Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling

Action

The Web protection module provides multiple action options. Different feature modules support different actions, please refer to the specific feature module document.
Action
Use Case
Action Description
Subsequent Action
Block
Used to block requests to access a site (including cached or non-cached content).
Respond with block page and block status code.
No longer
matches other policies
Allow
Used to skip the remaining rules in the current security module.
In the current module, the remaining rules will no longer match this request.
Continue to match other effective rules
Monitor
Used to evaluate or grayscale its security policies.
Logs are only recorded, no actions are taken.
Continue to match other rules
Redirect
Used to provide standby resources and improve user access experience when blocked.
Redirect to the specified URL.
No longer
matches other policies
ReturnCustomPage
Used to provide block pages with a better experience.
Used to be compatible with the API format and respond to error messages that the API can parse.
Used to monitor business and monitor blocked requests by specifying status codes.
Returns a custom error page and status code. Supports referencing page content defined in the Custom Error Page feature.
No longer
matches other policies
BlockIP
Used to punish malicious clients.
When a request matches the conditions, discard requests from that client IP within a period of time.
Note:
If the matching condition used is client IP (the XFF header is matched first), IP blocking will be based on the request source client IP, rather than the XFF header. Configure with caution.
No longer
matches other policies
JSChallenge
Used to identify tool clients that do not support JavaScript, frequently seen in DDoS attack sources.
Respond with an HTTP 302 redirect page, the page carries JavaScript code to verify the client browser behavior, and only the visitors that passes the verification can continue to access.
Requests that pass the challenge continue to match other rules
ManagedChallenge
Used for Bot defense, JavaScript challenge verification is first performed, and then CAPTCHA human verification is performed on requests that pass the verification.
First take the JavaScript challenge. For clients that pass the verification, they need to respond to the redirection (HTTP 302) page and carry the verification code for verification, and the user completes the verification through interactive operations. Only visitors who pass both verifications can continue to visit.
Requests that pass the challenge continue to match other rules

JavaScript Challenge

The JavaScript challenge verification process is imperceptible browser verification, neither displaying a verification page nor requiring manual intervention. The browser can automatically complete the verification and display the requested resources. This method can effectively filter DDoS attacks initiated by distributed scripts.

JavaScript Challenge Use Cases

JavaScript Challenge mainly applies to protection of the following resources:
Pages visited in the browser;
Resources accessed only after you visit a page in the browser.
Note:
JavaScript Challenge is not suitable for the following scenarios:
Non-browser client access and certain scenarios, such as APIs accessed by mobile applications and APIs not called through a page. In such scenarios, the client may fail to pass verification for it cannot handle the JavaScript response content properly, thereby causing access to be blocked.
Scenarios where the request header options such as Accept are used for accessing non-HTML static resources. In such scenarios, the client may fail to pass verification for the JavaScript challenge response content does not match the Content-Type option in the Accept header, thereby causing failure of the resource access.
For the above business scenarios, you should use the ReturnCustomPage , Redirect or Block action, or configure protection exception rules to ensure normal business operation.

JavaScript Challenge Interaction Flow


When the security policy uses JavaScript Challenge to handle requests, EdgeOne responds with a redirect page (HTTP 302) containing a JavaScript program to verify the browser runtime environment. After receiving this response, browsers with JavaScript enabled will execute the verification program and perform an HTTP 302 redirect. After receiving the redirect request, the EdgeOne security protection module will allow requests carrying valid identifiers (client IP and User-Agent).
Note:
When the client frequently attempts JavaScript challenges and triggers interceptions, it will lead to the client entering the JavaScript Challenge blocklist. For a period of time, the security policy will no longer respond to JS challenges for that client and will directly respond with an interception page. To restore the client's access, please configure Protection Exception Rules.

Managed Challenge

Managed Challenge integrates JavaScript Challenge and CAPTCHA (human-machine verification) to verify the browser environment and human users through two-factor authentication. This method effectively filters out non-browser client access.

Managed Challenge Interaction Flow


When the security protection policy uses JavaScript Challenge to handle requests, EdgeOne first implements the JavaScript challenge mechanism, that is, responds with a redirect page (HTTP 302) containing a JavaScript program to verify the browser runtime environment. After receiving this response, browsers with JavaScript enabled will continue to respond with a redirect page (HTTP 302) that has an embedded interactive CAPTCHA verification program. After the program completes verification on the client, an HTTP 302 redirect is performed. After receiving the redirect request, the EdgeOne security protection module will allow requests carrying valid identifiers (client IP and User-Agent).
Note:
When the client frequently attempts JavaScript challenges and triggers interceptions, it will lead to the client entering the JavaScript Challenge blocklist. For a period of time, the security policy will no longer respond to JS challenges for that client and will directly respond with an interception page. To restore the client's access, please configure Protection Exception Rules.