Configuration Reference | HUMAN Documentation

Overview

All HUMAN enforcer configuration is stored in a data group named pxconfig. Configuration values are read from this data group at runtime.

Modifying Configuration

To modify a configuration value, use the following command on the F5 shell:

$ modify /ltm data-group internal pxconfig records modify { KEY_NAME { data VALUE } }

Where:

KEY_NAME is the name of the configuration directive
VALUE is the value to set

Example: Enable blocking mode:

$ modify /ltm data-group internal pxconfig records modify { module_mode { data 2 } }

Example: Set a custom IP header:

$ modify /ltm data-group internal pxconfig records modify { ip_header { data X-Forwarded-For } }

Directives

Directive	Description	Default	Value
app_id	HUMAN application id	NONE	String
cookie_secret_key	Cookie hashing secret (salt)	NONE	String
auth_token	JWT used to authenticate with px servers	NONE	String
enable_module	Sets the module on/off	1	int
module_mode	Sets the module working mode: `2` = blocking, `1` = sync monitor, `0` = async monitor	1	int
whitelisted_routes_class	Name of the class for allowlist routes	px_<APP_ID>_whitelisted_routes	String
whitelisted_query_params_class	Name of the class for allowlist query parameters	px_<APP_ID>_whitelisted_query_params	String
specific_routes_class	Name of the class for specific routes	px_<APP_ID>_specific_routes	String
sensitive_routes_class	Name of the class for sensitive routes	px_<APP_ID>_sensitive_routes	String
monitor_routes_class	Name of the class for monitor routes (domain/path based monitor mode)	px_<APP_ID>_monitor_routes	String
send_page_activities	Toggles send page requested activity	0	int
send_block_activities	Toggles send block activities	1	int
excluded_extensions	Flags which extensions the module will skip	regex String	String
risk_vs	Correlates with the virtual server for making risk api calls	px_backend_<APP_ID>_vip	String
risk_timeout	Sets the timeout for api calls (in milliseconds)	2500	int
debug	Toggles debug mode on/off, see troubleshooting for more information	0	int
ip_header	Custom user header that contains real user ip	NONE	String
sensitive_headers	List of sensitive headers not to send in risk api calls	[“cookie”]	list
custom_logo	Path to url that contains a logo to be displayed on default block page	NONE	String
js_ref	Path to url that contains a custom js file to inject into the default block page	NONE	String
css_ref	Path to url that contains a custom css file to inject into the default block page	NONE	String
allowed_domains	A list of domain names on which the enforcer will run on. Run on all if blank	[""]	list
enable_module_header_name	The header name that should be used to enable the module (The header’s value should be `True`)	NONE	String
whitelist_ips	A list of ips/CIDRs to allow. If empty all the requests will be processed.	[""]	list
bypass_monitor_header	The header name that can be used to bypass monitor mode on blocking activities.	NONE	String
enable_advanced_blocking_response	Toggles the use of advanced blocking response	1	int
custom_cookie_header	A header name which will be used to extract the HUMAN cookie from.	NONE	String
enable_first_party	Toggles first-party mode on/off.	1	int
enable_sensor_injection	Toggles automatic JavaScript sensor injection on/off	0	int
enable_score_header	Toggles sending the risk score to origin via `x-px-score` header	0	int
px_data_enrichment_header_name	Header name to use for sending PXDE (data enrichment) payload to origin	NONE	String

Directives containing APP_ID

Some directives in the configuration may require a specific name which contains the appID of the application taken from the portal.

The name in the configuration must be identical to the name configured in the data group/virtual server/pool.

A mismatch in the name may lead to errors on the module.

Configuration Examples

Enable Blocking Mode

$ modify /ltm data-group internal pxconfig records modify { module_mode { data 2 } }

Enable Sensor Injection

When enabled, the iRule will automatically inject the HUMAN JavaScript sensor into HTML pages:

$ modify /ltm data-group internal pxconfig records modify { enable_sensor_injection { data 1 } }

When sensor injection is enabled, the iRule will remove the Accept-Encoding header from incoming requests so the origin will NOT return compressed content. Make sure to enable compression on the LTM level if you use script injection.

Enable Score Header

Send the risk score to your origin server for custom handling:

$ modify /ltm data-group internal pxconfig records modify { enable_score_header { data 1 } }

This will add an x-px-score header to requests forwarded to your origin.

Enable Data Enrichment Header

Send the PXDE (PerimeterX Data Enrichment) payload to your origin:

$ modify /ltm data-group internal pxconfig records modify { px_data_enrichment_header_name { data x-px-data-enrichment } }

Set Custom IP Header

If your application is behind a proxy or CDN, specify the header containing the real client IP:

$ modify /ltm data-group internal pxconfig records modify { ip_header { data X-Real-IP } }

Enable Debug Logging

For troubleshooting, enable debug logging:

$ modify /ltm data-group internal pxconfig records modify { debug { data 1 } }

Remember to disable debug logging in production as it can impact performance.