This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.
The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.
WAF Essential allows customers with basic security needs to leverage our powerful security solutions to protect their origin servers. WAF Essential allows you to create up to 2 profiles, 1 instance, and 3 rate limiting rules at any given time. This is sufficient to set up a dual WAF configuration through which you may validate a new WAF configuration without compromising the security of your origin servers.
WAF Essential cannot be configured via our APIs. However, you may leverage our APIs to retrieve WAF and Rate Limiting event log data.
Enterprise customers typically find the above limits too restrictive when tailoring security to their business needs. Additional profiles, instances, and rate limiting rules provide the flexibility to tailor your security configuration to each traffic profile.
Please contact your CDN account manager to upgrade to the full version.
User experience varies according to whether a request violated a:
Once a WAF instance has been activated through Rules Engine, all requests that meet the specified match criteria will be screened according to the profile associated with that instance. Additionally, that instance's Production Action setting determines whether WAF will generate alerts or block unwanted traffic. The user experience for each possible configuration is described below.
Configuration | Description
---|---
Alert | The requester will be unaware that the request was screened by WAF.
Block | Requests blocked by WAF receive a response carrying the default WAF response header name/value: X-EC-Security-Audit: 403
Upon exceeding a rate limiting policy, a predefined action will be randomly applied to eligible requests. The type of action that will be applied to the request is defined in the rule being enforced. The user experience for each possible configuration is described below.
Configuration | Description
---|---
Alert Only | This type of rate limiting policy will not alter the user experience for rate limited requests.
Custom Response | A predefined response (i.e., header(s), body, and HTTP status code) will be sent for rate limited requests.
Drop Request | A 503 Service Unavailable response with a Retry-After header will be sent for rate limited requests.
Redirect (HTTP 302) | Rate limited requests will be redirected to a predefined URL. The requester will receive the response for the resource located at that URL and a 302 Found.