Fastly Rust Compute@Edge configuration options

Each Enforcer has a set of configuration options that control the Enforcer’s functionality and features. While some are required, many of these are optional configurations that you can use to customize the Enforcer’s behavior. You can reference available configurations with this article. PXConfig Config Store

While all Enforcers come with the same set of required configurations, the optional configurations available for each may differ. We recommend updating to the latest Enforcer version to ensure you have access to the latest features and configurations.

You can also store sensitive values in a Fastly Secret Store. When PXEnforcer is initialized with a non-empty Secret Store name (default: PXSecrets), the Enforcer overlays sensitive configurations from the Secret Store. These values override Config Store ones. Missing secrets are non-fatal and leave the Config Store value (or default) in place. Pass an empty string for the Secret Store name to disable secret loading.

A small number of options are runtime-only callbacks that cannot be expressed as Config Store values. These are set directly on the Enforcer in your Rust code before calling px.enforce() and are documented in Runtime callbacks.

Types & format

The Config Store stores every value as a string. The Enforcer parses each value according to the type of the configuration:

  • String: A sequence of characters without quotation marks, e.g. my_string
  • Boolean: A true or false value, e.g. true
  • Number: A numeric value, e.g. 100
  • List: A comma-separated list of values without quotation marks, e.g. value1, value2
  • Regex list: A comma-separated list of regular expressions without quotation marks, e.g. ^/graphql$, ^/api/graphql$
  • Object: A JSON-encoded value. Used by px_login_credentials_extraction.

You should add each configuration to the Fastly Config Store as a key-value pair. Enter both the key name and the value without quotation marks ('', ""). For array or list values, separate items with commas.

Deployment

For non-sensitive configurations, we recommend using a Fastly Config Store. However, for more sensitive configurations, we strongly recommend using a Fastly Secret Store instead. Populated values stored in a Secret Store override the same values in the Config Store.

Non-sensitive configurations are generally considered any configuration not listed in sensitive configurations. To deploy these configurations:

  1. Log in to your Fastly account.
  2. Navigate to Resources > Config Stores.
  3. Add or update a configuration as a key-value pair in the PXConfig Config Store.
  4. Click Save.

Quick reference

Feature nameKeyTypeDefaultDescription
Application IDpx_app_idString""The HUMAN application ID. Required to initialize the Enforcer. May be set in Config Store or Secret Store.
Authentication tokenpx_auth_tokenString""The token used for authorization with the HUMAN backend. Required to initialize the Enforcer. May be set in Config Store or Secret Store.
Cookie secretpx_cookie_secretString or Array of strings""The secret used to validate the risk cookie. Required to initialize the Enforcer. May be set in Config Store or Secret Store.

Required configurations

These configurations are necessary for the Enforcer’s basic functionality and features.

px_app_id
stringRequired

Your HUMAN Application ID in the form of PX12AB34CD. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview. If you have multiple applications, make sure to copy the ID of the application you want the Enforcer on.

We recommend storing this value in a Fastly Secret Store. If you do, it will override the px_app_id value in the Config Store.

Example
key: px_app_id
value: PX12345678
px_auth_token
stringRequired

The application’s server token needed to authorize with HUMAN’s backend. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview > Click the appropriate application > Server token tab.

We recommend storing this value in a Fastly Secret Store. If you do, it will override the px_auth_token value in the Config Store.

Example
key: px_auth_token
value: <AUTH_TOKEN>
string | string[]Defaults to stringRequired

The secret used to encrypt and decrypt the risk cookie sent from the HUMAN Sensor. You can copy this value from the HUMAN Console in Sightline Cyberfraud Defense > Traffic Policy Overview > Click the appropriate application > Click the key > Copy value.

If you need to rotate secrets, then adjust this configuration to be an array of strings (string[]) and include the new secret and old secret. The new secret value should be the first value in the array. This prevents decryption failures.

We recommend storing this value in a Fastly Secret Store. If you do, it will override the px_cookie_secret value in the Config Store.

key: px_cookie_secret
value: <COOKIE_SECRET>

Basic feature configurations

The configurations aren’t strictly required, but are integral for the Enforcer’s basic blocking functionality and are typically set to their default values if not manually configured.

px_s2s_timeout
integerDefaults to 2000

The total time in milliseconds that the Enforcer will wait for the Risk API request to return before timing out and passing the request.

Example
key: px_s2s_timeout
value: 1000
px_blocking_score
integerDefaults to 100

The minimum risk score that the Enforcer will block. Ranges from 0 (lowest risk) to 100 (highest risk).

Example
key: px_blocking_score
value: 80
px_user_agent_max_length
integerDefaults to 8528

Do not modify this value without consulting your HUMAN Solutions Engineer.

The maximum length of the User-Agent header. If the user agent header value exceeds this length, it will be truncated to this length prior to processing.

Example
key: px_user_agent_max_length
value: 2048
integerDefaults to 2048

The maximum length of the risk cookie. If the value exceeds this length, then validation will fail automatically.

Example
key: px_risk_cookie_max_length
value: 4096
integerDefaults to 500

The minimum accepted number of iterations for the Risk Cookie V3.

Example
key: px_risk_cookie_min_iterations
value: 500
integerDefaults to 5000

The maximum accepted number of iterations for the Risk Cookie V3.

Example
key: px_risk_cookie_max_iterations
value: 5000
px_debug
booleanDefaults to false

Whether the logger will generate detailed logs for debugging purposes. Not recommended for production environments.

See px_logger_auth_token for a header-based alternative.

Example
key: px_debug
value: true
px_ip_headers
string[]Defaults to []

An array of header names that are trusted to contain the true client IP. Headers are traversed in the order they’re listed, and the first header value will always be used as the client IP.

the client connection

Example
key: px_ip_headers
value: true-client-ip, x-forwarded-for
px_module_enabled
booleanDefaults to true

Whether the Enforcer module is enabled.

  • true: Enable the module
  • false: Disable the module
Example
key: px_module_enabled
value: true
px_module_mode
"monitor" | "active_blocking"Defaults to monitor

The Enforcer’s operation mode.

  • monitor: The Enforcer performs all functions without returning block responses. Useful for analyzing and adjusting Enforcer behavior without serving block pages to end users. If you have routes that must have enforcement at all times, see Enforced routes.
  • active_blocking: The Enforcer will return block responses as needed.
Example
key: px_module_mode
value: active_blocking

Optional configurations

These configurations aren’t required, but you can use them to further customize the Enforcer’s behavior.

Advanced blocking response (ABR)

px_advanced_blocking_response_enabled
booleanDefaults to true

In specific cases such as XHR post requests, a full CAPTCHA page render might not be an option. In such cases, the Advanced Blocking Response (ABR) returns a JSON object containing all the information needed to render a customized CAPTCHA challenge implementation such as a popup modal, a section on the page, etc. This provides more flexibility and customizability in displaying the CAPTCHA challenge.

Example
key: px_advanced_blocking_response_enabled
value: false

Bypass monitor header

px_bypass_monitor_header
stringDefaults to x-px-block

Activates the full blocking flow to verify the flow works as expected if a particular header is present on the request. Often used during monitor mode, where the Enforcer collects data without blocking user requests, before switching to active_blocking.

Example
key: px_bypass_monitor_header
value: x-bypass-monitor

Credentials Intelligence

These configurations let you extract and detect compromised credentials. They’re closely related to Credentials Intelligence-related features in Sightline Cyberfraud Defense.

At minimum, ensure the following are configured to enable Credential Intelligence:

  • px_login_credentials_extraction_enabled is set to true
  • px_login_credentials_extraction is configured with at least one credential endpoint

See Runtime callbacks for more options for configuring Credentials Intelligence.

px_login_credentials_extraction_enabled
booleanDefaults to false

Whether to enable the extraction and reporting of credentials from the Enforcer for Credential Intelligence.

  • true: Enable Credential Intelligence
  • false: Disable Credential Intelligence
Example
key: px_login_credentials_extraction_enabled
value: true
px_login_credentials_extraction
object

An array of configuration objects for each credential endpoint. Each element in the array is an object representing a distinct endpoint to which credentials are sent and includes:

  • How to identify these credential-bearing requests
  • How to extract the credentials from the request
  • How to determine if the request operation (login, signup, etc.) was successful based on the returned HTTP response

Click to expand the full properties list.

path
stringRequired

The path of the request that contains the credentials. It can be either an exact path or a string in the form of a regular expression.

Example
1{
2 // ...
3 path: '/sign-up',
4 // ...
5}
path_type
"exact" | "regex"Defaults to "exact"

Whether the incoming request path should be evaluated against the configured path as a regular expression or as an exact match.

  • exact: The value set in path must match the request path exactly as is.
  • regex: The value set in path is a regular expression to be matched against the request path.
Example
1{
2 // ...
3 path: '/auth/[A-Za-z0-9]{12}/login',
4 path_type: 'regex',
5 // ...
6}
method
stringRequired

The HTTP method of the request that contains the credentials. This can be set to any string representing an HTTP method.

Example
1{
2 // ...
3 method: 'POST',
4 // ...
5}
sent_through
"body" | "header" | "query-param" | "custom"Required

Whether the credentials should be extracted from the request headers, query parameters, body, or via a defined custom callback.

  • "body": The credentials will be extracted according to the configured user_field and pass_field values from the request body. The Enforcer parses the request body based on the following Content-Type request header:
    • application/json
    • application/x-www-form-urlencoded
    • multipart/form-data
  • "header": The credentials will be extracted according to the configured user_field and pass_field values from the request headers.
  • "query-param": The credentials will be extracted according to the configured user_field and pass_field values from the request query parameters.
  • "custom": The credentials will be extracted by invoking set_ci_extract_credentials_fn.
Example
1{
2 // ...
3 sent_through: 'body',
4 // ...
5}
user_field
string

Required if sent_through is set to "body", "header", or "query-param". The name of the field containing the username in the request body, headers, or query parameters.

Supports subfields in cases of Content-Type: application/json bodies with nested objects. The subfields can be separated with periods. For example, the credential endpoint configuration object can include a user_field with the value "user_info.username" and a pass_field with the value "authentication.password" to support extracting the credentials.

1{
2 // ...
3 sent_through: 'body',
4 user_field: 'username',
5 // ...
6}
pass_field
string

Required if sent_through is set to "body", "header", or "query-param". The name of the field, header name, or query parameter where the password can be found.

Supports subfields in cases of Content-Type: application/json bodies with nested objects. The subfields can be separated with periods. For example, the credential endpoint configuration object can include a user_field with the value "user_info.username" and a pass_field with the value "authentication.password" to support extracting the credentials.

1{
2 // ...
3 sent_through: 'body',
4 user_field: 'username',
5 // ...
6}
protocol
"v2" | "multistep_sso" | "both"Defaults to "both"

Whether to process credentials as part of single or multiple HTTP requests. By default, the module tries to process requests depending on which credential fields were extracted.

  • "v2": Both username and password are present on the same HTTP request and must be extracted successfully to trigger Credential Intelligence.
  • "multistep_sso": The username and password are delivered on different HTTP requests. Either the username or password, but not both, must be extracted successfully to trigger Credential Intelligence.
  • "both": The username and password may be present on the same HTTP request or on different HTTP requests. If either username or password is successfully extracted, the Enforcer will send the credentials according to the multistep_sso protocol. If both username and password are successfully extracted, the Enforcer will send the credentials according to the v2 protocol.
Example
1{
2 // ...
3 protocol: 'v2',
4 // ...
5}
login_successful_reporting_method
"status" | "body" | "header" | "custom"Defaults to statusRequired

The method by which the Enforcer will determine whether the login request was successful.

Example
1{
2 // ...
3 login_successful_reporting_method: 'status',
4 // ...
5}
login_successful_statuses
integer[]Defaults to [200]

An array of HTTP statuses signifying a successful login. All other status codes will be treated as unsuccessful login attempts. Takes effect only when the login_successful_reporting_method is set to "status".

Example
1{
2 // ...
3 login_successful_reporting_method: 'status',
4 login_successful_statuses: [200, 202],
5 // ...
6}
login_successful_body_regex
string

Required if login_successful_reporting_method is set to "body". A regular expression (or string representing a regular expression) to against which the response body will be evaluated. A match indicates a successful login.

Example
1{
2 // ...
3 login_successful_reporting_method: 'body',
4 login_successful_body_regex: 'Welcome, [A-Za-z0-9_]+!'
5 // ...
6}
login_successful_header_name
string

Required if login_successful_reporting_method is set to "header". A response header name signifying a successful login response. If the login_successful_header_value field is empty or not configured, any response containing this header name will be considered a successful login. If the login_successful_header_value is configured, the response header value must be an exact match.

Example
1{
2 // ...
3 login_successful_reporting_method: 'header',
4 login_successful_header_name: 'x-login-successful'
5 // ...
6}
login_successful_header_value
string

If this value is configured, a login attempt will be considered successful only if the response contains a header name matching the login_successful_header_name, and whose value is exactly equal to this configuration value. Takes effect only when the login_successful_reporting_method is set to "header".

Example
1{
2 // ...
3 login_successful_reporting_method: 'header',
4 login_successful_header_name: 'x-user-status',
5 login_successful_header_value: 'logged-in'
6 // ...
7}
Full example
1[
2 {
3 "path": "/login",
4 "path_type": "regex",
5 "method": "POST",
6 "sent_through": "body",
7 "user_field": "username",
8 "pass_field": "password",
9 "login_successful_reporting_method": "status",
10 "login_successful_statuses": [200, 202]
11 }
12]
px_credentials_intelligence_version
"v2" | "multistep_sso" | "both"Defaults to both

The default credential hashing protocol applied to endpoints that do not specify a protocol field.

  • "v2": Both username and password are present on the same HTTP request and must be extracted successfully to trigger Credential Intelligence.
  • "multistep_sso": The username and password are delivered on different HTTP requests. Either the username or password, but not both, must be extracted successfully to trigger Credential Intelligence.
  • "both": The username and password may be present on the same HTTP request or on different HTTP requests. If either username or password is successfully extracted, the Enforcer will send the credentials according to the multistep_sso protocol. If both username and password are successfully extracted, the Enforcer will send the credentials according to the v2 protocol.
Example
key: px_credentials_intelligence_version
value: both
px_compromised_credentials_header
stringDefaults to px-compromised-credentials

The header name to be set on the incoming request if the credentials are compromised. If this header is added, its value will always be 1. If credentials have not been identified as compromised, the header will not be added to the request.

Example
key: px_compromised_credentials_header
value: x-ci-compromised
px_additional_s2s_activity_enabled
booleanDefaults to true

Whether to send the additional_s2s activity, which reports on whether the login was successful, automatically in the postEnforce function. This should only be set to false if it’s not possible to determine whether the login was successful based on the HTTP response. However, if that’s the case, then the additional_s2s activity must be sent with px_additional_s2s_activity_header_enabled.

Example
key: px_additional_s2s_activity_enabled
value: false
px_additional_s2s_activity_header_enabled
booleanDefaults to false

Whether to attach the additional_s2s payload and URL as headers to the original request. This is done so that the additional_s2s activity can be enriched with the proper login_successful value and sent to the provided URL at a later stage. This should only be enabled if the px_additional_s2s_activity_enabled is set to false.

When set to true, the following headers are added to the origin request:

  • px-additional-activity: A JSON object containing the payload of the additional_s2s activity. The login_successful and http_status_code fields should be set prior to sending the activity.
  • px-additional-activity-url: The URL to which the additional_s2s payload should be sent as an HTTP POST request.
Example
key: px_additional_s2s_activity_header_enabled
value: true
px_send_raw_username_on_additional_s2s_activity
booleanDefaults to false

Whether to report the raw username on the additional_s2s activity.

  • false: The raw username will never be reported.
  • true: The raw username will only be reported if:
    • The credentials are compromised, and
    • The login request was successful.
Example
key: px_send_raw_username_on_additional_s2s_activity
value: true
px_login_successful_reporting_method
"status" | "body" | "header" | "custom"Defaults to status

The default login-success detection method applied to endpoints that don’t override it. See login_successful_reporting_method for the possible values.

Example
key: px_login_successful_reporting_method
value: custom
px_login_successful_status
integer[]Defaults to 200

The default HTTP status codes that indicate a successful login. This takes effect when the px_login_successful_reporting_method is set to status.

Example
key: px_login_successful_status
value: 200, 202
px_login_successful_body_regex
string

The default body regular expression that indicates a successful login. This takes effect when the px_login_successful_reporting_method is set to body.

Example
key: px_login_successful_body_regex
value: Welcome, [A-Za-z0-9_]+!
px_login_successful_header_name
string

The default response header name that indicates a successful login. This takes effect when the px_login_successful_reporting_method is set to header.

Example
key: px_login_successful_header_name
value: x-login-successful
px_login_successful_header_value
string

The default response header value that indicates a successful login. This takes effect when the px_login_successful_reporting_method is set to header.

Example
key: px_login_successful_header_value
value: logged-in

CORS support

You can configure the Enforcer to support Cross-Origin Resource Sharing (CORS) requests. CORS is a mechanism that lets the server indicate if a request contains cross-origin resources by adding special HTTP headers to the request. These headers let the browser load these resources. Without them, the browser may block requests to these resources for security reasons instead.

In most cases, CORS employs a two-stage procedure with a preliminary “preflight” request followed by the actual request. The preflight request checks if the actual request will be responded to. To learn more about different request types, see these examples.

You must configure the Enforcer to address both simple requests (without preflight) and more complex ones (with preflight) to support CORS requests.

See Runtime callbacks for more options for configuring CORS support.

px_cors_support_enabled
booleanDefaults to false

Whether to enable CORS support.

  • true: Enable CORS support
  • false: Disable CORS support

After setting this configuration to true, the Enforcer:

Example
key: px_cors_support_enabled
value: true
px_cors_preflight_request_filter_enabled
booleanDefaults to false

Disables enforcement for CORS preflight requests. When set to true, CORS preflight requests will be pass through the Enforcer flow without triggering detection or block responses.

  • true: Filter out preflight requests
  • false: Don’t filter out preflight requests
Example
key: px_cors_preflight_request_filter_enabled
value: true
stringDefaults to x-px-cookies

By default, the Enforcer extracts HUMAN cookies from the Cookie header. However, if these cookies are transferred on a different header, then that header’s name must be provided with this configuration.

Example
key: px_custom_cookie_header
value: x-custom-cookies

Enforced routes

These configurations let you define specific routes that should be enforced by HUMAN when the Enforcer is in monitor mode. These routes will always be subject to the full Enforcer workflow, including blocking requests if necessary.

px_enforced_routes
array<string>Defaults to []

An array of routes or prefixes that should be enforced by HUMAN even when the Enforcer is in monitor mode.

Example
key: px_enforced_routes
value: /enforced_route

Extracted cookies

px_extracted_cookies
array<string>Defaults to []

For each cookie name, the Enforcer will extract the cookie’s key-value pair and add it as a new field in the Risk API. This lets you include additional information to HUMAN’s detection mechanism if you’d like to.

Example
key: px_extracted_cookies
value: _ga, session_id

Filters

These configurations let you filter out certain requests or assets from the Enforcer. These values will be ignored by the Enforcer and will never be blocked.

See Runtime callbacks for more options for filtering requests based on custom logic.

px_filter_by_extension
array of stringsDefaults to [ '.css', '.bmp', '.tif', '.ttf', '.docx', '.woff2', '.js', '.pict', '.tiff', '.eot', '.xlsx', '.jpg', '.csv', '.eps', '.woff', '.xls', '.jpeg', '.doc', '.ejs', '.otf', '.pptx', '.gif', '.pdf', '.swf', '.svg', '.ps', '.ico', '.pls', '.midi', '.svgz', '.class', '.png', '.ppt', '.mid', '.webp', '.jar', '.json', '.xml' ]

Filters out requests with the specified file extension. By default, HUMAN doesn’t enforce static assets such as images and documents to minimize unncessary API calls and computation, but you can configure this list at any time.

Filtering by extension only applies to GET and HEAD HTTP methods.

Example
key: px_filter_by_extension
value: .css, .js, .png
px_filter_by_http_method
array of stringsDefaults to []

Filters out requests with the specified HTTP method to avoid unnecessary traffic in the Enforcer verification flow.

Example
key: px_filter_by_http_method
value: OPTIONS, DELETE
px_filter_by_ip
array of stringsDefaults to []

Filters out requests with the specified IP address to avoid unnecessary traffic in the Enforcer verification flow.

Example
key: px_filter_by_ip
value: 1.1.1.1, 2.2.2.2
px_filter_by_route
array of stringsDefaults to []

Filters out requests with the specified route to avoid unnecessary traffic in the Enforcer verification flow. Requests to these specified routes will never be blocked regardless of their risk score and will never generate risk or async activities.

Example
key: px_filter_by_route
value: /filtered_route
px_filter_by_user_agent
array of stringsDefaults to []

Filters out requests with the specified user agent to avoid unnecessary traffic in the Enforcer verification flow.

Example
key: px_filter_by_user_agent
value: filtered_UA

First party

These configurations let you use the Enforcer as a proxy for HUMAN servers and serve content to the browser from a first party endpoint. These are particularly useful when browser or extension restrictions that block JavaScript requests to other domains, such as adblockers, prevent the HUMAN Sensor from making requests to HUMAN’s backend. When this happens, it significantly limits HUMAN’s detection capabilities, so we recommend enabling these configurations to maintain full detection capabilities.

px_first_party_enabled
booleanDefaults to true

Whether to enable first party mode for Bot Defender or Sightline Cyberfraud Defense.

Example
key: px_first_party_enabled
value: false

GraphQL support

These configurations let the Enforcer extract GraphQL data from requests so that it can enforce these requests in the same way as other types of traffic.

px_graphql_enabled
booleanDefaults to false

Whether to parse and report information about GraphQL operations on incoming requests. When true, all POST requests with routes that match the prefixes configured in px_graphql_routes will have their bodies parsed for GraphQL operations.

  • true: Enable GraphQL support
  • false: Disable GraphQL support
Example
key: px_graphql_enabled
value: true
px_graphql_routes
array<RegExp>Defaults to ^/graphql$

A list of regex routes that should be considered GraphQL routes. If a request’s route matches any of the regexes in this list, HUMAN checks for sensitive GraphQL operations as specified in px_sensitive_graphql_operation_names and px_sensitive_graphql_operation_types.

Example
key: px_graphql_routes
value: ^/graphql$, ^/api/graphql$
px_sensitive_graphql_operation_names
array<string>Defaults to []

A list of operation types that should be considered sensitive. Some routes may be more prone to bot attacks than others, such as routes that execute payments or handle personal information. You can configure these routes as sensitive to ensure a more stringent protection.

If one or more GraphQL operations has a name or keyword matching this list, the Enforcer will trigger a Risk API call even if the request contains a valid, unexpired cookie. Matches against extracted GraphQL words from:

Example
key: px_sensitive_graphql_operation_names
value: SensitiveOperation1, SensitiveOperation2
px_sensitive_graphql_operation_types
'query' | 'mutation' | 'subscription' Defaults to []

A list of operation types that should be considered sensitive. Some routes may be more prone to bot attacks than others, such as routes that execute payments or handle personal information. You can configure these routes as sensitive to ensure a more stringent protection.

If one or more GraphQL operations on an HTTP request has a type matching this list, the Enforcer will trigger a Risk API call even if the request contains a valid, unexpired cookie.

Example
key: px_sensitive_graphql_operation_types
value: mutation, subscription
px_graphql_keywords
array<string | RegExp>Defaults to []

A list of keywords to identify important terms from GraphQL operation queries. These keywords are used to determine the purpose of the operation (such as login, checkout, or search) and can also be used to specify which operations should be considered sensitive. Any matching patterns will be extracted and reported to HUMAN. See px_sensitive_graphql_operation_names for more information.

Example
key: px_graphql_keywords
value: performLogin, addToCart
px_graphql_body_max_length
integerDefaults to 1048576

The maximum body prefix length in bytes that are read while parsing the GraphQL JSON body.

Example
key: px_graphql_body_max_length
value: 524288

Header data enrichment

These configurations let you add headers to incoming requests with additional data.

px_data_enrichment_header_name
stringDefaults to ""

Adds a header to the incoming request with the configured header name and the JSON-stringified data enrichment object as the value. If empty or if data enrichment has not been enabled for your policy, no header will be set. To view available data and enable this feature, see Data classification enrichment.

Example
key: px_data_enrichment_header_name
value: x-human-data-enrichment

HUMAN Challenge & hard block customization

These configurations let you customize the HUMAN Challenge block page as well as the hard block page, which appears when a request is blocked without a Challenge. Hard block pages inherit the same styling as the HUMAN Challenge according to the following configurations and cannot be customized separately.

px_css_ref
string

A way to include a custom CSS file to the block page.

Maps to {{{{cssRef}}}} in the block page template.

Example
key: px_css_ref
value: https://www.example.com/custom_style.css
px_js_ref
string

A way to include custom JavaScript to the block page. This script will run after the default JavaScript scripts.

Maps to {{{{jsRef}}}} in the block page template.

Example
key: px_js_ref
value: https://www.example.com/custom_script.js
stringDefaults to ""

Adds a custom logo to the HUMAN Challenge block page via URL.

Maps to {{{{customLogo}}}} in the block page template.

Example
key: px_custom_logo
value: https://www.example.com/custom_logo.png

Logging

px_log_endpoint
string

The name of the Fastly logging endpoint used by platform-specific activity delivery.

Example
key: px_log_endpoint
value: Human-Log
px_logger_auth_token
stringDefaults to ""Required

An alternative to the basic logger configuration. This sends Enforcer logs to HUMAN’s logging service if a specific header is present on the request. This is particularly useful for expedited debugging, diagnosis, and resolution of any integration or Enforcer-related issues.

Contact HUMAN to recieve your token.

We recommend storing this value in a Fastly Secret Store. If you do, it will override the px_logger_auth_token value in the Config Store.

Example
key: px_logger_auth_token
value: <LOGGER_AUTH_TOKEN>

MCP protection

These configurations let the Enforcer recognize and verify Model Context Protocol (MCP) requests. When enabled, the Enforcer extracts MCP JSON-RPC metadata such as the method, tool name, tool argument keys, and session id, then sends these to the Risk API for assessment. You can use these configurations in combination with other AgenticTrust-related features to enforce Agentic traffic.

px_agentic_trust_enabled
booleanDefaults to false

Whether to enable AgenticTrust verification for MCP requests.

  • true: Enable MCP verification
  • false: Disable MCP verification
Example
key: px_agentic_trust_enabled
value: true
px_agentic_trust_mcp_endpoint_path
stringDefaults to /mcp/

The MCP endpoint path used for AgenticTrust verification.

Example
key: px_agentic_trust_mcp_endpoint_path
value: /mcp/

Mobile support

Enforcers with Mobile Support automatically recognize and handle requests coming from HUMAN’s Mobile SDK. Since mobile apps don’t add cookies as part of HTTP requests, HUMAN sends Risk Cookies as headers instead of cookies. Further, because mobile user-agents can change during the application’s flow, these headers are considered tokens instead of being signed with the user-agent.

px_token_version
"2" | "3"Defaults to 3

The Risk Cookie version number the Mobile SDK can expect from requests from mobile applications.

  • "2": Denotes the Risk Cookie V2.
  • "3": Denotes the Risk Cookie V3.
Example
key: px_token_version
value: 3

Monitored routes

These configurations let you specify routes that should be monitored by the Enforcer, which means their requests will never be blocked, even when the Enforcer is in active_blocking mode. This means that these routes will go through the full Enforcer workflow and generate risk and async activities, but all block activities will only be simulated blocks on these routes.

px_monitored_routes
array<string>Defaults to []

A list of endpoints to be monitored rather than blocked by the Enforcer, even when the Enforcer is in active_blocking mode.

Example
key: px_monitored_routes
value: /monitored_route
px_secured_pxhd_enabled
booleanDefaults to false

The PX Hashed Data (PXHD) cookie links the first risk request with the browser activities as detected by the Sensor for better user tracking. It can also add more information that’s shared between the HUMAN Collector, Enforcer, and Sensor. This configuration determines whether the Secure cookie attribute is added when setting the PXHD cookie.

See Use of cookies & web storage for more information.

Example
key: px_secured_pxhd_enabled
value: true

Sensitive headers removal

px_sensitive_headers
string[]Defaults to Cookie, Cookies

Specifies certain headers that should not be forwarded to any other destination, including the HUMAN Detector. While HUMAN’s detection system will continue to use these headers to determine whether to block or not, the specified headers won’t be forwarded from the Enforcer, won’t appear in Enforcer activities, and won’t be sent to any other IP if the Enforcer acts as a proxy.

Example
key: px_sensitive_headers
value: x-sensitive-token

Sensitive routes

These configurations let you specify certain routes that need particularly stringent protection from attacks, such as endpoints that execute payments or handle personal information. Sensitive routes will always trigger a Risk API call even if the request contains a valid, unexpired, low-score cookie.

Requests with high-score cookies won’t send a Risk API call.

See Runtime callbacks for more options for configuring sensitive routes.

px_sensitive_routes
array<string>Defaults to []

A list of prefixes for all routes that should be considered sensitive.

Example
key: px_sensitive_routes
value: /login, /checkout
px_sensitive_routes_regex
array<string>Defaults to []

A list of regular expressions for all routes that should be considered sensitive.

Example
key: px_sensitive_routes_regex
value: ^/login$, ^/api/.*/checkout$

Users identifiers

These configurations let you extract user identifiers from a JWT carried on the request either in a cookie or a header. They’re closely related to the Accounts and Account Takeover or Fake Account features in Sightline Cyberfraud Defense.

stringDefaults to ""

The name of the cookie that contains the JWT token that HUMAN should extract user identifiers from.

Example
key: px_jwt_cookie_name
value: auth
stringDefaults to ""

The field name in the JWT object, extracted from the JWT cookie, that contains the user ID to be extracted and reported.

Example
key: px_jwt_cookie_user_id_field_name
value: nameID
string[]Defaults to []

The field names in the JWT object, extracted from the JWT cookie, that should be extracted and reported in addition to the user ID.

Example
key: px_jwt_cookie_additional_field_names
value: exp, iss
px_jwt_header_name
stringDefaults to ""

The name of the header that contains the JWT token that HUMAN should extract user identifiers from.

Example
key: px_jwt_header_name
value: x-jwt-authorization
px_jwt_header_user_id_field_name
stringDefaults to ""

The field name in the JWT object, extracted from the JWT header, that contains the user ID to be extracted and reported.

Example
key: px_jwt_header_user_id_field_name
value: sub
px_jwt_header_additional_field_names
string[]Defaults to []

The field names in the JWT object, extracted from the JWT header, that should be extracted and reported in addition to the user ID.

Example
key: px_jwt_header_additional_field_names
value: exp, iss

Runtime callbacks

Some supported features can’t be expressed as Config Store values. Instead, you can register runtime callbacks in your Rust code before calling px.enforce() to enable them.

Functions are mapped to equivalent standard configuration options used in other HUMAN Enforcers.

Additional activity handler

px_additional_activity_handler
functionDefaults to null

A custom function passed to the Enforcer that runs after sending page_requested or block activity to the Collector and before forwarding the request to the next step in the pipeline. A common use case is to set the score as a variable or header. Then the application can read the score and do what is defined within the application’s logic.

Registered via set_additional_activity_handler_fn.

Example
1pub type PXAdditionalActivityHandlerFn =
2 fn(req: &Request, conf: &PXConfig, ctx: &PXContext);
3
4pub fn set_additional_activity_handler_fn(&mut self, f: PXAdditionalActivityHandlerFn);

CORS support

See CORS support for Config Store options.

px_cors_create_custom_block_response_headers
functionDefaults to null

If the default CORS response headers are not sufficient, you can use this configuration to customize the headers that should be added to all block responses resulting from CORS requests. If this function is defined, the default headers will not be added. Only those headers specified in the returned object will be added to the block response.

Registered via set_cors_create_custom_block_response_headers_fn.

1pub type PXCorsCustomBlockResponseHeadersFn =
2 fn(req: &Request, conf: &PXConfig) -> Vec<(String, String)>;
3
4pub fn set_cors_create_custom_block_response_headers_fn(
5 &mut self,
6 f: PXCorsCustomBlockResponseHeadersFn,
7)
px_cors_custom_preflight_handler
functionDefaults to null

A custom function to define desired behavior for handling CORS preflight requests, if needed. The custom function should receive the original HTTP request and return an object representing the HTTP response to be returned. If null or any other falsy value is returned from the function, the Enforcer will continue processing the preflight request.

The px_cors_custom_preflight_handler will be invoked prior to determining whether to filter the request based on the px_cors_preflight_request_filter_enabled configuration. This allows for returning customized responses for preflight requests that meet certain conditions and filtering those that don’t meet these conditions.

Registered via set_cors_custom_preflight_handler_fn.

1pub type PXCorsCustomPreflightHandlerFn =
2 fn(req: &Request, conf: &PXConfig) -> Option<Response>;
3pub fn set_cors_custom_preflight_handler_fn(
4 &mut self, f: PXCorsCustomPreflightHandlerFn);

Credential Intelligence

See Credentials Intelligence for Config Store options.

extract_credentials_callback
object

Required if sent_through is set to "custom". A custom credential extraction callback that returns the raw credentials from the request. It receives the HTTP request and returns the raw credentials from the request, or None if neither field can be extracted.

Registered via set_ci_extract_credentials_fn.

Example
1pub type PXExtractCredentialsFn =
2 fn(req: &Request, endpoint_index: usize) -> Option<PXRawCredentials>;
3
4pub fn set_ci_extract_credentials_fn(&mut self, f: PXExtractCredentialsFn);
login_successful_custom_callback
string

Required if login_successful_reporting_method is set to "custom". A custom callback that accepts the HTTP response and returns a boolean that indicates whether the login attempt was successful.

Registered via set_ci_login_successful_fn.

Example
1pub type PXLoginSuccessfulFn =
2 fn(resp: &Response, endpoint_index: usize) -> Option<bool>;
3
4pub fn set_ci_login_successful_fn(&mut self, f: PXLoginSuccessfulFn);

Custom parameters

These configurations are related to custom parameters.

px_enrich_custom_parameters
functionDefaults to null

Enriches activities sent from the Enforcer to HUMAN with additional custom parameters. This data can include user information, session IDs, or other data that HUMAN should have access to. These custom parameters are defined by a configurable function that must return an object that contains these custom parameters. There is a limit of 10 custom parameters.

Registered via set_enrich_custom_params_fn.

Example
1pub type PXEnrichCustomParamsFn =
2 fn(req: &Request, conf: &PXConfig, params: &mut PXCustomParams);
3
4pub fn set_enrich_custom_params_fn(&mut self, f: PXEnrichCustomParamsFn);

Filter by custom function

See Filters for Config Store options.

px_filter_by_custom_function
functionDefaults to null

This configuration is meant for cases that require more complex logic. We recommended you use the other default filters available for most cases.

A custom function that lets you define which requests should be filtered based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be filtered.

Registered via set_is_filtered_request_fn.

Example
1pub type PXIsFilteredRequestFn = fn(req: &Request, conf: &PXConfig) -> bool;
2
3pub fn set_is_filtered_request_fn(&mut self, f: PXIsFilteredRequestFn);

Sensitive routes

See Sensitive routes for Config Store options.

px_custom_is_sensitive_request
functionDefaults to null

A custom function that lets you define which requests should be considered sensitive based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be considered sensitive.

Registered via set_is_sensitive_request_fn.

Example
1pub type PXIsSensitiveRequestFn = fn(req: &Request, conf: &PXConfig) -> bool;
2
3pub fn set_is_sensitive_request_fn(&mut self, f: PXIsSensitiveRequestFn);