Security Configuration
The security configuration section allows you to define security rules and exceptions for your CDN deployment. This includes Web Application Firewall (WAF) rules, IP blocking, and various threat detection mechanisms.
Configuration Structure
Basic structure of security configuration with deny groups and exceptions for fine-grained control.
{
  "security_config": {
    "deny_groups": [...], // Security rule groups to enforce
    "exceptions": {...}   // Exceptions to security rules
  }
}

Security Groups

Web Application Firewall
Web Application Firewall Rules
Core WAF protection against common web application attacks including injection and cross-site scripting.
Basic WAF Protection
Enable essential web application firewall rules for common attack vectors.
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY"
    ]
  }
}

Core WAF Groups
| Group | Description |
|---|---|
| SQL-INJECTION-ANOMALY | Detects SQL injection attack attempts |
| XSS-ANOMALY | Cross-site scripting protection |
| CMD-INJECTION-ANOMALY | Command injection detection |
| LFI-ANOMALY | Local file inclusion protection |
| RFI-ANOMALY | Remote file inclusion protection |
| WAT-ANOMALY | Web application firewall anomalies |
| PLATFORM-ANOMALY | Platform-specific security violations |
| POLICY-ANOMALY | Security policy violations |
| PROTOCOL-ANOMALY | Network protocol violations |
| BOT-BROWSER-IMPERSONATOR | Bot detection and browser impersonation |
| IPBLOCK-BURST | IP burst detection |
| IPBLOCK-SUMMARY | IP blocking summaries |
| REP | Reputation-based blocking |
Exception Management

Security Rule Exceptions
Create specific exclusions for security rules based on paths, IPs, or rule IDs to allow legitimate traffic.
Exception Structure
Define exceptions for specific security groups with multiple exclusion criteria.
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/legacy", "/admin/upload"],
        "v4_ips": ["192.0.2.0/24", "198.51.100.1"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}

Path-Based Exceptions
Exclude specific URL paths from security rules for legacy applications or special endpoints.
Path Prefix Exceptions
Use path prefixes to exclude entire sections of your application.
{
  "paths": [
    "/api/v1/upload", // Matches /api/v1/upload and /api/v1/upload/*
    "/admin/",        // Matches all admin paths
    "/public/assets"  // Matches /public/assets and sub-paths
  ]
}

IP Address Exceptions
Whitelist trusted IP addresses or ranges to bypass security rules for internal traffic.
IPv4 and IPv6 Exceptions
Support for both IPv4 and IPv6 addresses with CIDR notation.
{
  "v4_ips": [
    "192.0.2.100",     // Single IP
    "198.51.100.0/24", // CIDR block
    "203.0.113.0/24"   // Another CIDR block
  ],
  "v6_ips": [
    "2001:db8::1",  // Single IPv6
    "2001:db8::/32" // IPv6 CIDR
  ]
}

ASN-Based Exceptions
Autonomous System Number (ASN) Exceptions
Whitelist entire networks or organizations by their ASN, useful for trusted cloud providers, partners, or corporate networks.
Exclude Cloud Provider ASNs
Allow traffic from major cloud providers without security restrictions.
{
  "security_config": {
    "deny_groups": [
      "REP",
      "BOT-BROWSER-IMPERSONATOR"
    ],
    "exceptions": {
      "REP": {
        "asn": [
          16509, // Amazon AWS
          15169, // Google Cloud
          8075   // Microsoft Azure
        ]
      },
      "BOT-BROWSER-IMPERSONATOR": {
        "asn": [16509, 15169],
        "paths": ["/api/webhook", "/api/callback"]
      }
    }
  }
}

Partner Network ASN Exception
Whitelist specific partner networks using ASN with string format.
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": ["32934", "13335", "20940"],
        "paths": ["/api/partner/"]
      }
    }
  }
}

Mixed ASN and IP Exceptions
Combine ASN exceptions with traditional IP-based exceptions for comprehensive whitelisting.
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": [16509, 15169],
        "v4_ips": ["192.0.2.0/24", "198.51.100.0/24"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}

ASN Exception Options
| Property | Type | Description |
|---|---|---|
| asn | array[integer \| string] | AS numbers to exclude (1-50 items, without AS prefix) |
Common ASN Use Cases
- Cloud Services: Whitelist AWS, GCP, Azure for webhook callbacks
- CDN Providers: Allow traffic from CDN origin shields
- Corporate Networks: Exempt entire corporate network from certain rules
- Payment Processors: Whitelist payment gateway providers
- Monitoring Services: Exclude uptime monitoring services
ASN Format Reference
ASN Number Format
ASN values can be specified as integers or strings. Do NOT include the 'AS' prefix.
ASN Format Examples
| Provider | ASN (Integer) | ASN (String) |
|---|---|---|
| Amazon AWS | 16509 | "16509" |
| Google Cloud | 15169 | "15169" |
| Microsoft Azure | 8075 | "8075" |
| Cloudflare | 13335 | "13335" |
| | 32934 | "32934" |
Complete Exception Types
All Exception Properties
Security rule exceptions support five different exception types that can be combined for granular control.
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/api/filter"],
        "rule_ids": ["950001", "950907"],
        "v4_ips": ["192.0.2.0/24"],
        "v6_ips": ["2001:db8::/32"],
        "asn": [16509, 15169]
      },
      "XSS-ANOMALY": {
        "paths": ["/admin/wysiwyg"],
        "v4_ips": ["198.51.100.0/24"]
      },
      "REP": {
        "asn": [16509, 15169, 8075],
        "paths": ["/api/webhook"]
      }
    }
  }
}

Exception Property Reference
| Property | Type | Limit | Description |
|---|---|---|---|
| paths | array[string] | 1-50 | URL path prefixes to exclude |
| rule_ids | array[string] | 1-50 | Specific rule IDs to exclude |
| v4_ips | array[string] | 1-50 | IPv4 addresses/CIDR to exclude |
| v6_ips | array[string] | 1-50 | IPv6 addresses/CIDR to exclude |
| asn | array[int \| string] | 1-50 | AS numbers to exclude |
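The following is an added example, not the CDN's own code, that applies the exception semantics described above (path prefixes, IPv4/IPv6 CIDR matching, bare-number ASNs as integer or string, and the 1-50 item limits) to a constructed configuration. It assumes that any single matching criterion exempts a request and that a prefix without a trailing slash matches only the path itself and its sub-paths; both assumptions are taken from the page's comments and are not verified against the product.

```python
"""Added example, not the CDN's own code: validate a security_config and test exemptions."""
import ipaddress
NET_TYPES = {"v4_ips": ipaddress.IPv4Network, "v6_ips": ipaddress.IPv6Network}
# Constructed sample config using the page's exception shapes and documentation IP ranges.
SAMPLE = {"security_config": {"deny_groups": ["SQL-INJECTION-ANOMALY", "REP"], "exceptions": {
    "SQL-INJECTION-ANOMALY": {"paths": ["/api/legacy", "/admin/"], "rule_ids": ["950001"],
                              "v4_ips": ["192.0.2.0/24"], "v6_ips": ["2001:db8::/32"]},
    "REP": {"asn": [16509, "15169"]}}}}

def normalize_asn(value):
    """ASNs may be int or string, but never with the 'AS' prefix."""
    text = str(value).strip()
    if not text.isdigit():
        raise ValueError(f"invalid ASN {value!r}: digits only, no 'AS' prefix")
    return int(text)

def validate(config):
    """List problems: unknown key, list outside 1-50 items, malformed IP/CIDR or ASN."""
    errors = []
    for group, exc in config["security_config"].get("exceptions", {}).items():
        for key, items in exc.items():
            if key not in NET_TYPES and key not in ("paths", "rule_ids", "asn"):
                errors.append(f"{group}.{key}: unknown exception type")
            elif not 1 <= len(items) <= 50:
                errors.append(f"{group}.{key}: {len(items)} items, limit is 1-50")
            try:
                for item in items:
                    if key in NET_TYPES:
                        NET_TYPES[key](item, strict=False)  # bad CIDR or wrong family raises
                    elif key == "asn":
                        normalize_asn(item)
            except ValueError as e:
                errors.append(f"{group}.{key}: {e}")
    return errors

def path_matches(prefix, path):
    # Assumed from the page's comments: '/admin/' covers everything below it; '/api/legacy' covers itself and /api/legacy/*
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def is_exempt(config, group, path, client_ip, asn=None, rule_id=None):
    """Assumption: any one matching criterion exempts the request from `group`."""
    exc = config["security_config"].get("exceptions", {}).get(group, {})
    ip = ipaddress.ip_address(client_ip)
    nets = exc.get("v4_ips" if ip.version == 4 else "v6_ips", [])
    return (any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
            or any(path_matches(p, path) for p in exc.get("paths", []))
            or (asn is not None and normalize_asn(asn) in {normalize_asn(a) for a in exc.get("asn", [])})
            or (rule_id is not None and str(rule_id) in exc.get("rule_ids", [])))
```

Run validate() on a configuration before deploying it and is_exempt() against representative requests to confirm an exception is as narrow as intended.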
Complete Examples

Comprehensive Configuration
Comprehensive Security Configuration
A complete example showing multiple security groups with specific exceptions for different scenarios.
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/legacy/import"],
        "v4_ips": ["192.0.2.0/24"]
      },
      "XSS-ANOMALY": {
        "paths": ["/admin/wysiwyg"],
        "v4_ips": ["198.51.100.1"]
      }
    }
  }
}

Use Case Examples

E-commerce Security
E-commerce Security Setup
Comprehensive security configuration tailored for e-commerce applications with payment processing.
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY",
      "BOT-BROWSER-IMPERSONATOR"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/api/catalog"],
        "v4_ips": ["198.51.100.0/24"]
      },
      "BOT-BROWSER-IMPERSONATOR": {
        "paths": ["/api/webhook"],
        "v4_ips": ["203.0.113.0/24"]
      }
    }
  }
}

Content Management
Content Management Security
Security configuration for content management systems with admin area protection.
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "LFI-ANOMALY",
      "RFI-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "XSS-ANOMALY": {
        "paths": ["/admin/editor", "/admin/content"],
        "v4_ips": ["192.0.2.0/24"]
      },
      "LFI-ANOMALY": {
        "paths": ["/admin/media"],
        "v4_ips": ["192.0.2.0/24"]
      }
    }
  }
}

Best Practices and Validation

Defense Strategy
- Start with core protections
- Add security groups gradually
- Monitor false positives
- Document all exceptions

Exception Guidelines
- Keep exceptions specific
- Regular exception review
- Validate necessity
- Use narrowest scope possible

Monitoring
- Review security logs regularly
- Track blocked requests
- Adjust rules based on data
- Test exception effectiveness