- Property Manager name: Input Validation Cloudlet
- Behavior version: The v2024-01-09 rule format supports the input_validation behavior v1.5.
- Rule format status: GA, stable
- Access: Read/Write
- Allowed in includes: No (temporarily)
The Input Validation Cloudlet detects anomalous edge requests and helps mitigate repeated invalid requests. You can configure it using either the Cloudlets Policy Manager application, available within Control Center under Your services > Edge logic Cloudlets, or the Cloudlets API.
Use this behavior to specify criteria that identify each unique end user, and optionally supplement the Input Validation policy with additional criteria your origin uses to identify invalid requests. Specify the threshold number of invalid requests that triggers a penalty, and the subsequent response. Also specify an ordinary failure response for those who have not yet met the threshold, which should not conflict with any other behavior that defines a failure response.
Option | Type | Description | Requires
---|---|---|---
enabled | boolean | Applies the Input Validation Cloudlet behavior. |
cloudlet_policy | object | Identifies the Cloudlet policy. |
cloudlet_policy.id | number | Identifies the Cloudlet. |
cloudlet_policy.name | string | The Cloudlet's descriptive name. |
label | string | Distinguishes this Input Validation policy from any others within the same property. |
user_identification_by_cookie | boolean | When enabled, identifies users by the value of a cookie. |
user_identification_key_cookie | string | This specifies the cookie name whose value needs to remain constant across requests to identify a user. | user_identification_by_cookie is true
user_identification_by_ip | boolean | When enabled, identifies users by specific IP address. Do not enable this if you are concerned about DDoS attacks from many different IP addresses. |
user_identification_by_headers | boolean | When enabled, identifies users by specific HTTP headers on GET or POST requests. |
user_identification_key_headers | string array | This specifies the HTTP headers whose combined set of values identify each end user. | user_identification_by_headers is true
user_identification_by_params | boolean | When enabled, identifies users by specific query parameters on GET or POST requests. |
user_identification_key_params | string array | This specifies the query parameters whose combined set of values identify each end user. | user_identification_by_params is true
allow_large_post_body | boolean | Fails POST request bodies that exceed 16 KB when enabled, otherwise allows them to pass with no validation for policy compliance. |
reset_on_valid | boolean | Upon receiving a valid request, enabling this resets the |
validate_on_origin_with | enum | For any validation that edge servers can't perform alone, this specifies additional validation steps based on how the origin identifies an invalid request. If a request is invalid, the origin can indicate this to the edge server. |
DISABLED | | Specify if no additional validation is necessary. |
RESPONSE_CODE | | Use a response code. |
RESPONSE_CODE_AND_HEADER | | Use a response code and header. |
validate_on_origin_header_name | string | If | validate_on_origin_with is RESPONSE_CODE_AND_HEADER
validate_on_origin_header_value | string | If | validate_on_origin_with is RESPONSE_CODE_AND_HEADER
validate_on_origin_response_code | number | Unless | validate_on_origin_with is either: RESPONSE_CODE, RESPONSE_CODE_AND_HEADER
failure302Uri | string | Specifies the redirect link for invalid requests that have not yet triggered a penalty. |
penalty_threshold | number | Specifies the number of invalid requests permitted before executing the |
penalty_action | enum | Once the |
REDIRECT_302 | | A 302 redirect response. |
BLANK_403 | | A 403 response with no body content. |
BRANDED_403 | | A custom 403 response. |
penalty302Uri | string | Specifies the redirect link for end users who trigger the penalty. | penalty_action is REDIRECT_302
penalty_net_storage | object | Specifies the NetStorage account that serves out the penalty's static 403 response content. Details appear in an object featuring a | penalty_action is BRANDED_403
penalty_net_storage.cpCodeList | array | A set of CP codes that apply to this storage group. |
penalty_net_storage.downloadDomainName | string | Domain name from which content can be downloaded. |
penalty_net_storage.id | number | Unique identifier for the storage group. |
penalty_net_storage.name | string | Name of the storage group. |
penalty_net_storage.uploadDomainName | string | Domain name used to upload content. |
penalty403net_storage_path | string | Specifies the full path to the static 403 response content relative to the | penalty_action is BRANDED_403
penalty_branded_deny_cache_ttl | number (5-30) | Specifies the penalty response's time to live in the cache, | penalty_action is BRANDED_403
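
The dependencies in the Requires column can be checked before a rule tree is pushed. The following is an added example, not Akamai code: the function name `lint_input_validation` and the sample values are constructed, and it assumes the options arrive as a flat dict keyed by the option names in the table.

```python
# Added example, not Akamai code: lint an input_validation options dict
# against the "Requires" column above. Names and sample values are constructed.
# (option, activating value, options that must then be set)
REQUIRES = [
    ("user_identification_by_cookie", True, ["user_identification_key_cookie"]),
    ("user_identification_by_headers", True, ["user_identification_key_headers"]),
    ("user_identification_by_params", True, ["user_identification_key_params"]),
    ("validate_on_origin_with", "RESPONSE_CODE", ["validate_on_origin_response_code"]),
    ("validate_on_origin_with", "RESPONSE_CODE_AND_HEADER",
     ["validate_on_origin_response_code", "validate_on_origin_header_name",
      "validate_on_origin_header_value"]),
    ("penalty_action", "REDIRECT_302", ["penalty302Uri"]),
    ("penalty_action", "BRANDED_403",
     ["penalty_net_storage", "penalty403net_storage_path",
      "penalty_branded_deny_cache_ttl"]),
]

def lint_input_validation(opts):
    """Return a list of findings; an empty list means the options are consistent."""
    if not opts.get("enabled"):
        return []  # behavior is not applied, nothing to check
    findings = []
    for flag, value, needed in REQUIRES:
        if opts.get(flag) == value:
            findings += [f"{flag}={value} requires {n}"
                         for n in needed if opts.get(n) in (None, "", [])]
    if opts.get("user_identification_by_ip"):
        findings.append("user_identification_by_ip is on; the table says not to "
                        "enable it if DDoS from many different IPs is a concern")
    action = opts.get("penalty_action")
    if action is not None and action not in ("REDIRECT_302", "BLANK_403", "BRANDED_403"):
        findings.append(f"penalty_action {action!r} is not a listed enum value")
    ttl = opts.get("penalty_branded_deny_cache_ttl")
    if ttl is not None and not 5 <= ttl <= 30:
        findings.append("penalty_branded_deny_cache_ttl must be between 5 and 30")
    return findings

# Constructed sample: cookie identification without a cookie name, TTL out of range.
SAMPLE = {
    "enabled": True, "label": "login-form", "penalty_threshold": 5,
    "user_identification_by_cookie": True, "user_identification_by_ip": True,
    "validate_on_origin_with": "RESPONSE_CODE", "validate_on_origin_response_code": 422,
    "penalty_action": "BRANDED_403",
    "penalty_net_storage": {"id": 1, "name": "example-group"},
    "penalty403net_storage_path": "/errors/403.html",
    "penalty_branded_deny_cache_ttl": 60,
}
```

Calling `lint_input_validation(SAMPLE)` returns three findings: the missing cookie name, the IP-identification note, and the out-of-range cache TTL.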