceMtlsSettings

Property Manager name: Enforce mTLS settings
Behavior version: The v2026-01-09 rule format supports the enforceMtlsSettings behavior v1.0.
Rule format status: Deprecated, outdated rule format
Access: Read/Write
Allowed in includes: Yes

This behavior repeats mTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or clientCertificate criteria to the same rule.

Option	Type	Description	Requires
`enableAuthSet`	boolean	Enables the Enforce mTLS Settings checks for this request.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`certificateAuthoritySet`	string	Specifies at least one of the CA sets defined in the mTLS Edge Truststore. If a client certificate isn't present or it doesn't match any of the specified CA sets, an error occurs.	`enableAuthSet` is `true`	{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`enableOcspStatus`	boolean	Whether to validate if the client certificate successfully passed OCSP revocation checks.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`enableDenyRequest`	boolean	Specifies the action to take if `enableOcspStatus` or `enableAuthSet` fails. Set this to `true` to deny the request and send a generic HTTP 403 Forbidden response to the client. Set it to `false` to allow the property to process the request.	`enableAuthSet` is `true` OR `enableOcspStatus` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"or","params":[{"attribute":"enableAuthSet","op":"eq","value":true},{"attribute":"enableOcspStatus","op":"eq","value":true}]}}