Product guides

What's New

Suggest Edits

Version 12.0.0

Released 2024-11-24

Added

  • Added default values for px_sensitive_headers and removed px_sensitive_headers_enabled header.

Changed

  • We have considerably reduced workspace usage in this version following several modifications of our memory usage and subroutine practices.
  • Moved the sending of async activities to vcl_log subroutine instead of vcl_deliver subroutine.
  • Removed filter on cache hit feature.
  • Moved the call to the custom additional activity handler from vcl_deliver subroutine to vcl_recv subroutine.

Fixed

  • Fixed an issue with the used cookie secret where it reported *** even when no cookie secret was used.
  • Fixed a couple of bugs in the extracted cookies feature.

Version 11.1.5

Released 2024-10-14

  • Fixed inaccurate simulated_block field when enforced routes are configured
  • Changed async activity and telemetry HTTPS logging endpoints to use collector-<app_id>.perimeterx.net instead of fastly-async.perimeterx.com
  • Changed async activity HTTPS logging endpoint to set max bytes at 500,000

Version 11.1.4

Released 2024-09-25

  • Removed b param from block page to prevent header / workspace overflow caused by excessively long URLs

Version 11.1.3

Released 2024-09-08

  • Reduced HUMAN workspace footprint (in terms of headers count and workspace free bytes)
  • Set complex headers once, instead of multiple times during the enforcer flow
  • Remove potential large size headers from px-ctx
  • Adjust px-cfg header so it won't be modified after initialization

Version 11.1.2

Released 2024-08-20

  • Reduced workspace footprint by moving request cookie names from px-ctx header to separate px-req-cookie-names header

Version 11.1.1

Released 2024-08-13

  • Added legacy and next-gen WAF bypass for first party requests
  • Support cookie secret rotation
  • Fix block-result-header not reaching to the origin bug

Version 11.1.0

Released 2024-07-01

Changed

  • Moved px_fastly_api_token from px_configs table to new private dictionary px_private

Version 11.0.1

Released 2024-06-24

Added

  • Added access cookie on async activities

Version 11.0.0

Released 2024-06-06

Added

  • Added the px_advanced_blocking_response_enabled configuration option, which allows you to turn off ABR feature functionality.
  • Added support for custom first party endpoints

Fixed

  • Unsetting all HUMAN headers on enforcer initialization

Changed

  • The px_enable_error_logs configuration option has been removed. Rather, we now check the logger severity configuration
  • The px_enable_redirect_xhr configuration option has been removed. Instead, we now check only the first party configuration option
  • The px_send_page_activities configuration option has been removed, so that the async activities always be sent
  • The px_custom_access_control_header, px_enable_access_control_header configuration options have been removed. Instead, use the px_custom_cors_set_custom_block_response_headers configuration.
  • The px_custom_captcha_handler configuration option has been removed. Instead, use the px_custom_create_synthetic_web_response custom subroutine.
  • The px_custom_check_block_post_url and px_custom_check_block_by_size configuration options which were never executed, have been removed,
  • The px_custom_check_enabled_route and px_custom_redirect configuration option which is not according to spec has been removed. This logic can be implemented in the customers' VCL as desired.
  • The px_custom_data_enrichment_handler configuration option which is not according to spec has been removed.
  • Removed logic related to error code 996 which was never executed
  • Removed px_ip_headers dependency from PX.vcl, and instead added px_custom_client_ip_extraction subroutine that returns custom IP header value.
  • Rename the login-set header to px-creds:endpoint-index
  • The custom subroutine px_custom_set_login_successful_response_header now returns 0 or 1 indicating whether the login was successful, instead of returning the indication in the resp.http.x-px-login-successful header.
  • Removed the deprecated CSP feature
  • The use_callback option of px_login_credentials_extraction has been moved to be one of the sent_through field options.
  • The px_custom_create_block_page custom subroutine has been removed. This logic should be implemented in the custom px_custom_create_synthetic_web_response and px_custom_create_synthetic_mobile_response custom subroutines
  • The px_custom_extract_jwt_additional_fields custom subroutine now returns the jwt additional fields in format of: "fieldName1":"fieldValue1","fieldName2":"fieldValue2"
  • The px_custom_create_block_page custom subroutine has been renamed to px_custom_block_page_content.
  • The px_custom_create_synthetic_mobile_response custom subroutine which is not according to spec has been removed.
  • The px_custom_create_synthetic_web_response custom subroutine has been renamed to px_custom_web_block_page_response.
  • The px_custom_block_handler custom subroutine has been removed. Instead, use the px_custom_web_block_page_response custom subroutine.
  • The px_custom_post_block_handler custom subroutine which were never executed, have been removed.
  • The px_bypass_monitor_header default value was changed from empty to x-px-block.
  • eng_key in cs_data table moved to px_configs and renamed to px_fastly_api_token
  • px_enforcer_config_rdata_id in cs_data table moved to px_configs
  • cs_data table removed
  • px_enforcer_config_rdata table changed to dictionary always
  • px_remote_config_secret renamed to px_remote_config_auth_token
  • Added remote config ID and secret to Risk API and async activities
  • Modified remote log key names for remote config (from remoteConfigVersion to configVersion, from remoteConfigID to configID) and added moduleVersion

Version 10.2.1

Released 2024-05-07

Added

  • Added x-sigsci-no-inspection header to disable Fastly Next-Gen WAF for Risk API request
  • Added unit testing framework (Falco)
  • Added active, static and remote config support on Telemetry activity

Fixed

  • Added state changes (via return(pass) invocations) to px_pass subroutine for risk API and push data flows
  • Fixed Telemetry activity

Version 10.2.0

Released 2024-04-17

Changed

  • Extracted cookies feature support (including access_cookie)
  • Remote config is merged with base config without over memory usage
  • Additional configurations for remote config
  • Sending workspace bytes free on activities
  • New block page supports first party timeout
  • added SameSite=Lax to PXHD cookie

Version 10.1.1

Released 2024-02-21

Changed

  • Removed workspace headers count log

Version 10.1.0

Released 2024-03-18

Added

  • Remote config dictionaries are configurable as part of the deployment process
  • Calling Fastly's native log function directly to avoid header overflow when logging is enabled.
  • A binary executor to generate manifest files. Can be created by npm run package
  • Adding build step in package.json
  • Automatically defining ssl_sni_hostname when px_backend_url is defined
  • Added Enforcer Fuzzer as part of CI process

Removed

  • out directory

Changed

  • Building the manifest is now done by npm run bundle
  • All default configurations are part of source code instead of json default.
  • Reading path from js config file is done by absolute path.
  • Using a newer version of helm so wait-for-job.sh is no longer necessary
  • Exiting on first failure of tests to save time
  • Retry delay of one minute between failures to let Fastly load resources (it might be the failure case)

Fixed

  • Fixed remote config functionality
  • Fixed the origin failiure if statemnt in main.vcl
  • Fixed clean px headers before origin on POST filtered requests

Version 10.0.1

Released 2024-02-22

  • First-party requests not proxied in default configuration bug fix
  • Remove bugged GitHub action that pushes out directory to the repository.
  • Increase the wait time for Fastly services to be ready before running the e2e tests.

Version 10.0.0

Released 2023-12-12

  • Reduced HUMAN workspace footprint (in terms of headers count and workspace free bytes)
  • Add a new feature - skip enforcer logic for requests that result in a HIT at the cache
  • pulumi deployment
  • Support for custom GraphQL routes based on custom function
  • Generating VCLs using templating
  • Implemented Human Security Logger
  • Implemented write Remote Configuration
  • Support Read Remote Config
  • Support the following features without regex:
    • px_sensitive_routes
    • px_graphql_routes
    • px_sensitive_graphql_operation_names
    • px_sensitive_graphql_operation_types
    • px_filter_by_route
  • Masking sensitive domain names in GitHub action e2e_ci.
  • Removed Async Monitor mode
  • Requests with exceeded body size (8K) will go thourgh regular detection flow

Version 9.1.0

Released 2023-08-16

  • Updated block page for improved mobile support
  • Added risk activity fields to async activities for improved detection and aligned field names and types
  • Changed names for internal headers IP (x-px-socket-ip) and client UUID (x-px-client-uuid)
  • Changed px_custom_activity_headers format to align with new activity header format
  • Fixed a small bug which prevented the px_backend_url from being configured properly

Version 9.0.0

Released 2023-07-24

  • Important change! Async activities are sent via HTTPS instead of syslog. This necessitates a change to the async activities logging endpoint.
  • Aligned Risk API and async activity field names and formatting

Version 8.8.0

Released 2023-06-05

  • Added custom function px_custom_first_party_response_modifier
  • Removed custom function px_custom_first_party_access_control_allow_origins_whitelist which was never executed

Version 8.7.2

Released 2023-05-03

  • Fixed CI v2 normaliazation process

Version 8.7.1

Released 2023-05-03

  • Added support extracting numeric user id from JWT token

Version 8.7.0

Released 2023-04-23

  • Added support CI v2 protocol
  • Added support CI both protocol
  • Added support CI protocol per endpoint
  • Added credentials_compromised field on async activities
  • Excluded credentials hashing of empty strings and null objects

Version 8.6.0

Released 2023-03-21

  • Added Support for CORS preflight requests and CORS headers in block responses

Version 8.5.0

Released 2023-03-15

  • Added custom subroutine px_custom_cookie_header_value with default return value req.http.x-px-cookies
  • Cookie processing considers both px_custom_cookie_header_value and cookie header value
  • px_custom_cookie_header_enabled configuration and px_custom_cookie_header subroutine deprecated

Version 8.4.7

Released 2023-02-09

  • Fixed s2s call reason on mobile errors

Version 8.4.6

Released 2022-12-20

  • bugfix: now first party resources are automatically compressed via gzip regardless the default policy

Version 8.4.5

Released 2022-12-16

  • Added HUMANHD cookie to risk request for improved detection.
  • Fixed bugs in JWT token decoding and parsing such that the user_id field is extracted and reported properly.

Version 8.4.4

Released 2022-12-07

  • Added support for server info related fields on RiskAPI to improve detection
  • Added to Credentials Intelligence support adding to the request an indication of compromised credentials in the form of a query string
  • Added to Credentials Intelligence support modifying the status code of a successful login response which was made with compromised credentials
  • Added to Credentials Intelligence support PUT method in the extraction of the Credentials Intelligence details

Version 8.4.2

Released 2022-11-29

  • Fixed px_shield snippet bug that deactivated shielding for certain requests while in monitor mode.

Version 8.4.1

Released 2022-10-30

  • GraphQL query parsing ignores whitespace and \n at the beginning of the string

Version 8.4.0

Released 2022-10-11

  • Added JA3 fingerprint to enforcer activities for detection improvement
  • Added request cookie names to page_requested and block activities for detection improvement
  • Fixed custom block page default template compilation issue
  • Fixed request cookie names unnecessary spaces issue
  • Rearranged the code slightly so more fields on the request are accessible in the custom parameters subroutine

Version 8.3.1

Released 2022-08-23

  • Improved validation of pxvid cookie.

Version 8.3.0

Released 2022-07-28

  • Added support for User identifiers feature - extract application user id and additional fields from JWT token.
  • enables Account defender support on Fastly Enforcer.
  • Fixed send redundant page_requested in addition to block activity on sensitive routes on specific cases bug.

Version 8.2.0

Released 2022-06-30

  • Added configurable first party sensor endpoint to circumvent adblockers that prevent requests to the default init.js endpoint. The default init.js endpoint remains active even when a custom endpoint is configured. Note that the sensor endpoint must be changed to use the custom endpoint in the JS snippet as well.

Version 8.1.0

Released 2022-04-10

  • Added Custom logo in block JSON response
  • Updated block page to use new template

Version 8.0.2

Released 2022-03-14

  • Credential Intelligence - added ci_version, sso_step, credentials_compromised fields to block activity for complete visibility for the CI feature on HUMAN's portal.
  • Improved custom block page code structure and code separation for in PX_CUSTOM.vcl and Internal code.

Version 8.0.1

Released 2022-02-15

  • Improved upgradability
  • Updated px_metadata.json
  • Removed redundant default values assignments from px_configs table

Version 8.0.0

Released 2022-02-03

  • Added Sensitive GraphQL operation support, in order to distinguish between GraphQL operations that are sensitive and require RISK validation, support for GraphQL detection enhancement.
  • Added Additional Activity Handler support - customizable callback The Enforcer runs after sending page_requested or block_activity.
  • Added Filter by HTTP method, user agent, route and IP - customizable callbacks that can skip Enforcer validation flow based on rules of the request HTTP method, user agent, route or IP.
  • Added Support First Party Gzip Compression - Allowing compression of first party content such as HUMAN's sensor.
  • Core refactor - The enforcer is now support automatic update.
  • Minor bug fixes and improvements

Version 7.2.0

Released 2022-01-23

  • Added Support for credentials intelligence protocols v1 and multistep_sso
  • Added Support for login successful reporting methods header, status, and custom
  • Added Support for automatic sending of additional_s2s activity
  • Added Support for manual sending of additional_s2s activity via request header
  • Added Support for sending raw username on additional_s2s activity
  • Added Support for login credentials extraction via custom callback
  • Added New request_id field to all enforcer activities
  • Added Login credentials extraction handles body encoding based on Content-Type request header (supports application/json and application/x-www-form-urlencoded)
  • Added Successful login credentials extraction automatically triggers risk_api call without needing to enable sensitive routes
  • Fixed the bug of Unset X-PX-uuid header before sending request to customer's origin

Version 7.1.6

Released 2022-01-17

  • Fixed the bug of Fastly WAF is called twice on some requests due to restart caused by the Enforcer.

Version 7.1.5

Released 2021-12-29

  • Added server_info_origin to all Enforcer activities - indicates which CDN POP/Datacenter the request hit.

Version 7.1.4

Released 2021-10-25

  • Added Compromised credentials header support - indicates the origin of that a compromised credentials was detected by HUMAN.
  • Added CDN Deploy Tool installation support - support for clean/install of the enforcer using automated tool.

Version 7.1.3

Released 2021-07-01

  • Changed initial, threshold, and window configs for backend health check to align with Fastly new limitations and avoid requests timeouts.

Version 7.1.2

Released 2021-06-28

  • increased timeout for backend health check to align with Fastly new limitations and avoid requests timeouts.

Version 7.1.1

Released 2021-06-03

  • Added support for login credentials extraction - This feature extracts credentials (hashed username and password) from requests and sends them to HUMAN as additional info in the risk api call. The feature can be toggled on and off, and may be set for any number of unique paths.

Version 7.1.0 (REMOVED)

Released 2020-11-26

  • Added tier 2 for CSP report only policy
  • Moved to user subroutines instead of vcl snippets in main.vcl to enforce code order on Main.vcl file.
  • Moved to using px_shield snippet instead of do_shield subroutine.
  • Updated main.vcl base file to be aligned with Fastly's new boilerplate format.
  • Fixed the issue of missing vid in risk_api activity when call reason is cookie_expired
  • Fixed the issue of missing risk_rtt field in block activity

Version 6.1.1

Released 2020-08-12

  • Fixed the issue of module version is sent without version number

Version 6.1.0

Released 2020-08-10

  • Added Send page_response activity
  • Code optimization to reduce memory usage

Version 6.0.0

Released 2020-07-21

  • Added support for remote data
  • Added CSP module (Content Security Policy)

Version 5.0.10

Released 2020-06-18

  • Fixed the issue of invalid cookies by limit cookie characters to a specific range of characters
  • Added px_orig_cookie field on page_requested and block to contain the original cookie value

Version 5.0.9

Released 2020-06-17

  • Fixed cookie with non-printable characters fix may cause being mishandled.

Version 5.0.8

Released 2020-05-20

  • Fixed Telemetry Json formatting

Version 5.0.7

Released 2020-04-22

  • Added support for HUMANHD cookie secure mode via config

Version 5.0.6

Released 2020-03-10

  • Fixed Handle header size overflow. Fail-Open or Fail-Close is configurable in such case.

Version 5.0.5

Released 2020-02-20

  • Removed hard-coded tokens that required Fastly Deploy Tool to be used
  • Detect edge better to prevent attacks

Version 5.0.4

Released 2020-01-28

  • delete x-px-cookie-data header
  • Header px-orig-cookie to include the original cookie in case of decryption failed
  • Added utf-8 validation before requesting px backend to prevent s2s_error

Version 5.0.3

Released 2019-12-08

  • Fixed the issue of page_requested not being sent due to redundant spaces

Version 5.0.0

Released 2019-11-28

  • Added support for single or multiple (4) backends to work with HUMAN
  • Decreased number of headers being used on HUMAN module.
  • Fixed the issue of expired cookie with year of 1990 and below was not parsed well.

Updated 12 days ago