
Security Protection-related Queries

What Security Features Does EdgeOne Have?

EdgeOne provides reverse proxy and protocol-specific security protection for Web application services and TCP/UDP application services.
Security features by access service type (the original table's check marks did not survive extraction; the feature columns that can be recovered are listed per row):
L4 Proxy (TCP/UDP Application Service): DDoS Protection (Note 1). Other security features, including L7 CC Attack Protection and Bot Management, are not available for this service type.
L7 Zone (Web Application Service): DDoS Protection (Note 1), L7 CC Attack Protection, and Bot Management (Note 2).
Note:
Note 1: Default platform-level protection is provided. If you have specific protection capacity requirements, please use Exclusive DDoS Protection Usage.
Note 2: Bot Management subscription is required; see Billing Overview (New Version).

I've already configured a Web Application Firewall (WAF) on my origin server. Do I need to use EdgeOne security protection?

EdgeOne aims to provide integrated acceleration and security capabilities. Therefore, when you connect your application and services to EdgeOne, EdgeOne starts providing protection services. In addition to the protection already in place on your origin server, EdgeOne offers:
Distributed Security Protection: Provides protection resources distributed in multiple independent cleansing centers worldwide, offering efficient redundancy and disaster recovery through a distributed access architecture.
Protection Capability for Cached Resources: Can simultaneously check requests accessing cached resources. The usage of security policies intercepted by EdgeOne is not billed, reducing unnecessary content delivery costs.
Threat Recognition Closest to the Client: EdgeOne is typically accessed directly by clients, enabling collection and analysis of L4 connection session information from clients, assisting in identifying malicious access.
Compatibility with Your Origin Server Security Policies: Supports marking of origin-pull requests (Note 3), allowing further analysis of requests at the origin server.
Note:
Note 3: You need to subscribe to and enable Bot Management. Bot Management includes identification headers in origin-pull requests to assist in further analysis.

How to configure IP blocklists/allowlists? Can I configure network segment blocklists/allowlists?

If you need to configure an IP blocklist (i.e., block specified client IPs), you can configure the Basic Access Control in Custom Rules, select Client IP Control, configure the list of IPs to be blocked, and choose the blocking method.

If you need to configure an IP allowlist (i.e., allow specified client IPs), you can use Exception Rules, select the Client IP matching condition, and choose the security modules to be skipped.
Note:
The application scenarios for an IP allowlist may vary:
(1) Allow specified client IPs to pass. In this scenario, configure Exception Rules to skip specified security modules.
(2) Only allow specified client IPs to access. In this scenario, configure Basic Access Control rules in Custom Rules to block client IPs not in the specified list.

How to configure region blocking? How to block access from regions outside the Chinese mainland?

You can use Basic Access Control in Custom Rules, select Regional Control, configure the list of client regions to be blocked, and choose the blocking method. If you need to block access from regions outside the Chinese mainland, select Region Mismatch, set the matching content to the Chinese mainland region, and choose the blocking method.

How to configure Hotlink Protection? How to allow access only from this domain and specified domains?

Hotlink protection is mainly used to prevent static resources from being loaded by external website pages.

Common Hotlink Protection Techniques

The basic hotlink protection policy uses the Referer header to judge whether a request originates from a page load, intercepting requests for resources referenced by external sites as well as requests not made through a page load (for example, directly accessing a static resource by entering its URL in the browser). You can use Basic Access Control in Custom Rules to block requests whose Referer header is not in the specified domain list.
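To make the Referer-based policy above concrete, here is an added example (not EdgeOne's own code) of the decision a Referer allowlist implements: accept only requests referred from your own domain or listed partner domains, reject direct access (no Referer), and avoid the look-alike pitfalls of naive substring matching. The domain names are constructed for the example.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the site's own domain plus one specified partner domain.
ALLOWED_REFERER_DOMAINS = ("example.com", "cdn-partner.example.net")


def referer_allowed(referer: Optional[str],
                    allowed: Iterable[str] = ALLOWED_REFERER_DOMAINS) -> bool:
    """Decide whether a resource request may proceed based only on its Referer.

    An absent or empty Referer (direct URL entry, or a client that strips the
    header) is rejected, matching a policy that blocks direct access.
    """
    if not referer:
        return False
    # urlsplit().hostname drops scheme, userinfo, port and path; a Referer
    # without a scheme ("example.com/page") yields None and is rejected.
    host = urlsplit(referer).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    # Match the exact domain or a subdomain of it. Matching on the host, not the
    # raw string, means "example.com.evil.net" and "?u=example.com" do not pass.
    return any(host == d or host.endswith("." + d) for d in allowed)
```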


Further Validation of Data Access Security

Using HTTP header fields can address common hotlinking scenarios, but malicious clients can still forge legitimate-looking HTTP requests through technical means to obtain site resources. To further improve the security of resource access, you can dynamically generate URLs carrying time-sensitive random signatures. Before serving a resource, verify that the signature is valid and has not expired to determine whether the request is permitted to access it. EdgeOne's Rule Engine offers Token Authentication options, assisting in generating signed URLs and providing a signature verification mechanism. You can also use EDGE-FUNCTION to implement custom dynamic access authentication.
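The following added example illustrates the signed-URL mechanism described above with a generic HMAC scheme; it is not EdgeOne's Token Authentication format (whose signing rules are documented separately) and the secret key and URLs are constructed values. The signature binds both the resource path and the expiry time, so neither can be changed without invalidating it.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical shared key known only to the URL issuer and the verifier (constructed).
SECRET = b"constructed-demo-key-do-not-reuse"


def _signature(secret: bytes, path: str, expires: int) -> str:
    # Sign path and expiry together: a signature issued for one resource cannot be
    # reused for another, and the expiry cannot be extended by editing the query.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(url: str, secret: bytes, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Return `url` with `expires` and `sig` query parameters appended."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    parts = urlsplit(url)
    extra = urlencode({"expires": expires, "sig": _signature(secret, parts.path, expires)})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_url(url: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Accept only URLs whose signature matches and whose expiry has not passed."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed request: deny
    if now > expires:
        return False  # genuine signature, but the link has expired
    # Constant-time comparison avoids leaking how many signature bytes matched.
    return hmac.compare_digest(sig, _signature(secret, parts.path, expires))
```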

What is "Monitor," and does the "Monitor" action involve interception?

The "Monitor" action only logs information and does not intercept requests. This is helpful for evaluating policies, as rules set to "Monitor" won't impact your business. Therefore, you can assess the impact on normal business and evaluate matching situations with malicious requests by checking the logs. This helps determine whether to enable interception. See Actions for more details.

What is "JavaScript Challenge," and what impact does the "JavaScript Challenge" action have on business?

The "JavaScript Challenge" action responds with a page that verifies whether the requesting client supports Cookies and a JavaScript runtime environment. Browsers that pass the verification can proceed with access, while other tools (for example, cURL) will be intercepted. This method helps identify some non-browser tools.
Note:
API clients cannot complete JavaScript challenges and will be intercepted by the "JavaScript Challenge" action.