The security configuration section allows you to define security rules and exceptions for your CDN deployment. This includes Web Application Firewall (WAF) rules, IP blocking, and various threat detection mechanisms.
View Complete Schema
Configuration Structure
Basic structure of security configuration with deny groups and exceptions for fine-grained control.
{
"security_config": {
"deny_groups": [...], // Security rule groups to enforce
"exceptions": {...} // Exceptions to security rules
}
}
Security Groups
Web Application Firewall Rules
Core WAF protection against common web application attacks including injection and cross-site scripting.
Basic WAF Protection
Enable essential web application firewall rules for common attack vectors.
{
"security_config": {
"deny_groups": [
"SQL-INJECTION-ANOMALY",
"XSS-ANOMALY",
"CMD-INJECTION-ANOMALY"
]
}
}
Core WAF Groups
| Group | Description |
|---|
SQL-INJECTION-ANOMALY | Detects SQL injection attack attempts |
XSS-ANOMALY | Cross-site scripting protection |
CMD-INJECTION-ANOMALY | Command injection detection |
LFI-ANOMALY | Local file inclusion protection |
RFI-ANOMALY | Remote file inclusion protection |
WAT-ANOMALY | Web application firewall anomalies |
PLATFORM-ANOMALY | Platform-specific security violations |
POLICY-ANOMALY | Security policy violations |
PROTOCOL-ANOMALY | Network protocol violations |
BOT-BROWSER-IMPERSONATOR | Bot detection and browser impersonation |
IPBLOCK-BURST | IP burst detection |
IPBLOCK-SUMMARY | IP blocking summaries |
REP | Reputation-based blocking |
Exception Management
Security Rule Exceptions
Create specific exclusions for security rules based on paths, IPs, or rule IDs to allow legitimate traffic.
Exception Structure
Define exceptions for specific security groups with multiple exclusion criteria.
{
"security_config": {
"exceptions": {
"SQL-INJECTION-ANOMALY": {
"paths": ["/api/legacy", "/admin/upload"],
"v4_ips": ["192.0.2.0/24", "198.51.100.1"],
"v6_ips": ["2001:db8::/32"]
}
}
}
}
Path-Based Exceptions
Exclude specific URL paths from security rules for legacy applications or special endpoints.
Path Prefix Exceptions
Use path prefixes to exclude entire sections of your application.
{
"paths": [
"/api/v1/upload",
"/admin/",
"/public/assets"
]
}
IP Address Exceptions
Whitelist trusted IP addresses or ranges to bypass security rules for internal traffic.
IPv4 and IPv6 Exceptions
Support for both IPv4 and IPv6 addresses with CIDR notation.
{
"v4_ips": [
"192.0.2.100",
"198.51.100.0/24",
"203.0.113.0/24"
],
"v6_ips": [
"2001:db8::1",
"2001:db8::/32"
]
}
ASN-Based Exceptions
Whitelist entire networks or organizations by their ASN, useful for trusted cloud providers, partners, or corporate networks.
Exclude Cloud Provider ASNs
Allow traffic from major cloud providers without security restrictions.
{
"security_config": {
"deny_groups": [
"REP",
"BOT-BROWSER-IMPERSONATOR"
],
"exceptions": {
"REP": {
"asn": [
16509,
15169,
8075
]
},
"BOT-BROWSER-IMPERSONATOR": {
"asn": [16509, 15169],
"paths": ["/api/webhook", "/api/callback"]
}
}
}
}
Partner Network ASN Exception
Whitelist specific partner networks using ASN with string format.
{
"security_config": {
"exceptions": {
"SQL-INJECTION-ANOMALY": {
"asn": ["32934", "13335", "20940"],
"paths": ["/api/partner/"]
}
}
}
}
Mixed ASN and IP Exceptions
Combine ASN exceptions with traditional IP-based exceptions for comprehensive whitelisting.
{
"security_config": {
"exceptions": {
"SQL-INJECTION-ANOMALY": {
"asn": [16509, 15169],
"v4_ips": ["192.0.2.0/24", "198.51.100.0/24"],
"v6_ips": ["2001:db8::/32"]
}
}
}
}
ASN Format Reference
| Provider | ASN (Integer) | ASN (String) |
|---|
| Amazon AWS | 16509 | "16509" |
| Google Cloud | 15169 | "15169" |
| Microsoft Azure | 8075 | "8075" |
| Cloudflare | 13335 | "13335" |
| Facebook | 32934 | "32934" |
List References in Exceptions
WAF exception fields (`paths`, `v4_ips`, `v6_ips`, `asn`) support `{{list.<key>}}` references, letting you define reusable values once and reference them across rules. List refs can be used alone or mixed with inline values.
{
"lists": {
"health_check_paths": ["/health", "/status", "/ready"],
"internal_ips": ["10.0.0.0/8", "192.168.0.0/16"]
},
"security_config": {
"deny_groups": ["SQL-INJECTION-ANOMALY"],
"exceptions": {
"SQL-INJECTION-ANOMALY": {
"paths": ["{{list.health_check_paths}}", "/internal/metrics"],
"v4_ips": "{{list.internal_ips}}"
}
}
}
}
See the Lists reference for full details on defining lists, common config, override behavior, and more examples.
Complete Exception Types
All Exception Properties
Security rule exceptions support five different exception types that can be combined for granular control.
Complete Exception Example
{
"security_config": {
"deny_groups": [
"SQL-INJECTION-ANOMALY",
"XSS-ANOMALY",
"REP"
],
"exceptions": {
"SQL-INJECTION-ANOMALY": {
"paths": ["/api/search", "/api/filter"],
"v4_ips": ["192.0.2.0/24"],
"v6_ips": ["2001:db8::/32"],
"asn": [16509, 15169]
},
"XSS-ANOMALY": {
"paths": ["/admin/wysiwyg"],
"v4_ips": ["198.51.100.0/24"]
},
"REP": {
"asn": [16509, 15169, 8075],
"paths": ["/api/webhook"]
}
}
}
}
Exception Property Reference
| Property | Type | Limit | Description |
|---|
paths | array[string] or list ref | 1-50 | URL path prefixes to exclude (supports {{list.*}} references) |
rule_ids | array[string] | 1-50 | Deprecated -- Specific rule IDs to exclude |
v4_ips | array[string] or list ref | 1-50 | IPv4 addresses/CIDR to exclude (supports {{list.*}} references) |
v6_ips | array[string] or list ref | 1-50 | IPv6 addresses/CIDR to exclude (supports {{list.*}} references) |
asn | array[int|string] or list ref | 1-50 | AS numbers to exclude (supports {{list.*}} references) |