input_validation

Property Manager name: Input Validation Cloudlet
Behavior version: The v2023-01-05 rule format supports the input_validation behavior v1.5.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: No (temporarily)

The Input Validation Cloudlet detects anomalous edge requests and helps mitigate repeated invalid requests. You can configure it using either the Cloudlets Policy Manager application, available within Control Center under Your services <> Edge logic Cloudlets, or the Cloudlets API.

Use this behavior to specify criteria that identifies each unique end user, and optionally supplement the Input Validation policy with additional criteria your origin uses to identify invalid requests. Specify the threshold number of invalid requests that triggers a penalty, and the subsequent response. Also specify an ordinary failure response for those who have not yet met the threshold, which should not conflict with any other behavior that defines a failure response.

Option	Type	Description	Requires
`enabled`	boolean	Applies the Input Validation Cloudlet behavior.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`cloudlet_policy`	object	Identifies the Cloudlet policy.		{"displayType":"object","tag":"input","todo":true} {"if":{"attribute":"enabled","op":"eq","value":true}}
`cloudlet_policy.id`	number	Identifies the Cloudlet.
`cloudlet_policy.name`	string	The Cloudlet's descriptive name.
`label`	string	Distinguishes this Input Validation policy from any others within the same property.		{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`user_identification_by_cookie`	boolean	When enabled, identifies users by the value of a cookie.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`user_identification_key_cookie`	string	This specifies the cookie name whose value needs to remain constant across requests to identify a user.	`user_identification_by_cookie` is `true`	{"displayType":"string","tag":"input","type":"text"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"userIdentificationByCookie","op":"eq","value":true}]}}
`user_identification_by_ip`	boolean	When enabled, identifies users by specific IP address. Do not enable this if you are concerned about DDoS attacks from many different IP addresses.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`user_identification_by_headers`	boolean	When enabled, identifies users by specific HTTP headers on GET or POST requests.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`user_identification_key_headers`	string array	This specifies the HTTP headers whose combined set of values identify each end user.	`user_identification_by_headers` is `true`	{"displayType":"string array","tag":"input","todo":true} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"userIdentificationByHeaders","op":"eq","value":true}]}}
`user_identification_by_params`	boolean	When enabled, identifies users by specific query parameters on GET or POST requests.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`user_identification_key_params`	string array	This specifies the query parameters whose combined set of values identify each end user.	`user_identification_by_params` is `true`	{"displayType":"string array","tag":"input","todo":true} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"userIdentificationByParams","op":"eq","value":true}]}}
`allow_large_post_body`	boolean	Fails POST request bodies that exceed 16 KB when enabled, otherwise allows them to pass with no validation for policy compliance.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`reset_on_valid`	boolean	Upon receiving a valid request, enabling this resets the `penalty_threshold` counter to zero. Otherwise, even those series of invalid requests that are interrupted by valid requests may trigger the `penalty_action`.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`validate_on_origin_with`	enum	For any validation that edge servers can't perform alone, this specifies additional validation steps based on how the origin identifies an invalid request. If a request is invalid, the origin can indicate this to the edge server.		{"displayType":"enum","options":["DISABLED","RESPONSE_CODE","RESPONSE_CODE_AND_HEADER"],"tag":"select"} {"if":{"attribute":"enabled","op":"eq","value":true}}
	`DISABLED`	Specify if no additional validation is necessary.
	`RESPONSE_CODE`	Use a response code.
	`RESPONSE_CODE_AND_HEADER`	Use a response code and header.
`validate_on_origin_header_name`	string	If `validate_on_origin_with` is set to `RESPONSE_CODE_AND_HEADER`, this specifies the header name for a request that the origin identifies as invalid.	`validate_on_origin_with` is `RESPONSE_CODE_AND_HEADER`	{"displayType":"string","tag":"input","type":"text"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"validateOnOriginWith","op":"eq","value":"RESPONSE_CODE_AND_HEADER"}]}}
`validate_on_origin_header_value`	string	If `validate_on_origin_with` is set to `RESPONSE_CODE_AND_HEADER`, this specifies an invalid request's header value that corresponds to the `validate_on_origin_header_name`.	`validate_on_origin_with` is `RESPONSE_CODE_AND_HEADER`	{"displayType":"string","tag":"input","type":"text"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"validateOnOriginWith","op":"eq","value":"RESPONSE_CODE_AND_HEADER"}]}}
`validate_on_origin_response_code`	number	Unless `validate_on_origin_with` is `DISABLED`, this identifies the integer response code for requests the origin identifies as invalid.	`validate_on_origin_with` is either: `RESPONSE_CODE`, `RESPONSE_CODE_AND_HEADER`	{"displayType":"number","tag":"input","type":"number"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"validateOnOriginWith","op":"in","value":["RESPONSE_CODE","RESPONSE_CODE_AND_HEADER"]}]}}
`failure302Uri`	string	Specifies the redirect link for invalid requests that have not yet triggered a penalty.		{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`penalty_threshold`	number	Specifies the number of invalid requests permitted before executing the `penalty_action`.		{"displayType":"number","tag":"input","type":"number"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`penalty_action`	enum	Once the `penalty_threshold` of invalid requests is met, this specifies the response.		{"displayType":"enum","options":["REDIRECT_302","BLANK_403","BRANDED_403"],"tag":"select"} {"if":{"attribute":"enabled","op":"eq","value":true}}
	`REDIRECT_302`	A 302 redirect response.
	`BLANK_403`	A 403 response with no body content.
	`BRANDED_403`	A custom 403 response.
`penalty302Uri`	string	Specifies the redirect link for end users who trigger the penalty.	`penalty_action` is `REDIRECT_302`	{"displayType":"string","tag":"input","type":"text"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"penaltyAction","op":"eq","value":"REDIRECT_302"}]}}
`penalty_net_storage`	object	Specifies the NetStorage account that serves out the penalty's static 403 response content. Details appear in an object featuring a `downloadDomainName` string member that identifies the NetStorage hostname, and an integer `cpCode` to track the traffic.	`penalty_action` is `BRANDED_403`	{"displayType":"object","tag":"input","todo":true} {"if":{"attribute":"penaltyAction","op":"eq","value":"BRANDED_403"}}
`penalty_net_storage.cpCodeList`	array	A set of CP codes that apply to this storage group.
`penalty_net_storage.downloadDomainName`	string	Domain name from which content can be downloaded.
`penalty_net_storage.id`	number	Unique identifier for the storage group.
`penalty_net_storage.name`	string	Name of the storage group.
`penalty_net_storage.uploadDomainName`	string	Domain name used to upload content.
`penalty403net_storage_path`	string	Specifies the full path to the static 403 response content relative to the `downloadDomainName` in the `penalty_net_storage` object.	`penalty_action` is `BRANDED_403`	{"displayType":"string","tag":"input","type":"text"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"penaltyAction","op":"eq","value":"BRANDED_403"}]}}
`penalty_branded_deny_cache_ttl`	number (5-30)	Specifies the penalty response's time to live in the cache, `5` minutes by default.	`penalty_action` is `BRANDED_403`	{"displayType":"number","max":[30],"min":[5],"tag":"input","type":"range"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"penaltyAction","op":"eq","value":"BRANDED_403"}]}}