Cloudflare configuration options
Each Enforcer has a set of configuration options that control the Enforcer’s functionality and features. While some are required, many of these are optional configurations that you can use to customize the Enforcer’s behavior. You can reference available configurations with this article. You must update and maintain configurations in the HumanSecurityConfiguration object within the Enforcer’s JavaScript code.
While all Enforcers come with the same set of required configurations, the optional configurations available for each may differ. We recommend updating to the latest Enforcer version to ensure you have access to the latest features and configurations.
Quick reference
Basic functionality
Basic features
Optional
Required configurations
These configurations are necessary for the Enforcer’s basic functionality and features.
Basic functionality configurations
For security reasons, we recommend storing tokens and secrets as Cloudflare Worker environment variables rather than hardcoding them into the JavaScript code.
px_app_id
Your HUMAN Application ID in the form of PX12AB34CD. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview. If you have multiple applications, make sure to copy the ID of the application you want the Enforcer on.
px_auth_token
The application’s server token needed to authorize with HUMAN’s backend. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview > Click the appropriate application > Server token tab.
px_cookie_secret
The secret used to encrypt and decrypt the risk cookie sent from the HUMAN Sensor. You can copy this value from the HUMAN Console in Sightline Cyberfraud Defense > Traffic Policy Overview > Click the appropriate application > Click the key > Copy value.
If you need to rotate secrets, then adjust this configuration to be an array of strings (string[]) and include the new secret and old secret. The new secret value should be the first value in the array. This prevents decryption failures.
px_s2s_timeout
The total time in milliseconds that the Enforcer will wait for the Risk API request to return before timing out and passing the request.
px_blocking_score
The minimum risk score that the Enforcer will block. Ranges from 0 (lowest risk) to 100 (highest risk).
px_user_agent_max_length
Do not modify this value without consulting your HUMAN Solutions Engineer.
The maximum length of the User-Agent header. If the user agent header value exceeds this length, it will be truncated to this length prior to processing.
px_backend_url
Base URL for HUMAN SAPI (Risk API and related calls). If empty, the Enforcer uses the default host for your application ID. Set this only when directed by HUMAN (for example, custom routing or non-standard environments).
Basic feature configurations
px_logger_severity
The severity at which the logger will output logs.
"none": The logger will not generate any logs."error": The logger will only generate logs on fatal errors."debug": The logger will generate detailed logs for debugging purposes. Not recommended for production environments.
See px_logger_auth_token for a header-based alternative.
px_ip_headers
An array of header names that are trusted to contain the true client IP. Headers are traversed in the order they’re listed, and the first header value will always be used as the client IP.
Taken from CF-Connecting-IP by default.
px_module_enabled
Whether the Enforcer module is enabled.
true: Enable the modulefalse: Disable the module
px_module_mode
The Enforcer’s operation mode.
"monitor": The Enforcer performs all functions without returning block responses. Useful for analyzing and adjusting Enforcer behavior without serving block pages to end users. If you have routes that must have enforcement at all times, see Enforced routes."active_blocking": The Enforcer will return block responses as needed.
Optional configurations
These configurations aren’t required, but you can use them to further customize the Enforcer’s behavior.
Additional activity handler
px_additional_activity_handler
A custom function passed to the Enforcer that runs after sending page_requested or block activity to the Collector and before forwarding the request to the next step in the pipeline. A common use case is to set the score as a variable or header. Then the application can read the score and do what is defined within the application’s logic.
The request body can only be read once! If you plan on reading the request body in this function, we recommend you clone the request prior to doing so.
Parameters:
config: HumanSecurityConfigurationcontext: IContextrequest:Request
Returns: void or a Promise resolving to void
Advanced blocking response (ABR)
px_advanced_blocking_response_enabled
In specific cases such as XHR post requests, a full CAPTCHA page render might not be an option. In such cases, the Advanced Blocking Response (ABR) returns a JSON object containing all the information needed to render a customized CAPTCHA challenge implementation such as a popup modal, a section on the page, etc. This provides more flexibility and customizability in displaying the CAPTCHA challenge.
Bypass monitor header
px_bypass_monitor_header
Activates the full blocking flow to verify the flow works as expected if a particular header is present on the request. Often used during monitor mode, where the Enforcer collects data without blocking user requests, before switching to active_blocking.
Credentials Intelligence
These configurations are specific to Credentials Intelligence-related features in Sightline Cyberfraud Defense.
px_login_credentials_extraction_enabled
Whether to enable the extraction and reporting of credentials from the Enforcer for Credential Intelligence.
true: Enable Credential Intelligencefalse: Disable Credential Intelligence
px_login_credentials_extraction
An array of configuration objects for each credential endpoint. Each element in the array is an object representing a distinct endpoint to which credentials are sent and includes:
- How to identify these credential-bearing requests
- How to extract the credentials from the request
- How to determine if the request operation (login, signup, etc.) was successful based on the returned HTTP response
Click to expand the full properties list.
Properties
path
The path of the request that contains the credentials. It can be either an exact path or a string in the form of a regular expression.
path_type
Whether the incoming request path should be evaluated against the configured path as a regular expression or as an exact match.
exact: The value set inpathmust match the request path exactly as is.regex: The value set inpathis a regular expression to be matched against the request path.
method
The HTTP method of the request that contains the credentials. This can be set to any string representing an HTTP method.
sent_through
Whether the credentials should be extracted from the request headers, query parameters, body, or via a defined custom callback.
"body": The credentials will be extracted according to the configureduser_fieldandpass_fieldvalues from the request body. The Enforcer parses the request body based on the followingContent-Typerequest header:application/jsonapplication/x-www-form-urlencodedmultipart/form-data
"header": The credentials will be extracted according to the configureduser_fieldandpass_fieldvalues from the request headers."query-param": The credentials will be extracted according to the configureduser_fieldandpass_fieldvalues from the request query parameters."custom": The credentials will be extracted by invoking theextract_credentials_callback.
user_field
Required if sent_through is set to "body", "header", or "query-param". The name of the field containing the username in the request body, headers, or query parameters.
Supports subfields in cases of Content-Type: application/json bodies with nested objects. The subfields can be separated with periods. For example, the credential endpoint configuration object can include a user_field with the value "user_info.username" and a pass_field with the value "authentication.password" to support extracting the credentials.
pass_field
Required if sent_through is set to "body", "header", or "query-param". The name of the field, header name, or query parameter where the password can be found.
Supports subfields in cases of Content-Type: application/json bodies with nested objects. The subfields can be separated with periods. For example, the credential endpoint configuration object can include a user_field with the value "user_info.username" and a pass_field with the value "authentication.password" to support extracting the credentials.
extract_credentials_callback
Required if sent_through is set to "custom". A custom credential extraction callback that returns the raw credentials from the request. It receives the HTTP request as a parameter and should return a Credentials object:
Parameters:
request:Request
Returns: A Credentials object or a Promise resolving to a Credentials object. If neither the username or the password can be extracted from the request, the function should return null.
The request body can only be read once! If you plan on reading the request body in this function, we recommend you clone the request prior to doing so.
protocol
Whether to process credentials as part of single or multiple HTTP requests. By default, the module tries to process requests depending on which credential fields were extracted.
"v2": Both username and password are present on the same HTTP request and must be extracted successfully to trigger Credential Intelligence."multistep_sso": The username and password are delivered on different HTTP requests. Either the username or password, but not both, must be extracted successfully to trigger Credential Intelligence."both": The username and password may be present on the same HTTP request or on different HTTP requests. If either username or password is successfully extracted, the Enforcer will send the credentials according to the multistep_sso protocol. If both username and password are successfully extracted, the Enforcer will send the credentials according to the v2 protocol.
login_successful_reporting_method
The method by which the Enforcer will determine whether the login request was successful.
"status": The Enforcer will determine if the login request was successful by evaluating the response status code against thelogin_successful_statusesconfiguration."body": The Enforcer will determine if the login request was successful by evaluating the response body content against thelogin_successful_body_regexconfiguration."header": The Enforcer will determine if the login request was successful by evaluating the response headers against thelogin_successful_header_nameandlogin_successful_header_valueconfigurations."custom": The Enforcer will determine if the login request was successful by invoking thelogin_successful_callbackconfiguration.
login_successful_statuses
An array of HTTP statuses signifying a successful login. All other status codes will be treated as unsuccessful login attempts. Takes effect only when the login_successful_reporting_method is set to "status".
login_successful_body_regex
Required if login_successful_reporting_method is set to "body". A regular expression (or string representing a regular expression) to against which the response body will be evaluated. A match indicates a successful login.
login_successful_header_name
Required if login_successful_reporting_method is set to "header". A response header name signifying a successful login response. If the login_successful_header_value field is empty or not configured, any response containing this header name will be considered a successful login. If the login_successful_header_value is configured, the response header value must be an exact match.
login_successful_header_value
If this value is configured, a login attempt will be considered successful only if the response contains a header name matching the login_successful_header_name, and whose value is exactly equal to this configuration value. Takes effect only when the login_successful_reporting_method is set to "header".
login_successful_custom_callback
Required if login_successful_reporting_method is set to "custom". A custom callback that accepts the HTTP response and returns a boolean or Promise resolving to a boolean that indicates whether the login attempt was successful.
Parameters:
response:Response
Returns: A boolean or a Promise resolving to a boolean.
The response body can only be read once! If you plan on reading the response body in this function, we recommend you clone the response prior to doing so.
px_compromised_credentials_header
The header name to be set on the incoming request if the credentials are compromised. If this header is added, its value will always be 1. If credentials have not been identified as compromised, the header will not be added to the request.
px_automatic_additional_s2s_activity_enabled
Whether to send the additional_s2s activity, which reports on whether the login was successful, automatically in the postEnforce function. This should only be set to false if it is not possible to determine whether the login was successful based on the HTTP response. However, if that’s the case, then the additional_s2s activity must be sent with px_additional_s2s_activity_header_enabled.
px_additional_s2s_activity_header_enabled
Whether to attach the additional_s2s payload and URL as headers to the original request. This is done so that the additional_s2s activity can be enriched with the proper login_successful value and sent to the provided URL at a later stage. This should only be enabled if the px_automatic_additional_s2s_activity_enabled is set to false.
When set to true, the following headers are added to the origin request:
px-additional-activity: A JSON object containing the payload of theadditional_s2sactivity. Thelogin_successfulandhttp_status_codefields should be set prior to sending the activity.px-additional-activity-url: The URL to which theadditional_s2spayload should be sent as an HTTP POST request.
px_send_raw_username_on_additional_s2s_activity
Whether to report the raw username on the additional_s2s activity.
false: The raw username will never be reported.true: The raw username will only be reported if:- The credentials are compromised, and
- The login request was successful.
CORS support
You can configure the Enforcer to support Cross-Origin Resource Sharing (CORS) requests. CORS is a mechanism that lets the server indicate if a request contains cross-origin resources by adding special HTTP headers to the request. These headers let the browser load these resources. Without them, the browser may block requests to these resources for security reasons instead.
In most cases, CORS employs a two-stage procedure with a preliminary “preflight” request followed by the actual request. The preflight request checks if the actual request will be responded to. To learn more about different request types, see these examples.
You must configure the Enforcer to address both simple requests (without preflight) and more complex ones (with preflight) to support CORS requests.
px_cors_support_enabled
Whether to enable CORS support.
true: Enable CORS supportfalse: Disable CORS support
After setting this configuration to true, the Enforcer:
- Automatically adds the following default CORS response headers to block responses resulting from CORS requests.
- Activates the
px_cors_create_custom_block_response_headersconfiguration, which lets you customize the block response headers via a custom function. - Activates the
px_cors_preflight_request_filter_enabledandpx_cors_custom_preflight_handlerconfigurations, which lets you filter and custom handle preflight requests.
px_cors_create_custom_block_response_headers
If the default CORS response headers are not sufficient, you can use this configuration tocustomize the headers that should be added to all block responses resulting from CORS requests. If this function is defined, the default headers will not be added. Only those headers specified in the returned object will be added to the block response.
The request body can only be read once! If you plan on reading the request body in this function, we recommend you clone the request prior to doing so.
Parameters:
request:Request
Returns: An object of the type Record<string, string[]> or a Promise resolving to this type
px_cors_preflight_request_filter_enabled
Disables enforcement for CORS preflight requests. When set to true, CORS preflight requests will be pass through the Enforcer flow without triggering detection or block responses.
true: Filter out preflight requestsfalse: Don’t filter out preflight requests
px_cors_custom_preflight_handler
A custom function to define desired behavior for handling CORS preflight requests, if needed. The custom function should receive the original HTTP request and return an object representing the HTTP response to be returned. If null or any other falsy value is returned from the function, the Enforcer will continue processing the preflight request.
The px_cors_custom_preflight_handler will be invoked prior to determining whether to filter the request based on the px_cors_preflight_request_filter_enabled configuration. This allows for returning customized responses for preflight requests that meet certain conditions and filtering those that don’t meet these conditions.
Parameters:
request:Request
Returns: An object of the type IMinimalResponse or a Promise resolving to this type
Custom cookie header
px_custom_cookie_header
By default, the Enforcer extracts HUMAN cookies from the Cookie header. However, if these cookies are transferred on a different header, then that header’s name must be provided with this configuration.
Custom first party endpoints
These configurations let you use the Enforcer as a proxy for HUMAN servers and serve content to the browser from a first party endpoint. These are particularly useful when browser or extension restrictions that block JavaScript requests to other domains, such as adblockers, prevent the HUMAN Sensor from making requests to HUMAN’s backend. When this happens, it significantly limits HUMAN’s detection capabilities, so we recommend enabling these configurations to maintain full detection capabilities.
px_first_party_enabled
Whether to enable first party mode for Bot Defender or Sightline Cyberfraud Defense.
px_custom_first_party_prefix
Sets a custom prefix for first party routes to use in addition to the default prefix. By default, first party endpoints always begin with the Application ID without the initial “PX”. For example, if the ID is PX12345678, then all first party routes will take the form /12345678/*.
When configured, the Enforcer will respond to first party requests with endpoints matching the following patterns:
/<px_custom_first_party_prefix>/init.js/<px_custom_first_party_prefix>/xhr/*/<px_custom_first_party_prefix>/captcha/*
If empty, the configuration will use the default as described above.
px_custom_first_party_sensor_endpoint
Customizes the entire first party Sensor script endpoint. By default, for an Application ID PX12345678, the first party endpoint is /12345678/init.js.
In addition to responding to requests that match this configured route, the Enforcer will also proxy first party requests that match the default pattern (/12345678/init.js) and patterns according to the custom prefix (/<px_custom_first_party_prefix>/init.js) if one is configured.
px_custom_first_party_xhr_endpoint
Customizes the first party XHR endpoint. By default, for an Application ID PX12345678, the first party XHR endpoint is /12345678/xhr.
In addition to responding to requests that match this configured route, the Enforcer will also proxy first party requests that match the default pattern (/12345678/xhr/*) and patterns according to the custom prefix (/<px_custom_first_party_prefix>/xhr/*) if one is configured.
px_custom_first_party_captcha_endpoint
Customizes the first party CAPTCHA endpoint. By default, for an Application ID PX12345678, the first party CAPTCHA endpoint is /12345678/captcha.
In addition to responding to requests that match this configured route, the Enforcer will also proxy first party requests that match the default pattern (/12345678/captcha/*) and patterns according to the custom prefix (/<px_custom_first_party_prefix>/captcha/*) if one is configured.
px_first_party_timeout_ms
The maximum time in milliseconds to wait for first party requests.
Custom parameters
These configurations are related to custom parameters.
px_enrich_custom_parameters
Enriches activities sent from the Enforcer to HUMAN with additional custom parameters. This data can include user information, session IDs, or other data that HUMAN should have access to. These custom parameters are defined by a configurable function that must return an object that contains these custom parameters. There is a limit of 10 custom parameters.
The request body can only be read once! If you plan on reading the request body in this function, we recommend you clone the request prior to doing so.
Parameters:
config: HumanSecurityConfigurationrequest:Request
Returns: Promise<CustomParameters>
Enforced routes
These configurations let you define specific routes that should be enforced by HUMAN when the Enforcer is in monitor mode. These routes will always be subject to the full Enforcer workflow, including blocking requests if necessary.
px_enforced_routes
An array of routes or prefixes that should be enforced by HUMAN even when the Enforcer is in monitor mode.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_custom_is_enforced_request
This configuration is meant for cases that require more complex logic. We recommended you use px_enforced_routes for most cases.
A custom function that lets you define which requests should be enforced based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be enforced.
Parameters:
request:Request
Returns: A boolean or a Promise resolving to a boolean.
Filters
These configurations let you filter out certain requests or assets from the Enforcer. These values will be ignored by the Enforcer and will never be blocked.
px_filter_by_extension
Filters out requests with the specified file extension. By default, HUMAN doesn’t enforce static assets such as images and documents to minimize unncessary API calls and computation, but you can configure this list at any time.
Filtering by extension only applies to GET and HEAD HTTP methods.
px_filter_by_http_method
Filters out requests with the specified HTTP method to avoid unnecessary traffic in the Enforcer verification flow.
px_filter_by_ip
Filters out requests with the specified IP address to avoid unnecessary traffic in the Enforcer verification flow.
px_filter_by_route
Filters out requests with the specified route to avoid unnecessary traffic in the Enforcer verification flow. Requests to these specified routes will never be blocked regardless of their risk score and will never generate risk or async activities.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_filter_by_user_agent
Filters out requests with the specified user agent to avoid unnecessary traffic in the Enforcer verification flow.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_custom_is_filtered_request
This configuration is meant for cases that require more complex logic. We recommended you use the default filters listed below for most cases.
A custom function that lets you define which requests should be filtered based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be filtered.
Parameters:
request:Request Returns: A boolean or a Promise resolving to a boolean.
GraphQL support
These configurations lets the Enforcer extract GraphQL data from requests so that it can enforce these requests in the same way as other types of traffic.
px_graphql_enabled
Whether to parse and report information about GraphQL operations on incoming requests. When true, all POST requests with routes that match the prefixes configured in px_graphql_routes will have their bodies parsed for GraphQL operations.
true: Enable GraphQL supportfalse: Disable GraphQL support
px_graphql_routes
A list of prefixes for all routes that should be considered GraphQL routes.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_sensitive_graphql_operation_names
A list of operation names or keywords that should be considered sensitive. If one or more GraphQL operations has a name or keyword matching this list, the Enforcer will trigger a Risk API call even if the request contains a valid, unexpired cookie. Matches against extracted GraphQL words from:
px_graphql_keywordsconfigurationpx_extract_graphql_keywordsconfiguration
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^RegexFormattedString$/i").
px_sensitive_graphql_operation_types
A list of operation types that should be considered sensitive. If one or more GraphQL operations on an HTTP request has a type matching this list, the Enforcer will trigger a Risk API call even if the request contains a valid, unexpired cookie.
px_graphql_keywords
A list of keywords to identify important terms from GraphQL operation queries. These keywords are used to determine the purpose of the operation (such as login, checkout, or search) and can also be used to specify which operations should be considered sensitive. Any matching patterns will be extracted and reported to HUMAN. See px_sensitive_graphql_operation_names for more information. See px_extract_graphql_keywords for an alternative using a custom function.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^RegexFormattedString$/i").
px_extract_graphql_keywords
A custom function that identifies key terms from GraphQL operation queries. An alternative to the px_graphql_keywords configuration.
This function accepts the GraphQL query string and must return an array of strings representing all keywords found in the query. These keywords are used to determine the purpose of the operation (such as login, checkout, search) and can also be used to specify which GraphQL operations should be considered sensitive. See px_sensitive_graphql_operation_names for more information.
If this function is defined and returns an array (even an empty array), then the returned array will be used as the GraphQL keywords. If this function is defined and returns null, then the query will continue to be evaluated using px_graphql_keywords.
Parameters:
graphqlQuery:string
Returns string[] or a Promise resolving to string[].
Header data enrichment
These configurations let you add headers to incoming requests with additional data.
px_data_enrichment_header_name
Adds a header to the incoming request with the configured header name and the JSON-stringified data enrichment object as the value. If empty or if data enrichment has not been enabled for your policy, no header will be set. To view available data and enable this feature, see Data classification enrichment.
px_score_header_name
Adds a header to the incoming request with the configured header name and the score (0-100) as the value. If empty, no header will be set.
px_client_uuid_header_name
Adds a header to the incoming request with the configured header name and the client UUID as the value. If empty, no header will be set.
HUMAN Challenge customization
These configurations let you customize the HUMAN Challenge block page.
px_css_ref
A way to include a custom CSS file to the block page.
px_js_ref
A way to include custom JavaScript to the block page. This script will run after the default JavaScript scripts.
px_custom_logo
Adds a custom logo to the HUMAN Challenge block page via URL.
Monitored routes
These configurations let you specify routes that should be monitored by the Enforcer, which means their requests will never be blocked, even when the Enforcer is in active_blocking mode. This means that these routes will go through the full Enforcer workflow and generate risk and async activities, but all block activities will only be simulated blocks on these routes.
px_monitored_routes
A list of endpoints to be monitored rather than blocked by the Enforcer, even when the Enforcer is in active_blocking mode.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_custom_is_monitored_request
This configuration is meant for cases that require more complex logic. We recommended you use px_monitored_routes for most cases.
A custom function that lets you define which endpoints should be monitored based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be monitored.
Parameters:
request:Request
Returns: A boolean or a Promise resolving to a boolean.
PXHD cookie
px_secured_pxhd_enabled
The PX Hashed Data (PXHD) cookie links the first risk request with the browser activities as detected by the Sensor for better user tracking. It can also add more information that’s shared between the HUMAN Collector, Enforcer, and Sensor. This configuration determines whether the Secure cookie attribute is added when setting the PXHD cookie.
See Use of cookies & web storage for more information.
Remote Configuration
Remote Configuration lets you update your Enforcer’s configuration from the HUMAN portal rather than interacting with the Enforcer package directly.
Remote Configuration requires access to Cloudflare KV. Follow the instructions in Install the Cloudflare Enforcer to set up Remote Configuration.
px_logger_auth_token
An alternative to the basic logger configuration. This sends Enforcer logs to HUMAN’s logging service if a specific header is present on the request. This is particularly useful for expedited debugging, diagnosis, and resolution of any integration or Enforcer-related issues.
Contact HUMAN to recieve your token.
px_remote_config_auth_token
The token used to authenticate the Enforcer with the HUMAN Remote Configuration service.
Contact HUMAN to receive your token.
px_remote_config_id
px_remote_config_kv_key_name
When using the PXKV namespace for Remote Configuration, this static configuration determines the KV key name whose value will contain the Enforcer configuration.
px_remote_config_max_fetch_attempts
The maximum number of time to attempt to fetch the Remote Configuration. If the Enforcer fails to fetch the Remote Configuration after the specified maximum, it will use the last known configuration.
px_remote_config_retry_interval_ms
The interval time in milliseconds to wait between attempts to fetch the Remote Configuration.
Response custom parameters
These configurations enrich async activities with values derived from the origin response.
px_enrich_response_custom_parameters
A function that receives the configuration and the Response from the origin and returns up to ten fields: custom_param11 through custom_param20. These are merged into page_requested, additional_s2s, and simulated block activities. There is a limit of ten response custom parameters.
The response body can only be read once! If you plan on reading the response body in this function, we recommend you clone the response prior to doing so.
Parameters:
config: HumanSecurityConfigurationresponse:Response
Returns: An object with custom_param11–custom_param20 keys, or a Promise resolving to that object.
Sensitive headers removal
px_sensitive_headers
Specifies certain headers that should not be forwarded to any other destination, including the HUMAN Detector. While HUMAN’s detection system will continue to use these headers to determine whether to block or not, the specified headers won’t be forwarded from the Enforcer, won’t appear in Enforcer activities, and won’t be sent to any other IP if the Enforcer acts as a proxy.
Sensitive routes
These configurations let you specify certain routes that need particularly stringent protection from attacks, such as endpoints that execute payments or handle personal information. Sensitive routes will always trigger a Risk API call even if the request contains a valid, unexpired, low-score cookie.
Requests with high-score cookies won’t send a Risk API call.
px_sensitive_routes
A list of prefixes for all routes that should be considered sensitive.
Supports strings or regular expressions, including regex-formatted strings (i.e. "/^/regex/formatted/string/i").
px_custom_is_sensitive_request
This configuration is meant for cases that require more complex logic. We recommended you use px_sensitive_routes for most cases.
A custom function that lets you define which requests should be considered sensitive based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be considered sensitive.
Parameters:
request:Request
Returns: A boolean or a Promise resolving to a boolean.
URL-decode reserved characters
px_url_decode_reserved_characters
When true, the Enforcer will decode reserved characters such as %3F and %2F in the request URL path prior to processing. In other words, the Enforcer will treat the URIs /login%3F.ico and /login?.ico as equivalent. By default, the Enforcer doesn’t decode reserved characters and treats these URIs separately.
true: Decode reserved characters in the request URL.false: Do not decode reserved characters in the request URL.
Users identifiers
These configurations are related to Accounts and Account Takeover or Fake Account features in Sightline Cyberfraud Defense.
px_jwt_cookie_name
The name of the cookie that contains the JWT token that HUMAN should extract user identifiers from.
px_jwt_cookie_user_id_field_name
The field name in the JWT object, extracted from the JWT cookie, that contains the user ID to be extracted and reported.
px_jwt_cookie_additional_field_names
The field names in the JWT object, extracted from the JWT cookie, that should be extracted and reported in addition to the user ID.
px_jwt_header_name
The name of the header that contains the JWT token that HUMAN should extract user identifiers from.
px_jwt_header_user_id_field_name
The field name in the JWT object, extracted from the JWT header, that contains the user ID to be extracted and reported.
px_jwt_header_additional_field_names
The field names in the JWT object, extracted from the JWT header, that should be extracted and reported in addition to the user ID.
Snippet injection
These configurations let you dynamically inject the Sensor script into the head element of any HTTP response with a Content-Type header containing text/html. This acts as an alternative to inserting the snippet into your application.
Snippet injection does not apply to block responses generated by the Enforcer. These responses already contain code that retrieves the HUMAN Sensor without requiring a snippet.
px_snippet_injection_enabled
If true, the Enforcer will inject the default Sensor snippet, shown below, into the head element of HTML responses. Any HTTP response with a Content-Type containing text/htmlis considered an HTML response.
Snippet injection does not apply to block responses generated by the Enforcer. These responses already contain code that retrieves the HUMAN JavaScript Sensor without requiring a snippet to be injected.
See px_create_custom_snippet to inject customized JavaScript snippets.
true: Snippet injection enabled.false: Snippet injection disabled.
px_create_custom_snippet
A custom function that lets you create or retrieve a customized snippet to be injected into HTML responses. If an empty or non-string value is returned from the custom function, then the default snippet will be injected instead.
Parameters:
Returns: A string or a Promise resolving to a string.
The response is provided as a parameter, but it should not be modified!
