input_validation

  • Property Manager name: Input Validation Cloudlet
  • Behavior version: The v2023-10-30 rule format supports the input_validation behavior v1.5.
  • Rule format status: GA, stable
  • Access: Read/Write
  • Allowed in includes: No (temporarily)

The Input Validation Cloudlet detects anomalous edge requests and helps mitigate repeated invalid requests. You can configure it using either the Cloudlets Policy Manager application, available within Control Center under Your services > Edge logic Cloudlets, or the Cloudlets API.

Use this behavior to specify criteria that identify each unique end user, and optionally supplement the Input Validation policy with additional criteria your origin uses to identify invalid requests. Specify the threshold number of invalid requests that triggers a penalty, and the subsequent response. Also specify an ordinary failure response for those who have not yet met the threshold, which should not conflict with any other behavior that defines a failure response.
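As an added illustration (not Akamai code), the following simplified model shows how the per-user key, penalty_threshold and reset_on_valid interact. The request shape, the outcome labels, and the choice to apply the penalty on the request that meets the threshold are assumptions.

```python
from collections import defaultdict


class PenaltyModel:
    """Simplified model (an assumption, not Akamai's implementation) of the counter."""

    def __init__(self, penalty_threshold, reset_on_valid,
                 by_ip=True, key_headers=(), key_params=()):
        self.penalty_threshold = penalty_threshold
        self.reset_on_valid = reset_on_valid
        self.by_ip = by_ip
        self.key_headers = [h.lower() for h in key_headers]
        self.key_params = list(key_params)
        self.invalid = defaultdict(int)  # user key -> invalid requests counted

    def user_key(self, req):
        """Combine the configured identifiers into a single per-user key."""
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        params = req.get("params", {})
        return (req["ip"] if self.by_ip else None,
                tuple(headers.get(h) for h in self.key_headers),
                tuple(params.get(p) for p in self.key_params))

    def handle(self, req, valid):
        """Return 'pass', 'failure_response' or 'penalty_action' for one request."""
        key = self.user_key(req)
        if valid:
            if self.reset_on_valid:
                self.invalid[key] = 0
            return "pass"
        self.invalid[key] += 1
        # Assumption: the penalty applies from the request that meets the threshold.
        if self.invalid[key] >= self.penalty_threshold:
            return "penalty_action"
        return "failure_response"


def replay(model, events):
    """events: list of (request, valid) pairs; returns the outcome of each."""
    return [model.handle(req, valid) for req, valid in events]


# Constructed traffic: one client sends invalid, invalid, valid, invalid.
CLIENT = {"ip": "203.0.113.7", "headers": {"X-Session": "a1"}, "params": {}}
EVENTS = [(CLIENT, False), (CLIENT, False), (CLIENT, True), (CLIENT, False)]

if __name__ == "__main__":
    for reset in (False, True):
        print(reset, replay(PenaltyModel(3, reset_on_valid=reset), EVENTS))
```

With reset_on_valid off, the interleaved valid request does not stop the fourth request from reaching the threshold; with it on, the counter restarts and the client only gets the ordinary failure response.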

| Option | Type | Description | Requires |
|---|---|---|---|
| enabled | boolean | Applies the Input Validation Cloudlet behavior. | |
| cloudlet_policy | object | Identifies the Cloudlet policy. | |
| cloudlet_policy.id | number | Identifies the Cloudlet. | |
| cloudlet_policy.name | string | The Cloudlet's descriptive name. | |
| label | string | Distinguishes this Input Validation policy from any others within the same property. | |
| user_identification_by_ip | boolean | When enabled, identifies users by specific IP address. Do not enable this if you are concerned about DDoS attacks from many different IP addresses. | |
| user_identification_by_headers | boolean | When enabled, identifies users by specific HTTP headers on GET or POST requests. | |
| user_identification_key_headers | string array | This specifies the HTTP headers whose combined set of values identifies each end user. | user_identification_by_headers is true |
| user_identification_by_params | boolean | When enabled, identifies users by specific query parameters on GET or POST requests. | |
| user_identification_key_params | string array | This specifies the query parameters whose combined set of values identifies each end user. | user_identification_by_params is true |
| allow_large_post_body | boolean | Fails POST request bodies that exceed 16 KB when enabled, otherwise allows them to pass with no validation for policy compliance. | |
| reset_on_valid | boolean | Upon receiving a valid request, enabling this resets the penalty_threshold counter to zero. Otherwise, even those series of invalid requests that are interrupted by valid requests may trigger the penalty_action. | |
| validate_on_origin_with | enum | For any validation that edge servers can't perform alone, this specifies additional validation steps based on how the origin identifies an invalid request. If a request is invalid, the origin can indicate this to the edge server. Values: DISABLED: Specify if no additional validation is necessary. RESPONSE_CODE: Use a response code. RESPONSE_CODE_AND_HEADER: Use a response code and header. | |
| validate_on_origin_header_name | string | If validate_on_origin_with is set to RESPONSE_CODE_AND_HEADER, this specifies the header name for a request that the origin identifies as invalid. | validate_on_origin_with is RESPONSE_CODE_AND_HEADER |
| validate_on_origin_header_value | string | If validate_on_origin_with is set to RESPONSE_CODE_AND_HEADER, this specifies an invalid request's header value that corresponds to the validate_on_origin_header_name. | validate_on_origin_with is RESPONSE_CODE_AND_HEADER |
| validate_on_origin_response_code | number | Unless validate_on_origin_with is DISABLED, this identifies the integer response code for requests the origin identifies as invalid. | validate_on_origin_with is either: RESPONSE_CODE, RESPONSE_CODE_AND_HEADER |
| failure302Uri | string | Specifies the redirect link for invalid requests that have not yet triggered a penalty. | |
| penalty_threshold | number | Specifies the number of invalid requests permitted before executing the penalty_action. | |
| penalty_action | enum | Once the penalty_threshold of invalid requests is met, this specifies the response. Values: REDIRECT_302: A 302 redirect response. BLANK_403: A 403 response with no body content. BRANDED_403: A custom 403 response. | |
| penalty302Uri | string | Specifies the redirect link for end users who trigger the penalty. | penalty_action is REDIRECT_302 |
| penalty_net_storage | object | Specifies the NetStorage account that serves out the penalty's static 403 response content. Details appear in an object featuring a downloadDomainName string member that identifies the NetStorage hostname, and an integer cpCode to track the traffic. | penalty_action is BRANDED_403 |
| penalty_net_storage.cpCodeList | array | A set of CP codes that apply to this storage group. | |
| penalty_net_storage.downloadDomainName | string | Domain name from which content can be downloaded. | |
| penalty_net_storage.id | number | Unique identifier for the storage group. | |
| penalty_net_storage.name | string | Name of the storage group. | |
| penalty_net_storage.uploadDomainName | string | Domain name used to upload content. | |
| penalty403net_storage_path | string | Specifies the full path to the static 403 response content relative to the downloadDomainName in the penalty_net_storage object. | penalty_action is BRANDED_403 |
| penalty_branded_deny_cache_ttl | number (5-30) | Specifies the penalty response's time to live in the cache, 5 minutes by default. | penalty_action is BRANDED_403 |
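The Requires column can be checked mechanically before a rule tree is activated. The linter below is an added example, not Akamai code; it takes the behavior's options as a Python dict keyed by the option names in the table, and its findings policy (a dependent option should be present when its condition holds and absent otherwise, and at least one user_identification_by_* option should be on) is an assumption.

```python
RCH = {"RESPONSE_CODE_AND_HEADER"}
REQUIRES = {  # dependent option -> (controlling option, values that activate it)
    "user_identification_key_headers": ("user_identification_by_headers", {True}),
    "user_identification_key_params": ("user_identification_by_params", {True}),
    "validate_on_origin_header_name": ("validate_on_origin_with", RCH),
    "validate_on_origin_header_value": ("validate_on_origin_with", RCH),
    "validate_on_origin_response_code": ("validate_on_origin_with", RCH | {"RESPONSE_CODE"}),
    "penalty302Uri": ("penalty_action", {"REDIRECT_302"}),
    "penalty_net_storage": ("penalty_action", {"BRANDED_403"}),
    "penalty403net_storage_path": ("penalty_action", {"BRANDED_403"}),
}
ENUMS = {
    "validate_on_origin_with": {"DISABLED", "RESPONSE_CODE", "RESPONSE_CODE_AND_HEADER"},
    "penalty_action": {"REDIRECT_302", "BLANK_403", "BRANDED_403"},
}


def lint(opts):
    """Return sorted findings for one option set (added example; policy is an assumption)."""
    if not opts.get("enabled"):
        return []  # every other option only applies when enabled is true
    out = [f"{k}: {opts[k]!r} is not a listed value"
           for k, allowed in ENUMS.items() if k in opts and opts[k] not in allowed]
    for name, (parent, values) in REQUIRES.items():
        active = opts.get(parent) in values
        if active and opts.get(name) in (None, "", []):
            out.append(f"{name}: missing while {parent} is {opts[parent]!r}")
        elif not active and name in opts:
            out.append(f"{name}: set, but its {parent} requirement is not met")
    ttl = opts.get("penalty_branded_deny_cache_ttl")
    if opts.get("penalty_action") == "BRANDED_403" and ttl is not None and not 5 <= ttl <= 30:
        out.append("penalty_branded_deny_cache_ttl: outside the 5-30 range")
    if not any(v for k, v in opts.items() if k.startswith("user_identification_by_")):
        out.append("no user_identification_by_* option is enabled")
    return sorted(out)


SAMPLE = {  # constructed sample options, not taken from a real property
    "enabled": True,
    "user_identification_by_headers": True,          # key headers not supplied
    "validate_on_origin_with": "RESPONSE_CODE",
    "validate_on_origin_response_code": 400,
    "validate_on_origin_header_name": "X-Invalid",   # needs RESPONSE_CODE_AND_HEADER
    "penalty_action": "BRANDED_403",                 # NetStorage details not supplied
    "penalty_branded_deny_cache_ttl": 60,
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```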