Configuration Options

Configuring the Rust module in Fastly is done via the Compute@Edge Dictionary.

Required Configurations

| Configuration Name | Type | Default |
| --- | --- | --- |
| px_app_id | string | "" |
| px_cookie_secret | string | "" |
| px_auth_token | string | "" |

Optional Configurations

| Configuration Name | Type | Default |
| --- | --- | --- |
| px_module_enabled | bool | false |
| px_module_mode | "active_blocking", "monitor" | "monitor" |
| px_debug | bool | false |
| px_blocking_score | number | 100 |
| px_sensitive_headers | list | [] |
| px_sensitive_routes | list | [] |
| px_filter_by_route | list | [] |
| px_filter_by_user_agent | list | [] |
| px_filter_by_ip | list | [] |
| px_filter_by_http_method | list | [] |
| px_custom_cookie_header | string | "" |
| px_enforced_routes | list | [] |
| px_monitored_routes | list | [] |
| px_bypass_monitor_header | string | "" |
| px_first_party_enabled | bool | true |
| px_custom_logo | string | "" |
| px_js_ref | string | "" |
| px_css_ref | string | "" |
| px_ip_headers | list | [] |
| log_endpoint | string | "" |
| px_graphql_enabled | bool | false |
| px_graphql_sensitive_routes | list | ["^/graphql$"] |
| px_sensitive_graphql_operation_types | list | [] |
| px_sensitive_graphql_operation_names | list | [] |

Auto deploying the configurations

The pxconfig.sh script populates the configurations in the Dictionary automatically. The following options populate only the required configurations:

Required options:
  -s, --service-id=SERVICE_ID    specify a service to deploy the dictionary
  -v, --version=VER              specify a service version
  -a, --appid=APPID              specify an appid
  -c, --cookie_secret=SECRET     specify a cookie_secret
  -t, --auth_token=TOKEN         specify an auth_token

GraphQL Configurations

px_graphql_enabled

Whether the enforcer should attempt to parse and report information about GraphQL operations on incoming requests.

Default: "false"

"px_graphql_enabled": "false"

px_graphql_routes

A list of route regexes that will be checked for sensitive GraphQL operations. If a request’s route matches any of the regexes in this list, it will be checked for sensitive GraphQL operations as configured in px_sensitive_graphql_operation_types and px_sensitive_graphql_operation_names. If the request contains a sensitive operation, it will trigger a server call to HUMAN servers every time that operation is performed, regardless of cookie state.

Default: ["^/graphql$"]

"px_graphql_routes": ["^/graphql$"]

px_sensitive_graphql_operation_types

A comma-separated list of operation types (query, mutation, or subscription) that should be considered sensitive. If one or more GraphQL operations on an HTTP request is found to have a type matching the list configured here, it will trigger a Risk API call even if the request contains a valid, unexpired cookie.

Default: ""

"px_sensitive_graphql_operation_types": "mutation,subscription",

px_sensitive_graphql_operation_names

A comma-separated list of operation names that should be considered sensitive. If one or more GraphQL operations on an HTTP request is found to have a name matching the list configured here, it will trigger a Risk API call even if the request contains a valid, unexpired cookie.

Default: ""

"px_sensitive_graphql_operation_names": "SensitiveOperation1,SensitiveOperation2",
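To check which requests a given set of GraphQL settings would mark as sensitive, the following added example (not the enforcer's own code) applies the route, type, and name rules described in this section to sample requests. It uses the key names as written in this section; the function names, the simplified operation scanner, the handling of batched arrays, and the gating on px_graphql_enabled are assumptions.

```python
import json
import re

# Constructed sample settings, using the option names documented above.
CONFIG = {
    "px_graphql_enabled": "true",
    "px_graphql_routes": ["^/graphql$"],
    "px_sensitive_graphql_operation_types": "mutation,subscription",
    "px_sensitive_graphql_operation_names": "SensitiveOperation1,SensitiveOperation2",
}
TYPES = ("query", "mutation", "subscription")

def operations(document):
    """Return (type, name) for each top-level operation in a GraphQL document.
    Simplified scanner (assumption): ignores braces inside string literals and comments."""
    found, depth, header = [], 0, ""
    for ch in document:
        if ch in "{(":
            if depth == 0 and ch == "{":
                tokens = header.split()
                if tokens[:1] != ["fragment"]:  # fragments are not operations
                    explicit = bool(tokens) and tokens[0] in TYPES
                    name = tokens[1] if explicit and len(tokens) > 1 else None
                    found.append((tokens[0] if explicit else "query", name))
                header = ""
            depth += 1
        elif ch in "})":
            depth -= 1
        elif depth == 0:
            header += ch
    return found

def is_sensitive(config, path, body):
    """True when the settings above would mark this request's GraphQL operations sensitive."""
    # Assumption: nothing is parsed unless px_graphql_enabled is "true".
    if config["px_graphql_enabled"] != "true":
        return False
    if not any(re.search(rx, path) for rx in config["px_graphql_routes"]):
        return False
    types = set(filter(None, config["px_sensitive_graphql_operation_types"].split(",")))
    names = set(filter(None, config["px_sensitive_graphql_operation_names"].split(",")))
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    items = payload if isinstance(payload, list) else [payload]  # assumption: batched arrays
    queries = [i["query"] for i in items if isinstance(i, dict) and isinstance(i.get("query"), str)]
    return any(t in types or n in names for q in queries for t, n in operations(q))
```

A request for which `is_sensitive` returns True is one that, per the descriptions above, triggers a Risk API call even when it carries a valid, unexpired cookie.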