Credentials Intelligence: Enforcer Integration Guidelines
This section details all the required features that should be configured in the Enforcer (server-side integration) for Credential Intelligence to work.
Supported Enforcer Types
Akamai EdgeWorker Enforcer
Apache - C Module
AWS Lambda Edge
AWS API Gateway Lambda Authorizer
Cloudflare Worker
Fastly
GO
Salesforce Commerce Cloud Cartridge
Java
NGINX - C Module
NGINX - LUA Module
Node.JS Express
PHP
Required Configurations
Step 1: Enable the Credential Extraction Flag
This is a boolean flag on the enforcer configuration to enable the product.
Click here to review an example of Cloudflare configuration.
Step 2: Configure the Credential Extraction Paths
This is an array of extraction configurations that detail which requests carry credentials and how to extract the credentials from those requests. Note that it is important to configure all authentication paths, including account login, new account creation, and password reset/change (for more information on the authentication path guidelines, click here to view top questions during onboarding). Click here to review an example of Cloudflare configuration.
Note: It may be necessary to configure sensitive routes to include all login paths for older enforcer versions.
Click here to review an example for Cloudflare configuration.
Step 3: Configure the Method to Retrieve the Response Status (Fail/Pass)
This is a series of configurations that determine how to report, on the additional_s2s activity, whether the login request was successful or not. Note that configuring the additional_s2s activity allows us to quantify the number of compromised accounts that were observed active on the app.
Click here to review an example of Cloudflare configuration.
Step 4: Configure Multi-Step Logins if Applicable
This step is required only for multi-step authentication methods. Only when usernames and passwords are sent in separate HTTP requests should the px_credentials_intelligence_version configuration value be set to multistep_sso.
Note: Multiple authentication methods and paths are supported, even if some are multi-step and some are not.
Click here to review an example of Cloudflare configuration.
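A pre-deployment check for the four steps above, written as an added example (not code from the vendor or from any enforcer). It compares an enforcer configuration against an inventory of authentication routes and lists what is missing. Only px_credentials_intelligence_version and multistep_sso are taken from this page; the other key names (extraction_enabled, extraction_paths, user_field, pass_field, login_result_method) and the sample routes are hypothetical stand-ins for the real keys in your enforcer's reference.

```javascript
// Added example, not vendor code. Only px_credentials_intelligence_version and
// multistep_sso come from the page; all other key names are hypothetical.
function lintCredentialConfig(config, authRoutes) {
  const findings = [];
  // Step 1: the product flag must be on.
  if (config.extraction_enabled !== true) findings.push('step1: extraction flag is not enabled');

  // Step 2: every authentication route in the inventory needs an extraction entry.
  const entries = Array.isArray(config.extraction_paths) ? config.extraction_paths : [];
  for (const r of authRoutes) {
    const covered = entries.some((e) =>
      e.path === r.path && String(e.method).toUpperCase() === r.method.toUpperCase());
    if (!covered) findings.push(`step2: ${r.method} ${r.path} (${r.flow}) has no extraction entry`);
  }

  // Step 3: a pass/fail reporting method must be chosen.
  if (!config.login_result_method) findings.push('step3: no response status method configured');

  // Step 4 (heuristic): an entry with only one credential field suggests a split
  // login, which needs px_credentials_intelligence_version set to multistep_sso.
  const multistep = config.px_credentials_intelligence_version === 'multistep_sso';
  for (const e of entries) {
    const hasUser = Boolean(e.user_field);
    const hasPass = Boolean(e.pass_field);
    if (!hasUser && !hasPass) findings.push(`step2: ${e.path} names no credential field`);
    else if (hasUser !== hasPass && !multistep) {
      findings.push(`step4: ${e.path} has one credential field but multistep_sso is not set`);
    }
  }
  return findings;
}

// Constructed sample inventory and config, not taken from any real deployment.
const sampleRoutes = [
  { flow: 'login', method: 'POST', path: '/login/username' },
  { flow: 'login', method: 'POST', path: '/login/password' },
  { flow: 'signup', method: 'POST', path: '/signup' },
  { flow: 'password_reset', method: 'POST', path: '/account/password' },
];
const sampleConfig = {
  extraction_enabled: true,
  extraction_paths: [
    { path: '/login/username', method: 'post', user_field: 'username' },
    { path: '/login/password', method: 'post', pass_field: 'password' },
    { path: '/signup', method: 'post', user_field: 'email', pass_field: 'password' },
  ],
  login_result_method: 'status',
};
console.log(lintCredentialConfig(sampleConfig, sampleRoutes).join('\n'));
```

On the sample input the check reports the uncovered password-change route and the two split-login entries that lack the multistep_sso setting.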