How to Access the Credential Intelligence Flag

Overview

This guide demonstrates a couple of ways to access the Credential Intelligence flag and to identify requests containing compromised credentials.
The first is through a request header, and the second is through the additional activity handler custom function in the enforcer itself.

Accessing the Credential Intelligence Flag

Option 1 - Compromised Credentials Header

If credentials are flagged as compromised, a header will be added to the request. This way, inline flow operation in your app can implement the desired business logic. This will be done by checking this header and performing operations based on the result of the flag - compromised or not.
Please note that if the Bot Defender product is enabled and on block mode, if this request is determined as a request coming from a bot, it will be blocked by the enforcer.

The name of the header is determined by the px_compromised_credentials_header. By default, the header name is px-compromised-credentials. If the credentials are compromised, the value of this header will be 1; otherwise, the header will not be present on the request.

📘

Note

The header name can be modified in all enforcers with the exception of the Fastly VCL Enforcer.

See the pseudocode example below. The HUMAN middleware is added before the request to /login. The handleLogin function checks the px-compromised-credentials header to decide which business logic to apply to the request.

router.addMiddleware(px.middleware);
router.post('/login', handleLogin);

function handleLogin(req, res) {
    const areCredentialsCompromised = req.headers['px-compromised-credentials'] == '1';
    if (areCredentialsCompromised) {
        // some logic
    } else {
        // some other logic
    }
}

Option 2 - Additional Activity Handler and PXDE Object

It's possible to identify compromised credentials from within the HUMAN Enforcer as well. This can be done using the Additional Activity Handler, a customizable function that executes additional logic within the enforcer. This is useful if you need to perform additional operations during enforcement, or if headers are not a viable option for your backend architecture. 

See the pseudocode example below. The pxCtx may contain the property pxde, a HUMAN data enrichment object. If this PXDE object exists and the breached_account property on it also exists, then the credentials have been flagged as compromised.

px.init({
    px_app_id: "PX_APP_ID",
    // ...
    px_additional_activity_handler: additionalActivityHandler
});

function additionalActivityHandler(pxCtx, pxConfig) {
    const areCredentialsCompromised = pxCtx.pxde && pxCtx.pxde['breached_account'];
    if (areCredentialsCompromised) {
        // some logic
    } else {
        // some other logic
    }
}

📘

Note

The Additional Activity Handler is called for every request, not only those that trigger the Credentials Intelligence flow.