Best Practices
Practical guidance for building, testing, and debugging EaaS tenant configurations.
Security Configuration
Start with Core Protections
Enable essential WAF groups first, then add more as you monitor false positives:
Use Specific Exceptions
When adding exceptions, scope them as narrowly as possible. Combine multiple exception types (paths + IPs + ASNs) to avoid over-permitting:
Avoid broad exceptions like exempting an entire /api/ prefix or a /0 CIDR block from all rules.
Rate Control Tiers
Security groups IPBLOCK-BURST and IPBLOCK-SUMMARY provide rate limiting. The thresholds are configured at the security policy level. Common tiers:
Delivery Configuration
Rule Ordering
Most delivery features use a rule-based structure where the first matching rule wins. Order rules from most specific to least specific:
In this example: user API requests bypass cache, other API requests cache for 5 minutes, everything else caches for 1 hour. If the broad /api/* rule were first, the specific /api/v2/users/* rule would never fire.
Match Condition Efficiency
- Prefer prefix matching (
paths_startswith) over wildcard matching (paths_wildcard) when possible — it's faster. - Use
matchAll(AND) for common cases. UsematchAny(OR) only when you genuinely need "any of these conditions." - Keep match arrays reasonable. Each match condition supports up to 100 values, but smaller arrays evaluate faster.
Simple vs Rule-Based
Some features accept both a simple value and a rule-based structure. Use the simple form when you don't need conditional logic:
Testing Your Configuration
1. Validate Against the Schema
Before deploying, validate your tenant JSON:
- Online: Paste your config into the Tenant Validator
- CLI: Use
check-jsonschemawith the schema file:
- IDE: Point your editor's JSON Schema validation at the schema file for real-time feedback.
2. Use Debug Headers
EaaS supports debug response headers that reveal how the edge processed your request. Add the debug header to your request:
The debug key is configured via the PMUSER_EAAS_DEBUG_KEY variable in your Property Manager configuration. Contact your Akamai representative if you don't know your debug key.
3. Test on Staging First
Always test configuration changes on the Akamai staging network before activating on production. Use --resolve to point your request at the staging IP:
Debug Response Headers
When the <debug-header-name> header is included in your request, the edge returns these response headers:
General
Caching
Tenant Log Format
The x-eaas-tenant-log header value follows this format:
Schema Limits Reference
Key limits defined in the tenant schema: