inputValidation


The Input Validation Cloudlet detects anomalous edge requests and helps mitigate repeated invalid requests. You can configure it using either the Cloudlets Policy Manager application, available within Control Center under Your services > Edge logic Cloudlets, or the Cloudlets API.

Use this behavior to specify criteria that identify each unique end user, and optionally supplement the Input Validation policy with additional criteria your origin uses to identify invalid requests. Specify the threshold number of invalid requests that triggers a penalty, and the subsequent response. Also specify an ordinary failure response for those who have not yet met the threshold, which should not conflict with any other behavior that defines a failure response.

Option / Type / Description / Requires

enabled boolean

Applies the Input Validation Cloudlet behavior.

cloudletPolicy object

Identifies the Cloudlet policy.

cloudletPolicy.id number

Identifies the Cloudlet.

cloudletPolicy.name string

The Cloudlet's descriptive name.

label string

Distinguishes this Input Validation policy from any others within the same property.

userIdentificationByIp boolean

When enabled, identifies users by specific IP address. Do not enable this if you are concerned about DDoS attacks from many different IP addresses.

userIdentificationByHeaders boolean

When enabled, identifies users by specific HTTP headers on GET or POST requests.

userIdentificationKeyHeaders string array

This specifies the HTTP headers whose combined set of values identify each end user.

Requires: userIdentificationByHeaders is true

userIdentificationByParams boolean

When enabled, identifies users by specific query parameters on GET or POST requests.

userIdentificationKeyParams string array

This specifies the query parameters whose combined set of values identify each end user.

Requires: userIdentificationByParams is true

allowLargePostBody boolean

Fails POST request bodies that exceed 16 KB when enabled, otherwise allows them to pass with no validation for policy compliance.

resetOnValid boolean

Upon receiving a valid request, enabling this resets the penaltyThreshold counter to zero. Otherwise, even a series of invalid requests interrupted by valid requests may trigger the penaltyAction.

validateOnOriginWith enum

For any validation that edge servers can't perform alone, this specifies additional validation steps based on how the origin identifies an invalid request. If a request is invalid, the origin can indicate this to the edge server.

DISABLED

Specify if no additional validation is necessary.

RESPONSE_CODE

Use a response code.

RESPONSE_CODE_AND_HEADER

Use a response code and header.

validateOnOriginHeaderName string

If validateOnOriginWith is set to RESPONSE_CODE_AND_HEADER, this specifies the header name for a request that the origin identifies as invalid.

Requires: validateOnOriginWith is RESPONSE_CODE_AND_HEADER

validateOnOriginHeaderValue string

If validateOnOriginWith is set to RESPONSE_CODE_AND_HEADER, this specifies an invalid request's header value that corresponds to the validateOnOriginHeaderName.

Requires: validateOnOriginWith is RESPONSE_CODE_AND_HEADER

validateOnOriginResponseCode number

Unless validateOnOriginWith is DISABLED, this identifies the integer response code for requests the origin identifies as invalid.

Requires: validateOnOriginWith is either RESPONSE_CODE or RESPONSE_CODE_AND_HEADER

failure302Uri string

Specifies the redirect link for invalid requests that have not yet triggered a penalty.

penaltyThreshold number

Specifies the number of invalid requests permitted before executing the penaltyAction.

penaltyAction enum

Once the penaltyThreshold of invalid requests is met, this specifies the response.

REDIRECT_302

A 302 redirect response.

BLANK_403

A 403 response with no body content.

BRANDED_403

A custom 403 response.

penalty302Uri string

Specifies the redirect link for end users who trigger the penalty.

Requires: penaltyAction is REDIRECT_302

penaltyNetStorage object

Specifies the NetStorage account that serves out the penalty's static 403 response content. Details appear in an object featuring a downloadDomainName string member that identifies the NetStorage hostname, and an integer cpCode to track the traffic.

Requires: penaltyAction is BRANDED_403

penaltyNetStorage.cpCodeList array

A set of CP codes that apply to this storage group.

penaltyNetStorage.downloadDomainName string

Domain name from which content can be downloaded.

penaltyNetStorage.id number

Unique identifier for the storage group.

penaltyNetStorage.name string

Name of the storage group.

penaltyNetStorage.uploadDomainName string

Domain name used to upload content.

penalty403NetStoragePath string

Specifies the full path to the static 403 response content relative to the downloadDomainName in the penaltyNetStorage object.

Requires: penaltyAction is BRANDED_403

penaltyBrandedDenyCacheTtl number (5-30)

Specifies the penalty response's time to live in the cache, 5 minutes by default.

Requires: penaltyAction is BRANDED_403
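
The option dependencies above can be checked before a rule is deployed. The following is an added example, not Akamai's code: a small linter for one inputValidation options object, using only the option names, enum values, TTL range and "Requires" conditions listed on this page. The function name, the sample values and the choice to flag an unset dependent option are assumptions of the example.

```python
# Added example: lint one inputValidation options object against the enums,
# the 5-30 TTL range and the "Requires" conditions listed on this page.
PENALTY_ACTIONS = {"REDIRECT_302", "BLANK_403", "BRANDED_403"}
ORIGIN_MODES = {"DISABLED", "RESPONSE_CODE", "RESPONSE_CODE_AND_HEADER"}
WITH_HEADER = {"RESPONSE_CODE_AND_HEADER"}
# option -> (controlling option, controlling values under which it applies)
REQUIRES = {
    "userIdentificationKeyHeaders": ("userIdentificationByHeaders", {True}),
    "userIdentificationKeyParams": ("userIdentificationByParams", {True}),
    "validateOnOriginHeaderName": ("validateOnOriginWith", WITH_HEADER),
    "validateOnOriginHeaderValue": ("validateOnOriginWith", WITH_HEADER),
    "validateOnOriginResponseCode": ("validateOnOriginWith", ORIGIN_MODES - {"DISABLED"}),
    "penalty302Uri": ("penaltyAction", {"REDIRECT_302"}),
    "penaltyNetStorage": ("penaltyAction", {"BRANDED_403"}),
    "penalty403NetStoragePath": ("penaltyAction", {"BRANDED_403"}),
    "penaltyBrandedDenyCacheTtl": ("penaltyAction", {"BRANDED_403"}),
}
HAS_DEFAULT = {"penaltyBrandedDenyCacheTtl"}  # page: 5 minutes by default

def lint_input_validation(opts):
    """Return sorted findings for an options dict (empty list means clean)."""
    findings = []
    for key, allowed in (("penaltyAction", PENALTY_ACTIONS), ("validateOnOriginWith", ORIGIN_MODES)):
        if key in opts and opts[key] not in allowed:
            findings.append(f"{key}: {opts[key]!r} is not a listed value")
    for opt, (ctrl, values) in REQUIRES.items():
        applies = opts.get(ctrl) in values
        if opt in opts and not applies:
            findings.append(f"{opt}: set, but {ctrl} does not enable it")
        elif applies and opt not in opts and opt not in HAS_DEFAULT:
            # Assumption of this example: an unset dependent option is worth flagging.
            findings.append(f"{opt}: unset while {ctrl} is {opts[ctrl]!r}")
    ttl = opts.get("penaltyBrandedDenyCacheTtl")
    if ttl is not None and not 5 <= ttl <= 30:
        findings.append(f"penaltyBrandedDenyCacheTtl: {ttl} is outside 5-30")
    return sorted(findings)

SAMPLE = {  # constructed sample with placeholder values, not from the page
    "userIdentificationByHeaders": True, "userIdentificationKeyHeaders": ["X-Session-Id"],
    "userIdentificationByParams": False, "userIdentificationKeyParams": ["sid"],
    "validateOnOriginWith": "RESPONSE_CODE_AND_HEADER", "validateOnOriginResponseCode": 400,
    "validateOnOriginHeaderName": "X-Invalid-Input",
    "penaltyThreshold": 5, "penaltyAction": "BRANDED_403", "penalty302Uri": "/blocked",
    "penaltyNetStorage": {"downloadDomainName": "placeholder.example", "cpCodeList": [0]},
    "penalty403NetStoragePath": "/errors/403.html", "penaltyBrandedDenyCacheTtl": 60,
}

if __name__ == "__main__":
    print("\n".join(lint_input_validation(SAMPLE)))
```

The sample deliberately carries four problems: two options whose controlling option does not enable them, an unset header value for origin validation, and a cache TTL outside the documented range.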