All HUMAN enforcer configuration is stored in a data group named pxconfig. Configuration values are read from this data group at runtime.
To modify a configuration value, use the following command on the F5 shell:
Where:
KEY_NAME is the name of the configuration directiveVALUE is the value to setExample: Enable blocking mode:
Example: Set a custom IP header:
Some directives in the configuration may require a specific name which contains the appID of the application taken from the portal.
The name in the configuration must be identical to the name configured in the data group/virtual server/pool.
A mismatch in the name may lead to errors on the module.
When enabled, the iRule will automatically inject the HUMAN JavaScript sensor into HTML pages:
When sensor injection is enabled, the iRule will remove the Accept-Encoding header from incoming requests so the origin will NOT return compressed content. Make sure to enable compression on the LTM level if you use script injection.
Send the risk score to your origin server for custom handling:
This will add an x-px-score header to requests forwarded to your origin.
Send the PXDE (PerimeterX Data Enrichment) payload to your origin:
If your application is behind a proxy or CDN, specify the header containing the real client IP:
For troubleshooting, enable debug logging:
Remember to disable debug logging in production as it can impact performance.
The Credential Intelligence feature extracts credentials (hashed username and password) from login requests and sends them to HUMAN as additional info in the Risk API call. If credentials are found to be compromised, the enforcer can notify your origin via a header.
Credential Intelligence must be enabled in your HUMAN Console before configuring the enforcer. Contact your HUMAN representative for access.
To enable Credential Intelligence, configure the following in the pxconfig data group:
Choose the appropriate protocol version for your login flow:
Standard Login (v2) - Username and password are submitted in a single request:
Multi-Step SSO (multistep_sso) - Username and password are submitted in separate requests:
For multi-step SSO, configure your extraction class with a path pattern that matches both login steps. On each step, only the username OR password will be present, and the enforcer will detect which field is available.
When credentials are checked, the enforcer adds a header to the request with the result:
The header value will be 0 (not compromised) or 1 (compromised), based on the HUMAN Risk API response.
The header is only added when Credential Intelligence is enabled and the Risk API returns data enrichment information.
To report whether login attempts were successful, configure one of the following methods:
Status-Based Reporting - Determine success based on HTTP response status code:
Header-Based Reporting - Determine success based on a response header:
Additional S2S activity sends enhanced login attempt data to HUMAN, including response code, login success status, and optionally the raw username.
Method 1: Origin Forwards Activity (Header-Based)
The enforcer adds activity data as headers for your origin to forward to HUMAN:
When enabled, the enforcer adds:
px-additional-activity - JSON containing the activity datapx-additional-activity-url - The HUMAN endpoint URL to forward the data toYour origin is responsible for forwarding this data to HUMAN.
Method 2: Enforcer Sends Directly (Default)
When ci_additional_s2s_activity_header_enabled is 0, the enforcer sends the additional S2S activity directly via syslog during the HTTP response phase.
To include the raw (unhashed) username in the additional S2S activity:
The raw username is only included when credentials were successfully extracted from the request.