User Experience (Response)

This article explains the legacy version of WAF that will undergo end-of-life on June 30, 2021. Our new version of WAF expands upon all of the capabilities offered by WAF and Rate Limiting with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

Once a WAF instance has been activated through Rules Engine, all requests that meet the specified match criteria will be screened according to the profile associated with that instance. Additionally, that instance's Production Action setting determines whether WAF will generate alerts or block unwanted traffic. The user experience for each possible configuration is described below.

Configuration | Description

Alert | The requester will be unaware that the request was screened by WAF.

Block | The user experience for requests blocked by WAF is described below.

  • The user will receive a 403 Forbidden response instead of the requested asset.
  • The response for the blocked request will include an additional response header. The name of this response header is defined by the corresponding profile's Response Header Name option. This response header will be set to "403".

Default WAF response header name/value:

X-EC-Security-Audit: 403
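
A monitoring-side check for the Block behaviour described above, added here as an example and not taken from the product documentation: it separates a 403 issued by WAF (status 403 plus the audit header set to 403) from a 403 that came from elsewhere, and accepts a custom header name because the profile's Response Header Name option can change it. The function name `classify_response`, the header name `X-Example-Audit` and the sample responses are constructed for illustration.

```python
from email.parser import Parser

# Default header name shown on this page; a profile may define a different one.
DEFAULT_AUDIT_HEADER = "X-EC-Security-Audit"


def classify_response(raw_head: str, audit_header: str = DEFAULT_AUDIT_HEADER) -> str:
    """Classify a raw HTTP response head (status line plus headers).

    Returns "waf-block", "other-403" or "not-blocked".
    """
    status_line, _, header_text = raw_head.replace("\r\n", "\n").partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    status = int(parts[1])

    # Header names are case-insensitive; Message.get() handles that for us.
    headers = Parser().parsestr(header_text, headersonly=True)
    marker = (headers.get(audit_header) or "").strip()

    if status == 403 and marker == "403":
        return "waf-block"      # 403 carrying the WAF audit header
    if status == 403:
        return "other-403"      # e.g. origin ACL or token auth, not this WAF profile
    return "not-blocked"        # includes Alert mode, which leaves no client-visible trace


# Constructed sample responses (not captured traffic).
BLOCKED = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nx-ec-security-audit: 403\r\n\r\n"
ORIGIN_403 = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
SERVED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
CUSTOM_NAME = "HTTP/1.1 403 Forbidden\r\nX-Example-Audit: 403\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("blocked", BLOCKED), ("origin 403", ORIGIN_403),
                         ("served", SERVED), ("custom name", CUSTOM_NAME)]:
        print(f"{name:12} -> {classify_response(sample)}")
    print("custom name  ->", classify_response(CUSTOM_NAME, "X-Example-Audit"))
```

A "not-blocked" result does not mean the request was not screened: in Alert mode the response carries no indication of WAF processing.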