A Security Application configuration determines the action that will take place when a threat is identified or a request exceeds a rate limit.
Threats
A Security Application configuration identifies a traffic profile, the rules that determine how that traffic will be screened, and the enforcement action that will take place when a threat is identified. This enforcement action is defined when you assign an access rule or managed to a Security Application configuration. The user experience for each possible configuration is described below.
-
Alert: Our service treats the request as if it had not been screened. The client will be unaware that the request was screened by Security.
-
Block: The user experience for requests blocked by Security is described below.
- The user will receive a
403 Forbidden
instead of the requested asset. - The response for the blocked request will include an additional response header. The name of this response header is defined by the corresponding rule’s
Response Header Name
option. This response header will be set to403
.
Default security response header name/value:
X-EC-Security-Audit: 403
- The user will receive a
-
Custom Response: Our service provides a custom response to identified threats. This custom response is defined within a Security Application configuration when setting up access rules and managed rules. It defines the response headers, body, and status code that will be sent to the user.
Rate Limiting
Upon exceeding a rate limit, your Security Application configuration determines the action that will be applied to eligible requests. The user experience for each possible configuration is described below.
- Alert Only: Alerts do not alter the user experience. Our service treats the request as if it had not exceeded the rate limit.
- Custom Response: Our service provides a custom response to rate limited requests. This custom response is defined within a Security Application configuration when setting up rate rules. It defines the response headers, body, and status code that will be sent to the user.
- Drop Request: Our service sends a
503 Service Unavailable
response with aRetry-After
header to rate limited requests. - Redirect (HTTP 302): Our service redirects rate limited requests to a predefined URL. The client will receive the response for the resource located at that URL and a
302 Found
.
Bot Rules
Our service serves a browser challenege whenever a client submits a request that matches the traffic identification critieria defined within your Security Application and bot rule configuration. The status code for this browser challenge is defined within your Security Application configuration. If a client is unable to solve a request, then the client will receive another browser challenge.