# Security Configuration

The security configuration section allows you to define security rules and exceptions for your CDN deployment. This includes Web Application Firewall (WAF) rules, IP blocking, and various threat detection mechanisms.

> [View Complete Schema](/tenant-schema.html#security-config)

```json
{
  "security_config": {
    "deny_groups": [...],    // Security rule groups to enforce
    "exceptions": {...}      // Exceptions to security rules
  }
}
```

## Security Groups

### Web Application Firewall

**Basic WAF Protection**

Enable essential web application firewall rules for common attack vectors.

```json
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY"
    ]
  }
}
```

**Core WAF Groups**

| Group | Description |
| --- | --- |
| `SQL-INJECTION-ANOMALY` | Detects SQL injection attack attempts |
| `XSS-ANOMALY` | Cross-site scripting protection |
| `CMD-INJECTION-ANOMALY` | Command injection detection |
| `LFI-ANOMALY` | Local file inclusion protection |
| `RFI-ANOMALY` | Remote file inclusion protection |
| `WAT-ANOMALY` | Web application firewall anomalies |
| `PLATFORM-ANOMALY` | Platform-specific security violations |
| `POLICY-ANOMALY` | Security policy violations |
| `PROTOCOL-ANOMALY` | Network protocol violations |
| `BOT-BROWSER-IMPERSONATOR` | Bot detection and browser impersonation |
| `IPBLOCK-BURST` | IP burst detection |
| `IPBLOCK-SUMMARY` | IP blocking summaries |
| `REP` | Reputation-based blocking |

## Exception Management

### Security Rule Exceptions

**Exception Structure**

Define exceptions for specific security groups with multiple exclusion criteria.

```json
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/legacy", "/admin/upload"],
        "v4_ips": ["192.0.2.0/24", "198.51.100.1"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}
```

### Path-Based Exceptions

**Path Prefix Exceptions**

Use path prefixes to exclude entire sections of your application.

```json
{
  "paths": [
    "/api/v1/upload",     // Matches /api/v1/upload and /api/v1/upload/*
    "/admin/",            // Matches all admin paths
    "/public/assets"      // Matches /public/assets and sub-paths
  ]
}
```

### IP Address Exceptions

**IPv4 and IPv6 Exceptions**

Both IPv4 and IPv6 addresses are supported, as single addresses or in CIDR notation.

```json
{
  "v4_ips": [
    "192.0.2.100",        // Single IP
    "198.51.100.0/24",    // CIDR block
    "203.0.113.0/24"      // Another CIDR block
  ],
  "v6_ips": [
    "2001:db8::1",        // Single IPv6
    "2001:db8::/32"       // IPv6 CIDR
  ]
}
```

### ASN-Based Exceptions

**Exclude Cloud Provider ASNs**

Exempt traffic from major cloud provider ASNs from the reputation and bot-impersonation checks shown below.

```json
{
  "security_config": {
    "deny_groups": [
      "REP",
      "BOT-BROWSER-IMPERSONATOR"
    ],
    "exceptions": {
      "REP": {
        "asn": [
          16509,  // Amazon AWS
          15169,  // Google Cloud
          8075    // Microsoft Azure
        ]
      },
      "BOT-BROWSER-IMPERSONATOR": {
        "asn": [16509, 15169],
        "paths": ["/api/webhook", "/api/callback"]
      }
    }
  }
}
```

**Partner Network ASN Exception**

Allow-list specific partner networks by ASN, using the string format.

```json
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": ["32934", "13335", "20940"],
        "paths": ["/api/partner/"]
      }
    }
  }
}
```

**Mixed ASN and IP Exceptions**

Combine ASN exceptions with IP-based exceptions for comprehensive allow-listing.

```json
{
  "security_config": {
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "asn": [16509, 15169],
        "v4_ips": ["192.0.2.0/24", "198.51.100.0/24"],
        "v6_ips": ["2001:db8::/32"]
      }
    }
  }
}
```

**ASN Exception Options**

| Property | Type | Description |
| --- | --- | --- |
| `asn` | array[integer\|string] | AS numbers to exclude (1-50 items, without AS prefix) |

### ASN Format Reference

**ASN Format Examples**

| Provider | ASN (Integer) | ASN (String) |
| --- | --- | --- |
| Amazon AWS | `16509` | `"16509"` |
| Google Cloud | `15169` | `"15169"` |
| Microsoft Azure | `8075` | `"8075"` |
| Cloudflare | `13335` | `"13335"` |
| Facebook | `32934` | `"32934"` |

## Complete Exception Types

```json
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/api/filter"],
        "rule_ids": ["950001", "950907"],
        "v4_ips": ["192.0.2.0/24"],
        "v6_ips": ["2001:db8::/32"],
        "asn": [16509, 15169]
      },
      "XSS-ANOMALY": {
        "paths": ["/admin/wysiwyg"],
        "v4_ips": ["198.51.100.0/24"]
      },
      "REP": {
        "asn": [16509, 15169, 8075],
        "paths": ["/api/webhook"]
      }
    }
  }
}
```

**Exception Property Reference**

| Property | Type | Limit | Description |
| --- | --- | --- | --- |
| `paths` | array[string] | 1-50 | URL path prefixes to exclude |
| `rule_ids` | array[string] | 1-50 | Specific rule IDs to exclude |
| `v4_ips` | array[string] | 1-50 | IPv4 addresses/CIDR to exclude |
| `v6_ips` | array[string] | 1-50 | IPv6 addresses/CIDR to exclude |
| `asn` | array[int\|string] | 1-50 | AS numbers to exclude |
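A config linter, added here as an example (it is not part of this page's schema or the CDN's own tooling): it checks `deny_groups` against the Core WAF Groups table, the 1-50 item limits and types from the property reference above, the address family of `v4_ips` and `v6_ips` entries, and the integer-or-digit-string ASN format without the `AS` prefix. The extra check that every exception key also appears in `deny_groups` is an assumption of this example, not a rule the page states; the sample config with deliberate mistakes is constructed.

```python
import ipaddress

# Group names from the Core WAF Groups table on this page.
KNOWN_GROUPS = {
    "SQL-INJECTION-ANOMALY", "XSS-ANOMALY", "CMD-INJECTION-ANOMALY", "LFI-ANOMALY",
    "RFI-ANOMALY", "WAT-ANOMALY", "PLATFORM-ANOMALY", "POLICY-ANOMALY",
    "PROTOCOL-ANOMALY", "BOT-BROWSER-IMPERSONATOR", "IPBLOCK-BURST",
    "IPBLOCK-SUMMARY", "REP",
}
# Exception criteria and item limits from the Exception Property Reference table.
CRITERIA = ("paths", "rule_ids", "v4_ips", "v6_ips", "asn")
MIN_ITEMS, MAX_ITEMS = 1, 50


def _check_item(where, key, item):
    """Validate one array element; return a list of error strings (empty if fine)."""
    if key == "asn":
        # Integer or digit string, given without the "AS" prefix.
        ok = not isinstance(item, bool) and isinstance(item, (int, str)) and str(item).isdigit()
        return [] if ok else [f"{where}: {item!r} is not an AS number (integer or digit string, no AS prefix)"]
    if not isinstance(item, str):
        return [f"{where}: {item!r} must be a string"]
    if key == "paths" and not item.startswith("/"):
        return [f"{where}: path prefix {item!r} must start with '/'"]
    if key in ("v4_ips", "v6_ips"):
        try:
            net = ipaddress.ip_network(item, strict=False)  # accepts a bare address or a CIDR block
        except ValueError:
            return [f"{where}: {item!r} is not an IP address or CIDR block"]
        want = 4 if key == "v4_ips" else 6
        if net.version != want:
            return [f"{where}: {item!r} is IPv{net.version}, expected IPv{want}"]
    return []


def validate_security_config(doc):
    """Return every problem found in doc['security_config']; an empty list means it passed."""
    errors = []
    cfg = doc.get("security_config")
    if not isinstance(cfg, dict):
        return ["security_config must be an object"]
    groups = cfg.get("deny_groups", [])
    if not isinstance(groups, list):
        errors.append("deny_groups must be an array")
        groups = []
    errors += [f"deny_groups: unknown group {g!r}" for g in groups if g not in KNOWN_GROUPS]
    if len(set(groups)) != len(groups):
        errors.append("deny_groups: duplicate entries")
    exceptions = cfg.get("exceptions", {})
    if not isinstance(exceptions, dict):
        return errors + ["exceptions must be an object"]
    for group, exc in exceptions.items():
        if group not in KNOWN_GROUPS:
            errors.append(f"exceptions: unknown group {group!r}")
        elif group not in groups:
            # Assumption of this example: an exception for a group that is not denied
            # is inert, which usually means a typo or a stale entry.
            errors.append(f"exceptions: {group} is not listed in deny_groups")
        if not isinstance(exc, dict) or not exc:
            errors.append(f"exceptions.{group}: must be a non-empty object")
            continue
        for key, items in exc.items():
            where = f"exceptions.{group}.{key}"
            if key not in CRITERIA:
                errors.append(f"{where}: unknown criterion")
            elif not isinstance(items, list) or not MIN_ITEMS <= len(items) <= MAX_ITEMS:
                errors.append(f"{where}: must be an array of {MIN_ITEMS}-{MAX_ITEMS} items")
            else:
                for item in items:
                    errors += _check_item(where, key, item)
    return errors


# Constructed sample with four deliberate mistakes, one per check.
SAMPLE_BAD = {
    "security_config": {
        "deny_groups": ["SQL-INJECTION-ANOMALY", "REP"],
        "exceptions": {
            "SQL-INJECTION-ANOMALY": {
                "paths": ["api/legacy"],          # missing leading slash
                "v4_ips": ["2001:db8::1"],        # IPv6 address in the v4 list
                "asn": ["AS16509"],               # AS prefix is not allowed
            },
            "XSS-ANOMALY": {"paths": ["/admin"]},  # group is not in deny_groups
        },
    }
}

if __name__ == "__main__":
    for problem in validate_security_config(SAMPLE_BAD):
        print(problem)
```

Run the linter in CI before pushing a tenant config: a typo in a group name or a `v6` address in the `v4_ips` list silently produces an exception that never matches, which is easy to miss in a review of raw JSON.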

## Complete Examples

### Comprehensive Configuration

```json
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/legacy/import"],
        "v4_ips": ["192.0.2.0/24"]
      },
      "XSS-ANOMALY": {
        "paths": ["/admin/wysiwyg"],
        "v4_ips": ["198.51.100.1"]
      }
    }
  }
}
```

## Use Case Examples

### E-commerce Security

```json
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "CMD-INJECTION-ANOMALY",
      "BOT-BROWSER-IMPERSONATOR"
    ],
    "exceptions": {
      "SQL-INJECTION-ANOMALY": {
        "paths": ["/api/search", "/api/catalog"],
        "v4_ips": ["198.51.100.0/24"]
      },
      "BOT-BROWSER-IMPERSONATOR": {
        "paths": ["/api/webhook"],
        "v4_ips": ["203.0.113.0/24"]
      }
    }
  }
}
```

### Content Management

```json
{
  "security_config": {
    "deny_groups": [
      "SQL-INJECTION-ANOMALY",
      "XSS-ANOMALY",
      "LFI-ANOMALY",
      "RFI-ANOMALY",
      "REP"
    ],
    "exceptions": {
      "XSS-ANOMALY": {
        "paths": ["/admin/editor", "/admin/content"],
        "v4_ips": ["192.0.2.0/24"]
      },
      "LFI-ANOMALY": {
        "paths": ["/admin/media"],
        "v4_ips": ["192.0.2.0/24"]
      }
    }
  }
}
```
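To make the exception matching rules concrete, here is an added evaluator (example code, not the CDN's own implementation) that takes a config, a request and the WAF findings raised for it, and returns the findings that remain enforced after exceptions are applied. It assumes points the page does not state: path prefixes match on path-segment boundaries (`/admin/media` covers `/admin/media/x` but not `/admin/media-library`); by default any single matching criterion exempts the request (`mode="any"`), while `mode="all"` requires every criterion present in the exception to match; ASNs given as integers or strings compare numerically. The config is modelled on the Content Management example above with added `rule_ids` and `asn` criteria, and the request attributes and finding ids are constructed placeholders.

```python
import ipaddress


def path_matches(prefix, path):
    """Prefix match on path-segment boundaries (an assumption of this example)."""
    # "/admin/" covers everything under /admin/; "/api/v1/upload" covers that path
    # and anything below it, but not a sibling such as "/api/v1/uploads".
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def ip_matches(entries, client_ip):
    """True if client_ip falls inside any listed address or CIDR block of the same family."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def matched_criteria(exc, request, rule_id=None):
    """Return the names of the exception criteria that this request satisfies."""
    hits = set()
    if any(path_matches(p, request["path"]) for p in exc.get("paths", [])):
        hits.add("paths")
    if rule_id is not None and rule_id in exc.get("rule_ids", []):
        hits.add("rule_ids")
    if ip_matches(exc.get("v4_ips", []) + exc.get("v6_ips", []), request["ip"]):
        hits.add("ips")
    # ASNs may be integers or digit strings (see the ASN format table); compare numerically.
    asn = request.get("asn")
    if asn is not None and int(asn) in {int(a) for a in exc.get("asn", [])}:
        hits.add("asn")
    return hits


def enforced_findings(doc, request, findings, mode="any"):
    """Filter WAF findings, given as (group, rule_id) pairs, down to those the config enforces.

    mode="any" (assumed default): one matching criterion exempts the request from the group.
    mode="all": every criterion present in the exception must match.
    """
    cfg = doc["security_config"]
    deny = set(cfg.get("deny_groups", []))
    exceptions = cfg.get("exceptions", {})
    enforced = []
    for group, rule_id in findings:
        if group not in deny:
            continue  # group is not enabled in deny_groups, so nothing to enforce
        exc = exceptions.get(group)
        if exc:
            hits = matched_criteria(exc, request, rule_id)
            present = {"ips" if k in ("v4_ips", "v6_ips") else k for k in exc}
            exempt = bool(hits) if mode == "any" else present <= hits
            if exempt:
                continue
        enforced.append((group, rule_id))
    return enforced


# Constructed config modelled on the Content Management example above,
# with added rule_ids and ASN criteria so every exception type is exercised.
CONFIG = {
    "security_config": {
        "deny_groups": ["SQL-INJECTION-ANOMALY", "XSS-ANOMALY", "LFI-ANOMALY", "REP"],
        "exceptions": {
            "SQL-INJECTION-ANOMALY": {"rule_ids": ["950001", "950907"]},
            "XSS-ANOMALY": {"paths": ["/admin/editor", "/admin/content"], "v4_ips": ["192.0.2.0/24"]},
            "LFI-ANOMALY": {"paths": ["/admin/media"], "v4_ips": ["192.0.2.0/24"]},
            "REP": {"asn": [16509, "15169"], "paths": ["/api/webhook"]},
        },
    }
}

if __name__ == "__main__":
    # Constructed request and finding ids (placeholders, not real rule numbers).
    request = {"path": "/admin/media-library", "ip": "198.51.100.7", "asn": 64496}
    findings = [("LFI-ANOMALY", "lfi-1"), ("XSS-ANOMALY", "xss-1"), ("CMD-INJECTION-ANOMALY", "cmd-1")]
    # The sibling path and an address outside 192.0.2.0/24 keep LFI and XSS enforced;
    # CMD-INJECTION-ANOMALY is dropped because it is not in deny_groups.
    print(enforced_findings(CONFIG, request, findings))
```

The `mode` switch matters for review: with `mode="any"` the partner-network example above exempts every request from the listed ASNs, on any path, whereas the narrower reading only exempts them under `/api/partner/`. Confirm which semantics your CDN applies before relying on a combined exception, and prefer adding `paths` to an ASN or IP exception so a broad allow-list does not cover the whole site.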

## Best Practices and Validation

## Next Steps
