Installing the Enforcer
Prerequisites
In order to compile and deploy Fastly Compute Package, rust compiler and Fastly CLI must be installed and configured: Compute services
Communicate with the HUMAN Backend
For the Enforcer to communicate with HUMAN services, four backend servers must be added and configured in the Fastly UI (or by using the contrib/pxbackend.sh script).
Backend parameters (replace ${APP_ID} with your HUMAN Application ID):
- Name:
human_sapi, Address:sapi-${APP_ID}.perimeterx.net - Name:
human_collector, Address:collector-${APP_ID}.perimeterx.net - Name:
human_client, Address:client.perimeterx.net - Name:
human_captcha, Address:captcha.px-cdn.net
All HUMAN backends should use SSL/TLS. It is recommended to set both First byte (ms) and Between bytes (ms) to 1000 ms.
Module installation
Include perimeterx-fastly-enforcer dependency to Cargo.toml:
Module integration
To integrate the HUMAN Rust module into existing Rust code, initialize PXEnforcer, register any optional callbacks before calling enforce, and then send the request through the Enforcer. If enforce returns a response, return it immediately because it is a block or first-party response. Otherwise, continue to the origin and call post_enforce before returning the origin response:
PXEnforcer Setup
Initialize the PXEnforcer structure with the name of the Fastly Config Store and the Fastly Secret Store. You can use the default names: perimeterx_fastly_enforcer::DEFAULT_CONFIGSTORE_NAME ("PXConfig") and perimeterx_fastly_enforcer::DEFAULT_SECRETSTORE_NAME ("PXSecrets").
When secret_store_name is a non-empty string, the Enforcer opens the Fastly Secret Store and overlays these keys (same px_* names): px_app_id, px_cookie_secret and px_auth_token. Secret Store values override Config Store values for those fields. Missing secrets are non-fatal and leave the Config Store value (or default) in place. Pass an empty string ("") for secret_store_name to disable Secret Store loading.
This function takes a request and returns an optional response for block or first-party requests:
At the end of request processing, call the following function to finalize HUMAN Enforcer response handling:
Access the PXContext structure through px.ctx():
To set custom parameter values, use the following callback type:
where:
req:fastly::Requestconf:PXConfigparams: modifiable structure withcustom_param1throughcustom_param10fields
To register the custom parameters callback, use the following setter:
Sample code
This example shows how to use the HUMAN Rust module with custom parameter enrichment, additional activity handling, sensitive request detection, filtered request detection, request-specific module mode, and context access:
Migrating from 1.x to 2.x
This guide walks you through upgrading the HUMAN Enforcer on Fastly from version 1.x to 2.x. There are three changes to make:
- Backend configuration — replace the single HUMAN backend with four dedicated backends.
- Secret Store configuration — optionally move sensitive values from the Config Store to a Secret Store.
- PXContext fields — update custom code to handle fields that are now optional.
What changed at a glance
Prerequisites
- Your HUMAN Application ID (
${APP_ID}). Substitute it wherever${APP_ID}appears below. - Access to the Fastly service that runs the Enforcer, with permission to edit and activate service versions.
- If you plan to use a Secret Store, permission to create and manage Fastly Secret Stores.
1. Backend configuration
Version 1.x used a single Fastly backend for HUMAN communication. Version 2.x uses four dedicated backends. This separates Risk API, activity collection, client-side assets, and CAPTCHA traffic. Keeping these destinations separate makes routing clearer, supports first-party and CAPTCHA flows, and lets each HUMAN service endpoint be configured independently in Fastly.
Add the following backends (replace ${APP_ID} with your HUMAN Application ID):
Update an existing Fastly service (web UI)
- Open the Fastly service that runs the Enforcer.
- Clone the active service version so the backend changes can be edited.
- Open the Origins configuration page.
- Add the four backends listed above. For each backend:
- Set the backend name and address.
- Enable SSL/TLS.
- Set the override host to the same value as the address.
- Set both First byte (ms) and Between bytes (ms) to
1000for each HUMAN backend. - Save the changes and activate the new Fastly service version.
- After you confirm the new version is serving traffic correctly, remove the old 1.x single HUMAN backend.
Tip: Keep the old 1.x backend in place until step 7. Removing it only after verifying the new version lets you roll back to the previous service version if anything looks wrong.
2. Secret Store configuration
In version 1.x, sensitive values were stored in the Fastly Config Store. In version 2.x, sensitive values can be stored in a Fastly Secret Store.
When the Enforcer is initialized with a non-empty Secret Store name (default: PXSecrets), it overlays the following fields from the Secret Store:
Behavior to keep in mind:
- Secret Store values override Config Store values for the fields listed above.
- Missing secrets are non-fatal. If a secret is absent, the existing Config Store value (or the default) stays in place.
- To disable secret loading, pass an empty string for the Secret Store name.
3. PXContext fields
Many PXContext fields that were always present in 1.x are now optional (Option<T>) in 2.x, because they are only populated after specific enforcement paths run. For example, a request may not have a score, a Risk API call may not run, or data enrichment may not be returned. Setting score to 0 is not a valid substitute for an absent score, because 0 is a valid score value. That is why the getters now return Option<T> instead of T.
Access the context through px.ctx() and handle the Option<> values returned by the getter methods. The examples below show the recommended pattern for the most common getters.
Read the score (only present when scoring ran):
Read the visitor ID:
Read the Risk API round-trip time (only present when the Risk API was called):
Read the block reason (only present when the request was blocked):
Read data enrichment (only present when enrichment was returned):
Verify the migration
After activating the new service version, confirm the upgrade is healthy before removing the old backend:
- Traffic is being served normally with no increase in errors.
- The four HUMAN backends show healthy connections in the Fastly dashboard.
- If you enabled the Secret Store, confirm the overlaid fields resolve correctly (for example, requests authenticate and are scored as expected).
- Any custom code that reads
PXContextcompiles and behaves correctly with the newOption<>getters.
Roll back
Because you cloned the active version, you can revert by reactivating the previous Fastly service version at any time before the old backend is removed.