Supporting First Party HUMAN calls on a CDN
- 26 Nov 2023
- Print
- DarkLight
Supporting First Party HUMAN calls on a CDN
- Updated on 26 Nov 2023
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
In some cases, you may choose to handle First-Party requests outside of the HUMAN Enforcer. While this document is focused on generic CDN configurations, you can apply these same rules within a load balancer, reverse proxy, web server, etc., that sit in front of the HUMAN Enforcer.
Supporting First-Party mode requires three separate reverse proxy routes or rules to be configured.
Note:
[app_id] is your HUMAN Application ID and [app_id without PX] is the appID without "PX". For example, if your HUMAN Application ID is PX1234567, [app_id] is PX1234567 and [app_id without PX] is 1234567.
Points to Consider
- If required, the proper corresponding cert pinning should be setup on the CDN.
- You can define specific rules to tell the CDN to expire cached content on their servers or your origin server can add headers to the content that contains expire information and the CDN can be configured to honor that instead. The cache TTL should be set to 10 mins or to honor the origin cache header as received from the origin.
- If caching at the CDN (recommended) the cache key should be set to the incoming host name instead of origin to avoid HUMAN domain name in cache key
Rule 1 - Sensor Call: Delivering HUMAN Sensor
Request to the HUMAN Sensor.
- In Third-Party mode, the request is sent to
https://client.perimeterx.net/[app_id]/main.min.js. - In First-Party mode, the request is sent to
https://www.customerdomain/[app_id without PX]/init.js.
To support this request, you need a rule that handles incoming requests for https://www.customerdomain/[app_id without PX]/init.js and that makes an origin call to https://client.perimeterx.net/[app_id]/main.min.js.
Rule 2 - Handling First-Party Captcha.js Call
This is the request that helps facilitate HUMAN Captchas.
In Third-Party mode, the request is sent to https://captcha.px-cdn.net/[app_id]/captcha.js?XXX. In First-Party mode, the request is sent to https://www.customerdomain/[app_id without PX]/captcha/*.
In order to support this request, you need a rule to handle incoming requests for https://www.customerdomain/[app_id without PX]/captcha/* that makes an origin call to https://captcha.px-cdn.net/[app_id]/captcha.js?XXX
Rule 3 - Handling XHR calls at the CDN:
This is the request that facilitates HUMAN feedback from the client.
In Third-Party mode, the request will be to https://collector-[app_id].px-cloud.net/api/v[*]/collector. In First-Party mode, this same request will be to https://www.customerdomain.com/[app_id without PX]/xhr/[$1]. $1 is used as a variable that contains the rest of the path after https://www.customerdomain.com/[app_id without PX]/xhr/.
For example, requests will be on the path https://www.customerdomain.com/of8vanwA/xhr/api/v1/collector. The requested rule on CDN should route it to https://collector-pxof8vanwA.px-cloud.net/api/v1/collector.
In order to support this request, you need a rule that handles incoming requests for https://www.customerdomain.com/[app_id without PX]/xhr/[$1] that make an origin call to collector-[app_id].perimeterx.net/[$1].
Points to Consider
- If required, the proper corresponding cert pinning should be setup on CDN.
- These calls should NOT be cached
First Party Calls
There are 3 main calls that need to be configured for first-party.
Third Party | First Party (incoming) | Origin Call |
|---|---|---|
|
|
|
|
| |
|
|
|
Next Steps
After configuring the CDN to handle First-Party requests, complete the steps listed on the Integrate 1st-Party JS Snippet to make sure your snippet is setup to serve the Javascript Sensor via First Party.
Was this article helpful?