Skip to main content

Security Configuration

The security configuration section allows you to define security rules and exceptions for your CDN deployment. This includes Web Application Firewall (WAF) rules, IP blocking, and various threat detection mechanisms.

View Complete Schema

Configuration Structure

Basic structure of security configuration with deny groups and exceptions for fine-grained control.

JSON
{
  "security_config": {
    "deny_groups": [...],    // Security rule groups to enforce
    "exceptions": {...}      // Exceptions to security rules
  }
}

Security Groups

Web Application Firewall Rules

Core WAF protection against common web application attacks including injection and cross-site scripting.

Basic WAF Protection

Enable essential web application firewall rules for common attack vectors.

JSON
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY"
    ]
  }
}
Core WAF Groups
GroupDescription
SQL-INJECTION-ANOMALYDetects SQL injection attack attempts
XSS-ANOMALYCross-site scripting protection
CMD-INJECTION-ANOMALYCommand injection detection
LFI-ANOMALYLocal file inclusion protection
RFI-ANOMALYRemote file inclusion protection
WAT-ANOMALYWeb application firewall anomalies
PLATFORM-ANOMALYPlatform-specific security violations
POLICY-ANOMALYSecurity policy violations
PROTOCOL-ANOMALYNetwork protocol violations
BOT-BROWSER-IMPERSONATORBot detection and browser impersonation
IPBLOCK-BURSTIP burst detection
IPBLOCK-SUMMARYIP blocking summaries
REPReputation-based blocking

Exception Management

Security Rule Exceptions

Create specific exclusions for security rules based on paths, IPs, or rule IDs to allow legitimate traffic.

Exception Structure

Define exceptions for specific security groups with multiple exclusion criteria.

JSON
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/legacy", "/admin/upload"],
        "v4_ips": ["192.0.2.0/24", "198.51.100.1"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}

Path-Based Exceptions

Exclude specific URL paths from security rules for legacy applications or special endpoints.

Path Prefix Exceptions

Use path prefixes to exclude entire sections of your application.

JSON
{
  "paths": [
    "/api/v1/upload",
    "/admin/",
    "/public/assets"
  ]
}

IP Address Exceptions

Whitelist trusted IP addresses or ranges to bypass security rules for internal traffic.

IPv4 and IPv6 Exceptions

Support for both IPv4 and IPv6 addresses with CIDR notation.

JSON
{
  "v4_ips": [
    "192.0.2.100",
    "198.51.100.0/24",
    "203.0.113.0/24"
  ],
  "v6_ips": [
    "2001:db8::1",
    "2001:db8::/32"
  ]
}

ASN-Based Exceptions

Whitelist entire networks or organizations by their ASN, useful for trusted cloud providers, partners, or corporate networks.

Exclude Cloud Provider ASNs

Allow traffic from major cloud providers without security restrictions.

JSON
{
  "security_config": {
    "deny_groups": [
      "REP",
      "BOT-BROWSER-IMPERSONATOR"
    ],
    "exceptions": {
      "REP": {
        "asn": [
          16509,
          15169,
          8075
        ]
      },
      "BOT-BROWSER-IMPERSONATOR": {
        "asn": [16509, 15169],
        "paths": ["/api/webhook", "/api/callback"]
      }
    }
  }
}

Partner Network ASN Exception

Whitelist specific partner networks using ASN with string format.

JSON
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": ["32934", "13335", "20940"],
        "paths": ["/api/partner/"]
      }
    }
  }
}

Mixed ASN and IP Exceptions

Combine ASN exceptions with traditional IP-based exceptions for comprehensive whitelisting.

JSON
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": [16509, 15169],
        "v4_ips": ["192.0.2.0/24", "198.51.100.0/24"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}
ASN Format Reference
ProviderASN (Integer)ASN (String)
Amazon AWS16509"16509"
Google Cloud15169"15169"
Microsoft Azure8075"8075"
Cloudflare13335"13335"
Facebook32934"32934"

List References in Exceptions

WAF exception fields (`paths`, `v4_ips`, `v6_ips`, `asn`) support `{{list.<key>}}` references, letting you define reusable values once and reference them across rules. List refs can be used alone or mixed with inline values.

JSON
{
  "lists": {
    "health_check_paths": ["/health", "/status", "/ready"],
    "internal_ips": ["10.0.0.0/8", "192.168.0.0/16"]
  },
  "security_config": {
    "deny_groups": ["SQL-INJECTION-ANOMALY"],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["{{list.health_check_paths}}", "/internal/metrics"],
        "v4_ips": "{{list.internal_ips}}"
      }
    }
  }
}

See the Lists reference for full details on defining lists, common config, override behavior, and more examples.

Complete Exception Types

All Exception Properties

Security rule exceptions support five different exception types that can be combined for granular control.

Complete Exception Example

JSON
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/api/filter"],
        "v4_ips": ["192.0.2.0/24"],
        "v6_ips": ["2001:db8::/32"],
        "asn": [16509, 15169]
      },
      "XSS-ANOMALY": {
        "paths": ["/admin/wysiwyg"],
        "v4_ips": ["198.51.100.0/24"]
      },
      "REP": {
        "asn": [16509, 15169, 8075],
        "paths": ["/api/webhook"]
      }
    }
  }
}
Exception Property Reference
PropertyTypeLimitDescription
pathsarray[string] or list ref1-50URL path prefixes to exclude (supports {{list.*}} references)
rule_idsarray[string]1-50Deprecated -- Specific rule IDs to exclude
v4_ipsarray[string] or list ref1-50IPv4 addresses/CIDR to exclude (supports {{list.*}} references)
v6_ipsarray[string] or list ref1-50IPv6 addresses/CIDR to exclude (supports {{list.*}} references)
asnarray[int|string] or list ref1-50AS numbers to exclude (supports {{list.*}} references)