Configuration
PX\_CONFIGS and PX\_CUSTOM
Enabling and configuring Enforcer features may require changes to the PX_CONFIGS VCL file, the PX_CUSTOM VCL file, or both. Each code sample below includes the name of the relevant VCL file where the changes should be made. See the instructions for each configuration below for more details.
Required Configurations
px_app_id
The application ID. Required to initialize the Enforcer.
px_auth_token
The token used for authorization with the Human Security backend. Required to initialize the Enforcer.
px_cookie_secret
The secret used to decrypt the risk cookie. Required to initialize the Enforcer.
Cookie secret rotation:
In case you would like to generate and use a new cookie secret, the enforcer will have to support both, old and new cookie secrets to avoid multiple ‘cookie decryption failed’ errors.
In your px_configs table, adjust the px_cookie_secret value to be the new generated cookie secret, and add an additional field name px_cookie_secret_old the holds the previous cookie secret value.
px_fastly_api_token
px_private private dictionary, and NOT the px_configs table in the PX_CONFIGS VCL file. px_remote_config_rdata dictionary. The Fastly API key with permissions to make changes to the Fastly service. (The scope must be global, but it only needs permissions for the specific Fastly service.) You can create an API token via the Fastly Console, CLI, or API.
px_remote_config_id
The ID of the Remote Config associated with your Fastly Service.
Default: ""
px_remote_config_auth_token
A secret token to use in the authentication of incoming Remote Config update requests.
Default: ""
px_enforcer_config_rdata_id
The dictionary ID associated with the px_enforcer_config_rdata dictionary. You can determine the dictionary ID via CLI or API.
Default: ""
Generic Enforcer Configurations
px_module_enabled
This boolean serves as an on/off switch for the entire module, providing a way to enable and disable all Enforcer capabilities quickly and easily.
Default: "true"
px_module_mode
This feature controls the behavior of the enforcer by changing how it executes certain parts of the workflow. Most notably, different modes allow for analysis and fine-tuning of the enforcer behavior without serving block pages that affect end users.
Possible values:
-
"monitor"- the enforcer will perform all functions without returning block responses -
"active_blocking"- the enforcer will return block responses when needed
Default: "monitor"
px_s2s_timeout
Adding this value in the px_configs table will not have any effect. Instead, this value can be set in the PX_CONFIGS VCL file under the PX_API backend definition. The connect_timeout, first_byte_timeout, and between_bytes_timeout can all be set to this same value.
The maximum time in milliseconds to wait for the risk API request. If this timeout is reached, the original request will be allowed to pass (fail open).
Default: 1000ms
px_custom_client_ip_extraction
By default, the value from the Fastly-Client-IP header is reported as the IP. However, if this value is inaccurate, the enforcer can extract the IP from the request using the logic defined in this subroutine. Returning an empty string from the subroutine means the enforcer will use the default Fastly-Client-IP header.
Default: Returns ""
Example:
px_custom_cookie_header
px_custom_cookie_header_enabled configuration and px_custom_cookie_header subroutine. Both have since been deprecated. The Enforcer attempts to extract the HUMAN cookies from the Cookie header. If the HUMAN cookies are transferred on a header other than Cookie, the header name should be configured here.
Default: "x-px-cookies"
px_secured_pxhd_enabled
Whether the PXHD cookie set on the HTTP response should include the Secure attribute.
Default: "false"
px_block_size_exceeded_15k_headers_size
Due to Fastly size limitations, large requests may sometimes result in 413 HTTP errors. If this error is received during a Risk API request, the default Enforcer behavior is to allow the request to pass to the origin. However, if this configuration is enabled, Risk API requests resulting in a 413 response will be blocked instead.
Default: "false"
px_add_block_result_header
Whether to include the px-ctx:block-result header with value "0" or "1" to origin requests. A header value of "0" means that HUMAN determined the request should pass, while "1" means HUMAN determined the request should be blocked.
This configuration is typically used while in monitor mode for testing and validation.
Default: "false"
px_additional_activity_handler
px_additional_activity_handler_enabled
Whether to invoke the px_custom_additional_activity_handler subroutine.
Default: "false"
px_custom_additional_activity_handler
A subroutine where custom logic can be performed after sending the page_requested or block activity at the end of the request flow. HUMAN metadata about the request can be found on the req.http.px-ctx header. This subroutine is called in vcl_deliver.
Default: Empty
Example:
px_pre_clean
The HUMAN Enforcer stores configurations and metadata on the client request HTTP headers to maintain access to them throughout the Fastly request lifecycle. During invocations of vcl_pass and vcl_miss that happen after the HUMAN enforcement flow, the px_miss and px_pass subroutines invoke logic to clean these HUMAN metadata headers from the backend request to your origin. If desired, you can configure a custom subroutine to run immediately before these HUMAN metadata headers are removed.
px_enable_pre_clean
Whether to invoke the px_custom_pre_clean subroutine.
Default: "false"
px_custom_pre_clean
This custom subroutine runs immediately before the HUMAN metadata headers are removed from the backend request. This subroutine is called in vcl_miss and vcl_pass.
Default: Empty
Example:
px_set_custom_risk_backend_overwrite
A custom subroutine that is called during the Risk API flow to change the backend used for the Risk API request. (This is most often done to adjust the backend timeouts in different regions.) Any HUMAN backends other than PX_API must be defined. If left empty, the default PX_API backend is used. The subroutine is called during vcl_pass only when a Risk API request is necessary.
Default: Empty
Example:
px_custom_add_custom_parameters
This subroutine defines custom parameters that are sent to HUMAN on the Risk API and asynchronous activities. The custom parameters must be set in the HUMAN Portal before implementing this subroutine.
Custom parameters can be added by setting a client request header with the name px-custom-param:<NUMBER>, where <NUMBER> corresponds to the custom parameter number between 1-10.
Default: Empty
Example:
px_custom_activity_headers
Fastly VCL limitations prevent the HUMAN Enforcer from reporting all request headers on the async activities. If there are additional headers that should be reported, they can be added to the async activities by implementing this custom subroutine.
The subroutine should return a string representing all headers that should be added to the async activities. Every header should be added in the following form, replacing <header_name> with the desired header. Note: The leading comma is very important!
",{%22name%22: %22<header name>%22, %22value%22: " if(req.http.<header name>, "%22" json.escape(req.http.<header name>) "%22", "null") "}"
Default: Returns ""
Example:
px_override_configs
px_configs table rather than adjust them during runtime. A custom subroutine that allows for adjusting the HUMAN configuration based on runtime values. See the PX VCL file for the list of req.http.px-cfg configuration header values that can be modified.
Default: Empty
Example:
First Party Configurations
px_first_party_enabled
To prevent suspicious or unwanted behavior on the client side, some browsers or extensions (e.g., adblockers) may deny the frontend JavaScript code from making requests to other domains. This prevents the Human Security sensor from making requests to the Human Security backends, which greatly limits Human Security’s detection capabilities. To avoid this problem, first party enables the enforcer to be used as a proxy for Human Security servers, and to serve content to the browser from a first party endpoint (i.e., an endpoint on the customer’s domain).
Default: "true"
px_custom_first_party_prefix
To enable first party mode, you will first need to follow the installation steps here, below the Installing the HumanFirstParty Lambda section.
By default, first party endpoints always begin with the application ID without the initial “PX”. For example, if the application ID is PX12345678, then all first party routes will take the form /12345678/*. This configuration sets a custom prefix for first party routes to use in addition to the default prefix. When configured, the enforcer will respond to first party requests with endpoints matching the patterns /<px_custom_first_party_prefix>/init.js, /<px_custom_first_party_prefix>/xhr/*, and /<px_custom_first_party_prefix>/captcha/*.
Default: ""
px_custom_first_party_sensor_endpoint
For an application with ID PX12345678, the first party sensor endpoint is /12345678/init.js by default. This configuration customizes the entire first party sensor script endpoint. Note that in addition to responding to requests that match this configured route, the enforcer will also proxy first party requests that match the default pattern (/12345678/init.js).
Default: ""
px_custom_first_party_xhr_endpoint
To enable first party mode, you will first need to follow the installation steps here, below the Installing the HumanFirstParty Lambda section.
For an application with ID PX12345678, the first party XHR endpoint is /12345678/xhr by default. This configuration customizes the first party XHR endpoint. Note that in addition to responding to requests that match this configured route, the enforcer will also proxy first party requests that match the default pattern (/12345678/xhr/\*) and patterns according to the custom prefix (/<pxcustomfirstpartyprefix>/xhr/\*) if one is configured.
Default: ""
px_custom_first_party_captcha_endpoint
To enable first party mode, you will first need to follow the installation steps here, below the Installing the HumanFirstParty Lambda section.
For an application with ID PX12345678, the first party captcha endpoint is /12345678/captcha by default. This configuration customizes the first party captcha endpoint. Note that in addition to responding to requests that match this configured route, the enforcer will also proxy first party requests that match the default pattern (/12345678/captcha/*) and patterns according to the custom prefix (/<px_custom_first_party_prefix>/captcha/*) if one is configured.
Default: ""
px_custom_first_party_response_modifier
A custom subroutine for modifications to first party responses. This subroutine is called in vcl_deliver, so changes to the response should be made with the client response object.
Default: Empty
Example:
Logging Configurations
px_async_activities_logger
The name of the logging endpoint used to send asynchronous activities.
Default: "PX-Async-Activities"
px_telemetry_activity_logger
The name of the logging endpoint used to send telemetry activities.
Default: "PX-Telemetry"
px_logger_severity
The verbosity of the logs generated by the enforcer.
Possible values:
-
"none"- No logs will be generated -
"error"- Sparse logs will be sent to the logging endpoint name set by thepx_error_syslog_nameconfiguration only when errors occur -
"debug"- Detailed logs will be sent to the logging endpoint name set by thepx_debug_syslog_nameconfiguration (not advisable for production environments)
Default: "error"
px_debug_syslog_name
The name of the logging endpoint to which debug logs will be sent.
Default: "PX-Debug"
px_error_syslog_name
The name of the logging endpoint to which error logs will be sent.
Default: "PX-Error"
px_debug_probability
Sometimes, logging every request to the service is impractical, and a random sample of logs is preferable. This configuration can be used to specify the likelihood of a log being generated for an incoming request. One out of every X requests will result in logs, where X is the number configured here. That is, setting this value to "2" means 1 out of every 2 requests, or a 50% chance; setting "100" means 1 out of every 100 requests, or a 1% chance.
Default: "1"
Filtering Configurations
px_custom_filter_by_extension
Human Security does not enforce static assets such as images and documents. To prevent unnecessary API calls to Human Security servers and needless computation, the enforcer filters all requests with a valid static file extension.
A custom subroutine that returns a boolean value. A return value of true means the request should be filtered from the enforcement flow due to the file extension in its URL. A return value of false means the request should proceed with the usual enforcement flow.
Default:
px_custom_filter_by_http_method
Filters out requests according to their HTTP method, avoiding unnecessary traffic in the enforcer verification flow and reducing operating costs.
A custom subroutine that returns a boolean value. A return value of true means the request should be filtered from the enforcement flow due to its HTTP method. A return value of false means the request should proceed with the usual enforcement flow.
Default: Returns false.
Example:
px_custom_filter_by_ip
Filters out requests according to their IP address, avoiding unnecessary traffic in the enforcer verification flow and reducing operation costs.
A custom subroutine that returns a boolean value. A return value of true means the request should be filtered from the enforcement flow due to its IP. A return value of false means the request should proceed with the usual enforcement flow.
Using Fastly ACLs
The easiest way to implement this subroutine is to declare and use a Fastly Access Control List (ACL) as shown in the example below. For more information, see here.
Default: Returns false.
Example:
px_custom_filter_by_route
A custom subroutine that returns a boolean value. A return value of true means the request should be filtered from the enforcement flow due to its route. A return value of false means the request should proceed with the usual enforcement flow.
Default: Returns false.
Example:
px_custom_filter_by_user_agent
A custom subroutine that returns a boolean value. A return value of true means the request should be filtered from the enforcement flow due to its user agent. A return value of false means the request should proceed with the usual enforcement flow.
Default: Returns false.
Example:
px_filter_on_cache_hit_enabled
Filters out requests if the requested resource results in a cache HIT at the edge POP. If shielding is enabled, a request that results in a cache MISS at the edge POP will undergo enforcement even if it results in a cache HIT at the shield POP. For more information about Fastly Shielding, see here.
Default: "false"
Special Routes Configurations
px_custom_enforced_routes
Customers may want certain, but not all, endpoints to be enforced by HUMAN, even when the Enforcer is in monitor mode. This custom subroutine returns a boolean value indicating whether the request is an enforced route.
A return value of true means the request should go through the full enforcer workflow, including blocking when necessary. That is, even when the enforcer is in monitor mode, these requests will behave as if in active blocking mode. A return value of false means the request should proceed with the usual flow based on the module mode.
Default: Returns false.
Example:
px_custom_monitored_routes
Enables certain endpoints to be monitored rather than enforced by HUMAN, even when the enforcer is in active blocking mode.
A return value of true means the request should go through the enforcement flow in monitor mode. That is, even when the enforcer is in active_blocking mode, these requests will behave as if in monitor mode. A return value of false means the request should proceed with the usual flow based on the module mode.
Default: Returns false.
Example:
px_bypass_monitor_header
When enabling the enforcer for the first time, it is recommended to do so in monitor mode to collect data before actually starting to block user requests. Prior to switching the module mode to active_blocking entirely, it’s also crucial to verify that the full blocking flow works as expected. This feature activates the full blocking flow even while in monitor mode if a particular header is present on the request.
Default: "x-px-block"
px_custom_check_sensitive_route
Certain endpoints may require more stringent protection from bot attacks (e.g., endpoints that execute payments or handle personal information). In these cases, this subroutine can be implemented. If the subroutine returns true, a Risk API call will be made even if the request contains a valid, unexpired cookie. If the subroutine returns false, the enforcer will use the value found in the valid, unexpired cookie.
Default: Returns false.
Example:
px_sensitive_headers
The HUMAN detector requires information about the HTTP request as part of its bot detections. Certain headers may contain information that should not be forwarded to other servers, including the HUMAN backend. Setting these configurations will remove the headers from requests sent to HUMAN.
The Cookie header is always removed from backend requests to HUMAN whether this feature is enabled or not.
px_sensitive_headers_enabled
Whether to invoke the px_custom_unset_sensitive_headers function to unset sensitive headers prior to requests to the HUMAN backend.
Default: "false"
px_custom_unset_sensitive_headers
A custom subroutine that is invoked prior to requests to the HUMAN backend to remove sensitive headers. This subroutine is called in vcl_pass, so headers should be unset from the bereq object.
Default: Empty
Example:
Custom Blocking Configurations
px_css_ref
Provides a way to include an additional custom .css file to add to the captcha page.
Default: ""
px_js_ref
Provides a way to include a custom JS script to add to the captcha page. This script will run after the default JS scripts.
Default: ""
px_custom_logo
Adds a custom logo to the captcha page that will be shown to users. This aligns the captcha page with the customer’s brand.
Default: ""
px_custom_block_page_content
A custom subroutine that returns a string representing the HTML response body to be returned on the block response. Returning an empty string will result in the default HTML block page.
Default: Returns ""
Example:
px_custom_create_synthetic_web_response
A subroutine that allows for customization of the HTML browser captcha response. This is applicable to the HTML captcha response only! This subroutine is called in vcl_error, so changes to the response should be made with the cache object type and the synthetic statement.
Default: Empty
Example:
px_custom_rate_limit_block_page
A subroutine that allows for customizing the rate limit block response. This will be invoked only if HUMAN has decided to return a 429 Too Many Requests response. This subroutine is called in vcl_error, so changes to the response should be made with the cache object type and the synthetic statement.
Default: Empty
Example:
px_advanced_blocking_response_enabled
In specific cases (e.g., XHR post requests), a full captcha page render might not be an option. In such cases the advanced blocking response returns a JSON object containing all the information needed to render a customized captcha challenge implementation - be it a popup modal, a section on the page, etc. This allows for flexibility and customizability in terms of how the captcha pages are displayed.
Default: "true"
px_custom_create_advanced_blocking_response
A subroutine that allows for customization of the JSON captcha response. This is applicable to the JSON captcha response only! This subroutine is called in vcl_error, so changes to the response should be made with the cache object type and the synthetic statement.
Default: Empty
Example:
px_custom_web_block_page_response
A subroutine that allows for customization of the HTML browser captcha response. This is applicable to the HTML captcha response only! This subroutine is called in vcl_error, so changes to the response should be made with the cache object type and the synthetic statement.
Default: Empty
Example:
CORS Configurations
CORS (Cross-Origin Resource Sharing) is a mechanism that enables the server to indicate when a request contains cross-origin resources. It does so by adding special HTTP headers to the request, which permits the browser to load these resources. Without these headers, the browser may block requests to these resources for security reasons.
In most cases, CORS employs a two-stage procedure with a preliminary “preflight” request followed by the actual request. The preflight request checks if the actual request will be responded to. To learn more about different request types, see these examples.
In the HUMAN Enforcer, CORS behavior must be configured to address both simple requests (without preflight) and more complex ones (with preflight).
px_cors_support_enabled
Enabling CORS support via this configuration will have the following effects:
- It will automatically add the following default CORS response headers to block responses resulting from CORS requests.
-
It will permit enabling the
px_cors_create_custom_block_response_headersconfiguration, which will allow for customizing the block response headers via a custom function. -
It will permit enabling the
px_cors_preflight_request_filter_enabledandpx_cors_custom_preflight_handlerconfigurations, which allow for filtering and custom handling of preflight requests.
Default: "false"
px_cors_preflight_request_filter_enabled
If both the px_cors_preflight_request_filter_enabled and px_cors_preflight_handler_enabled are set to true, the custom preflight handler will take priority and invoke the px_custom_cors_preflight_handler from the VCL error stage.
This configuration disables enforcement for CORS preflight requests. When this configuration is set to true, CORS preflight requests will be filtered from the enforcer flow. That is, they will pass through the enforcer flow without triggering detection or block responses.
Default: "false"
px_cors_preflight_handler
If a more customized approach is needed for handling CORS preflight requests, these configurations can be set to define the desired behavior.
px_cors_preflight_handler_enabled
If both the px_cors_preflight_request_filter_enabled and px_cors_preflight_handler_enabled are set to true, the custom preflight handler will take priority and invoke the px_custom_cors_preflight_handler from the VCL error stage.
Whether to invoke the px_custom_cors_preflight_handler subroutine. This is done by triggering a specific error with an error statement.
Default: "false"
px_custom_cors_preflight_handler
A custom subroutine for defining the desired CORS preflight response. This subroutine is called in vcl_error, so changes to the response should be made with the cache object type and the synthetic statement.
Default: Empty
Example:
px_cors_create_custom_block_response_headers
If the default CORS response headers are not sufficient, these configurations can be used to completely customize the headers that should be added to all block responses resulting from CORS requests. If this function is defined, the default headers will not be added; instead, the custom subroutine will be invoked.
px_cors_create_custom_block_response_headers_enabled
Whether to invoke the px_custom_cors_set_custom_block_response_headers subroutine. If set to "true", the px_custom_cors_set_custom_block_response_headers subroutine will be invoked on block responses to CORS requests. If set to "false", then the default CORS response headers (Access-Control-Allow-Origin: req.http.Origin and Access-Control-Allow-Credentials: true) will be added to block responses.
Default: "false"
px_custom_cors_set_custom_block_response_headers
A custom subroutine for adding any desired headers to block responses to CORS requests. This subroutine is called in vcl_error, so changes to the response should be made with the cache object type.
Default: Empty
Example:
GraphQL Configurations
px_graphql_enabled
Whether the enforcer should attempt to parse and report information about GraphQL operations on incoming requests.
Default: "true"
px_custom_is_graphql_route
A custom subroutine that returns a boolean indicating whether the request should be parsed as a GraphQL request. If px_graphql_enabled is "true" and this subroutine returns true, the enforcer will attempt to parse the request body for GraphQL data. If this subroutine returns false, the enforcer will not attempt to extract GraphQL data.
Default:
px_sensitive_graphql_operation_types
A space-separated list of operation types (query, mutation, or subscription) that should be considered sensitive. If one or more GraphQL operations on an HTTP request is found to have a type matching the list configured here, it will trigger a Risk API call even if the request contains a valid, unexpired cookie.
Default: ""
px_sensitive_graphql_operation_names
A space-separated list of operation names that should be considered sensitive. If one or more GraphQL operations on an HTTP request is found to have a name matching the list configured here, it will trigger a Risk API call even if the request contains a valid, unexpired cookie.
Default: ""
px_custom_check_sensitive_graphql_operation
This configuration should be used in cases that require more complex logic than allowed by the px_sensitive_graphql_operation_types and px_sensitive_graphql_operation_names configurations.
A custom subroutine that returns a boolean indicating whether the request should be treated as sensitive given the GraphQL data that was extracted by the enforcer.
Extracted data:
-
req.http.px-graphql:operation-type- The GraphQL operation type (query,mutation,subscription) on the request -
req.http.px-graphql:operation-name- The GraphQL operation name on the request
Default: Returns false
Example:
px_custom_extract_graphql_keywords
In order to extract GraphQL keywords, implement the px_custom_extract_graphql_keywords custom subroutine in PX_CUSTOM.vcl
The returned value should be a STRING containing the extracted keywords separated by commas (with no spaces in between)
Example:
Default: return ""
Account Defender Configurations
px_jwt_cookie_name
The name of the cookie that contains the JWT token from which user identifiers should be extracted.
Default: ""
px_jwt_cookie_user_id_field_name
The field name in the JWT object, extracted from the JWT cookie, that contains the user ID to be extracted and reported.
Default: ""
px_jwt_header_name
The name of the header that contains the JWT token from which user identifiers should be extracted.
Default: ""
px_jwt_header_user_id_field_name
The field name in the JWT object, extracted from the JWT header, that contains the user ID to be extracted and reported.
Default: ""
px_custom_extract_jwt_additional_fields
A custom subroutine that extracts any additional desired field names and values in the JWT object. The subroutine should set the client request header px-jwt:additional-fields to a valid JSON string in the format of {"<field_name_1>": "<field_value_1>", "field_name_2": "field_value_2"}. The values can be extracted from the decoded JWT token available on the header req.http.px-jwt:token-decoded.
Default: Empty
Example:
Credential Intelligence Configurations
The Credential Intelligence product allows customers to safeguard their users’ login information by leveraging HUMAN’s database of compromised credentials.
The enforcer plays a major role in the Credential Intelligence process as it is in charge of extracting and sending to Credential Intelligence an anonymized, hashed, and salted version of the credentials in real-time and provides a real-time response whether the credentials are compromised or not. (This requires enablement of the Data Enrichment feature.)
px_login_credentials_extraction_enabled
This enables the extraction and reporting of credentials from the Enforcer. This must be set to "true" to enable the Credential Intelligence product.
Default: false
px_login_credentials_extraction
A table detailing the settings for each credential endpoint. Each element in the array is an object representing a distinct endpoint to which credentials are sent, and includes information about how to identify these credential-bearing requests and how to extract the credentials from the request.
For each endpoint, define a credential entpoint suffix (e.g., _0, _1) and add this suffix to the keys corresponding to that endpoint (e.g., path_0, method_0, path_1, method_1). For more information, see the px_custom_is_login_request subroutine.
This table exists in the PX_CUSTOM VCL file. This table can be filled in or it may be removed in favor of a Fastly dictionary with the same name.
Default: Empty
Each credential endpoint configuration object contains the following fields:
path
Required. The path of the request that contains the credentials. (If you need to use a regular expression instead of an exact path, you can do so in the px_custom_is_login_request subroutine.)
method
Required. The HTTP method of the request that contains the credentials. Supported methods are "post" and "put".
sent_through
Required. Whether the credentials should be extracted from the request body or by invoking the custom subroutine.
Possible values:
"body"- The credentials will be extracted according to the configureduser_fieldandpass_fieldvalues from the request body. Please notice that body limit is 8K (see Fastly docs)."custom"- The credentials will be extracted by invoking thepx_custom_login_extraction_callbacksubroutine. This may be used for multiple credential endpoints, and all credential endpoints with this value will invoke the same subroutine.
The Enforcer parses the request body based on the Content-Type request header. Supported Content-Type values are:
-
application/json -
application/x-www-form-urlencoded
To support other content types, set the sent_through key to custom and define a px_custom_login_extraction_callback to extract the credentials from the request as desired.
user_field
Required only if sent_through is set to "body".
The name of the field, header name, or query parameter where the username can be found.
pass_field
Required only if sent_through is set to "body".
The name of the field, header name, or query parameter where the password can be found.
Nested Objects in a JSON Body
The user_field and pass_field configurations support Content-Type: application/json bodies with nested objects. The configurations need only include the specific key names associated with the desired values. Any higher-level keys can be ignored.
For example, the table can include a user_field with the value "username" and a pass_field with the value "password" to support extracting the credentials from the following JSON body. There is no need to include the higher-level fields (i.e., "user_info" or "authentication") in the configurations.
protocol
Optional. Whether to process credentials as part of single or multiple HTTP requests. By default, the module tries to process requests depending on which credential fields were extracted.
Possible values:
"v2"- Both username and password are present on the same HTTP request and must be extracted successfully to trigger Credential Intelligence."multistep_sso"- The username and password are delivered on different HTTP requests. Either the username or password, but not both, must be extracted successfully to trigger Credential Intelligence."both"- The username and password may be present on the same HTTP request or on different HTTP requests. If either username or password is successfully extracted, the Enforcer will send the credentials according to themultistep_ssoprotocol. If both username and password are successfully extracted, the Enforcer will send the credentials according to thev2protocol.
Default: "both"
px_custom_is_login_request
A custom subroutine that returns the correct credential endpoint suffix according to the the request URL. That is, this subroutine should return the credential endpoint suffix (e.g., _0, _1) that corresponds with the request’s path.
You may use the path values in the px_login_credentials_extraction table if an exact match is needed, or you may use a regular expression as desired.
Default:
px_custom_login_extraction_callback
A custom subroutine to extract the raw username and password from the request. All login extraction endpoints will use this same subroutine if their sent_through value is set to "custom". Use the req.http.px-creds:endpoint-index header, which has the value of the credential endpoint suffix (e.g., _0, _1), to differentiate between the endpoints.
Set the req.http.px-creds:raw-username header value to the raw username and the req.http.px-creds:raw-password header value to the raw password extracted from the request.
Default: Empty
Example:
px_credentials_intelligence_version
Deprecated
This configuration is deprecated. Set the Credential Intelligence protocol on a per-endpoint basis by adding the protocol field in the px_login_credentials_extraction table.
px_login_successful_reporting_method
The method by which the Enforcer will determine whether the login request was successful.
Possible values:
"status"- The Enforcer will determine if the login request was successful by evaluating the response status code against thepx_login_successful_statusconfiguration. (Supports only one status code. For multiple status codes, use the"custom"setting.)"header"- The Enforcer will determine if the login request was successful by evaluating whether thex-px-login-successfulheader is set to"1"."custom"- The Enforcer will determine if the login request was successful by invoking thepx_custom_set_login_successful_response_headersubroutine.
This setting will apply to all configured Credential Intelligence endpoints. If you need to differentiate between endpoints, set this value to "custom" and use the px_custom_set_login_successful_response_header to implement your desired logic on a per-endpoint basis.
Default: "status"
px_login_successful_status
An HTTP status signifying a successful login. All other status codes will be treated as unsuccessful login attempts. This configuration takes effect only when the px_login_successful_reporting_method is set to "status".
This configuration supports defining only one status code. For multiple status codes, set px_login_successful_reporting_method to "custom" and implement your desired logic in the px_custom_set_login_successful_response_header subroutine instead.
Default: "200"
px_custom_set_login_successful_response_header
A custom subroutine to indicate if the login attempt was successful. This configuration takes effect only when the px_login_successful_reporting_method is set to "custom". This subroutine is invoked during the vcl_deliver stage.
The subroutine should set the resp.http.x-px-login-successful header to "1" if the login request resulted in a successful login, or to "0" if the login attempt was unsuccessful.
Default: Empty
Example:
px_send_raw_username_on_additional_s2s_activity
Whether to report the raw username on the additional_s2s activity. When set to "false", the raw username will never be reported. When set to "true", the raw username will only be reported if (1) the credentials are compromised, and (2) the login request was successful.
Default: "false"
px_credentials_intelligence_query_string
Whether to add the URL query parameter compromised_credentials=true to the origin request URL if compromised credentials have been identified on the request.
Default: "false"
px_compromised_credentials_returned_status_response
This configuration modifies the returned client response status code if px_credentials_intelligence_query_string is enabled, and if the login request contained compromised credentials and resulted in a successful login.
Default: ""
px_additional_s2s_activity_header_enabled
Whether to attach the additional_s2s payload and URL as headers to the original request. This is done so that the additional_s2s activity can be enriched with the proper login successful value and sent to the provided URL at a later stage.
When set to "true", the additional_s2s activity will no longer be sent automatically by the Enforcer. Instead, the following headers will be added to the origin request:
px-additional-activity- A JSON object containing the payload of theadditional_s2sactivity. The login_successful and http_status_code fields should be set prior to sending the activity.px-additional-activity-url- The URL to which theadditional_s2spayload should be sent as an HTTP POST request.
Default: "false"
Below is an example of JavaScript code at the origin server to handle parsing, enrichment, and sending of the additional_s2s activities that arrive on request headers.
