Supporting First Party HUMAN calls on a CDN

In some cases, you may choose to handle First-Party requests outside of the HUMAN Enforcer. While this document is focused on generic CDN configurations, you can apply these same rules within a load balancer, reverse proxy, web server, etc., that sit in front of the HUMAN Enforcer.

Supporting First-Party mode requires three separate reverse proxy routes or rules to be configured.

Note:

[app_id] is your HUMAN Application ID and [app_id without PX] is the appID without "PX". For example, if your HUMAN Application ID is PX1234567, [app_id] is PX1234567 and [app_id without PX] is 1234567.

Points to Consider

  • If required, the corresponding certificate pinning should be set up on the CDN.
  • You can define rules that tell the CDN when to expire cached content, or your origin server can add cache-expiry headers to the content and the CDN can be configured to honor those instead. Set the cache TTL to 10 minutes, or configure the CDN to honor the cache header received from the origin.
  • If caching at the CDN (recommended), set the cache key to the incoming host name rather than the origin host, so that the HUMAN domain name does not appear in the cache key.

Rule 1 - Sensor Call: Delivering HUMAN Sensor

Request to the HUMAN Sensor.

  • In Third-Party mode, the request is sent to https://client.perimeterx.net/[app_id]/main.min.js.
  • In First-Party mode, the request is sent to https://www.customerdomain/[app_id without PX]/init.js.

To support this request, you need a rule that handles incoming requests for https://www.customerdomain/[app_id without PX]/init.js and that makes an origin call to https://client.perimeterx.net/[app_id]/main.min.js.

Rule 2 - Handling First-Party Captcha.js Call

This is the request that helps facilitate HUMAN Captchas.
In Third-Party mode, the request is sent to https://captcha.px-cdn.net/[app_id]/captcha.js?XXX. In First-Party mode, the request is sent to https://www.customerdomain/[app_id without PX]/captcha/*.

To support this request, you need a rule that handles incoming requests for https://www.customerdomain/[app_id without PX]/captcha/* and makes an origin call to https://captcha.px-cdn.net/[app_id]/captcha.js?XXX.

Rule 3 - Handling XHR Calls at the CDN

This is the request that carries HUMAN feedback from the client.
In Third-Party mode, the request is sent to https://collector-[app_id].px-cloud.net/api/v[*]/collector. In First-Party mode, the same request is sent to https://www.customerdomain.com/[app_id without PX]/xhr/[$1], where $1 is a variable holding the rest of the path after https://www.customerdomain.com/[app_id without PX]/xhr/.
For example, a request to https://www.customerdomain.com/of8vanwA/xhr/api/v1/collector should be routed by the CDN rule to https://collector-pxof8vanwA.px-cloud.net/api/v1/collector.

To support this request, you need a rule that handles incoming requests for https://www.customerdomain.com/[app_id without PX]/xhr/[$1] and makes an origin call to collector-[app_id].perimeterx.net/[$1].

Points to Consider

  • If required, the corresponding certificate pinning should be set up on the CDN.
  • These calls should NOT be cached.

First Party Calls

There are 3 main calls that need to be configured for first-party.

| Third Party | First Party (incoming) | Origin Call |
| --- | --- | --- |
| https://client.perimeterx.net/[app_id]/main.min.js | https://www.customerdomain/[app_id without PX]/init.js | https://client.perimeterx.net/[app_id]/main.min.js |
| https://captcha.px-cdn.net/[app_id]/captcha.js?XXX | https://www.customerdomain/[app_id without PX]/captcha/* | https://captcha.px-cdn.net/[app_id]/captcha.js?XXX |
| https://collector-[app_id].px-cloud.net/api/v[*]/collector | https://www.customerdomain.com/[app_id without PX]/xhr/[$1] (see note above) | https://collector-[app_id].perimeterx.net/[$1] |
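The three rules above, expressed as a small table-driven route resolver you can run against sample requests before committing a CDN or reverse-proxy rule set. This is an added example, not code from HUMAN or this page. It assumes the Application ID always carries the fixed "PX" prefix, that the sensor and captcha routes are cached for the 10-minute TTL recommended above while XHR calls are never cached, that the captcha wildcard's query string is forwarded to captcha.js (the page leaves ?XXX unspecified), and it uses the collector-[app_id].perimeterx.net origin from Rule 3.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CACHE_TTL_SECONDS = 600  # the 10-minute TTL recommended for cached first-party content


@dataclass(frozen=True)
class Route:
    origin_url: str  # URL the CDN fetches from the HUMAN origin
    cache_ttl: int   # seconds; 0 means "do not cache" (XHR calls)


def first_party_prefix(app_id: str) -> str:
    """[app_id without PX]: strip the fixed 'PX' prefix, e.g. PX1234567 -> 1234567."""
    if not app_id.startswith("PX") or len(app_id) <= 2:
        raise ValueError("HUMAN Application ID must look like PX<id>")
    return app_id[2:]


def resolve(app_id: str, incoming_url: str) -> Optional[Route]:
    """Map an incoming first-party URL to its HUMAN origin call; None if no rule matches."""
    prefix = first_party_prefix(app_id)
    parts = urlsplit(incoming_url)
    path, query = parts.path, parts.query

    # Rule 1 - Sensor: /[app_id without PX]/init.js -> client.perimeterx.net/[app_id]/main.min.js
    if path == f"/{prefix}/init.js":
        return Route(f"https://client.perimeterx.net/{app_id}/main.min.js", CACHE_TTL_SECONDS)

    # Rule 2 - Captcha: /[app_id without PX]/captcha/* -> captcha.px-cdn.net/[app_id]/captcha.js?...
    # Assumption: the incoming query string stands in for the page's "?XXX".
    if path.startswith(f"/{prefix}/captcha/"):
        origin = f"https://captcha.px-cdn.net/{app_id}/captcha.js"
        return Route(f"{origin}?{query}" if query else origin, CACHE_TTL_SECONDS)

    # Rule 3 - XHR: /[app_id without PX]/xhr/[$1] -> collector-[app_id].perimeterx.net/[$1], uncached
    xhr_prefix = f"/{prefix}/xhr/"
    if path.startswith(xhr_prefix) and len(path) > len(xhr_prefix):
        rest = path[len(xhr_prefix):]  # this is $1
        origin = f"https://collector-{app_id}.perimeterx.net/{rest}"
        return Route(f"{origin}?{query}" if query else origin, 0)

    # Anything else (another tenant's ID, stray paths) is not proxied to HUMAN at all.
    return None


if __name__ == "__main__":
    # Constructed sample using the page's own example path.
    print(resolve("PXof8vanwA", "https://www.customerdomain.com/of8vanwA/xhr/api/v1/collector"))
```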

Next Steps

After configuring the CDN to handle First-Party requests, complete the steps listed on the Integrate 1st-Party JS Snippet page to make sure your snippet is set up to serve the JavaScript Sensor via First Party.