Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify a single person, or to identify an individual in context.
It is important for us to keep personal private information out of our servers. Therefore, by default, we do not send the request body and cookies to HUMAN backend servers, the entire communication is based on headers data.
PII is not a recommended setting. If PII is essential for your organization, contact HUMAN Support.
When PII is enabled, HUMAN does not store a client’s full IP information (Client IP, HTTP Headers). In IPv4 this is done by zeroing 4th IP octet (for example, the IP 1.2.3.4 will be stored as 1.2.3.0). In IPv6 this is done by zeroing the last four (4) octets (for example, the IP 1:2:3:4:1:2:3:4 will be stored as 1:2:3:4:1:2:3:0). Removing the IP’s last octet can result small reduction of detection capability, usually for the models and signatures that are based on IPs.
The HUMAN BigIP module allows you to set a number of configurational classes (data groups) to control which routes are processed in different ways.
Routes added to this class will bypass HUMAN enforcement entirely.
<APP_ID> with your HUMAN app id.whitelisted_routes_class directive is the same as the name you provided in step 2.Query parameters added to this class will be excluded from the URL sent to HUMAN for risk evaluation. This is useful for removing sensitive or dynamic parameters from the evaluation.
<APP_ID> with your HUMAN app id.The Value field uses regex matching. For example, to whitelist all values for a parameter, use .* as the value.
Example: To whitelist the session_id parameter with any value:
session_id.*Routes added to this class will be the only routes that HUMAN enforces. All other routes will bypass enforcement.
<APP_ID> with your HUMAN app id.specific_routes_class directive is the same as the name you provided in step 2.Routes added to this class will trigger a server-to-server risk API call regardless of the cookie score. This provides higher security for critical endpoints.
<APP_ID> with your HUMAN app id.sensitive_routes_class directive is the same as the name you provided in step 2.Routes added to this class will be processed in monitor mode regardless of the global module_mode setting. This allows you to enable blocking mode globally while keeping specific routes in monitor mode, or vice versa.
The class supports domain/path based configuration for more granular control.
<APP_ID> with your HUMAN app id.example.com/api)Monitor routes can be specified with just a path (e.g., /api/v1) or with a domain prefix (e.g., api.example.com/v1).
This class defines the endpoint where login credentials should be extracted. The credentials are hashed and sent to HUMAN for breach detection.
Before creating this class, ensure Credential Intelligence is enabled in the pxconfig data group. See Credential Intelligence for details.
ci_login_credentials_extraction_class (e.g., px_login_credentials).Both path and method matching are case-insensitive. The path field supports regular expression patterns.
For a login endpoint at /api/auth/login that accepts POST requests with JSON body:
Configure the class with these records:
For a login form that submits to /login with form-urlencoded data:
When sent_through is set to body, the enforcer supports:
The enforcer automatically detects the content type based on the Content-Type or Accept request header.
When sent_through is set to header, the user_field and pass_field values specify the header names:
When sent_through is set to query-string, the user_field and pass_field values specify the query parameter names:
This would extract credentials from a URL like /login?user=john&pass=secret.