Supported Features
The following features are supported on the latest GO Enforcer (Version 4.0.0)
Advanced Blocking Response (ABR)
In specific cases (e.g., XHR post requests), a full captcha page render might not be an option. In such cases the advanced blocking response returns a JSON object containing all the information needed to render a customized captcha challenge implementation - be it a popup modal, a section on the page, etc. This allows for flexibility and customizability in terms of how the captcha pages are displayed.
Block Page Captcha
A captcha page is one of the possible response types returned to the client as a result of a request blocked by the enforcer. In the case of a request with a high risk score, the user receives an HTML page presenting a captcha challenge to solve.
Block Page Rate Limit
Rate limit is one of the possible response types returned to the client as a result of a request blocked by the enforcer. Rate Limit means that in case of a request with high score, the user receives an HTML page with the rate limit response code (429).
Bypass Monitor Header
When enabling the enforcer for the first time, it is recommended to do so in monitor mode to collect data before actually starting to block user requests. Prior to switching the module mode to active_blocking
entirely, it's also crucial to verify that the full blocking flow works as expected. This feature activates the full blocking flow even while in monitor mode if a particular header is present on the request.
Client IP Extraction
The real client IP is included in the information that the enforcer gathers and sends. When the request passes through a proxy or a load balancer before reaching the customer’s application, the module considers the internal IP as the user's IP by default. The px_ip_headers
configuration defines which headers will contain the user's real IP, as set by a previous network component. The enforcer will try to extract the IP from these headers. If no IP exists, it will fall back to the IP of the machine it is directly connected to. If IP extraction is more complex than configuring a header, this enforcer also supports defining a custom function to extract the user IP.
CSS Ref
Provides a way to include an additional custom .css file to add to the block page.
Cookie V3
The latest version of our risk cookie, which includes encrypted content and more relevant information regarding the user (e.g., the risk score is between 0 and 100).
Custom Logo
Adds a custom logo to the block page that will be shown to users. This aligns the block page with the customer's brand.
Custom Parameters
This feature enriches activities sent from the enforcer to PerimeterX with additional custom data. This data can include user information, session IDs, or other data that PerimeterX should have access to. These custom parameters are defined by a configurable function that must return an object that contains these custom parameters. There is a limit of 10 custom parameters.
Custom Request Handler
Allows for defining a custom JavaScript function that adds a custom response handler to the request.
Filter By Route
Routes (endpoints) specified here will not be blocked, regardless of the score they receive. A client request to an allowed route will not generate any risk or async activities.
Filter By Extension
PerimeterX does not enforce static assets such as images and documents. To prevent unnecessary API calls to PerimeterX servers and needless computation, the enforcer filters all requests with a valid static file extension.
First Party
To prevent suspicious or unwanted behavior on the client side, some browsers or extensions (such as an Adblock extension) may deny the frontend JavaScript code from making requests to other domains. This prevents the PerimeterX sensor from making requests to the PerimeterX backends, which greatly limits PerimeterX's detection capabilities. To avoid this problem, first_party
enables the enforcer to be used as a proxy for PerimeterX servers, and to serve content to the browser from a first party endpoint (i.e., an endpoint on the customer’s domain).
JS Ref
Provides a way to include a custom JS script to add to the block page. This script will run after the default JS scripts.
Logger
Enforcers record logs when fatal errors occur during the run of the program. All other errors and messages are logged only when the enforcer is in debug mode. When px_logger_severity
is set to debug mode, the enforcer will output all additional messages to the logger.
Mobile Support
The enforcer recognizes and handles requests coming from PerimeterX Mobile SDK. Because mobile apps do not add cookies as part of the HTTP requests, the PX cookies are sent as headers instead. Mobile user-agents may change during the flow of the app, so the mobile 'cookies' are not signed with user-agent and are considered as tokens.
Module Enable
This feature serves as an on/off switch for the entire module, providing a way to enable and disable all PerimeterX capabilities quickly and easily.
Module Mode
This feature controls the behavior of the enforcer by changing how it executes certain parts of the workflow. Most notably, different modes allow for analysis and fine-tuning of the enforcer behavior without serving block pages that affect end users.
Sensitive Headers
The PerimeterX detector requires information about the HTTP request as part of its bot detections. Certain headers may contain information that should not be forwarded to other servers, including the PerimeterX backend. Configuring these header names as sensitive headers will remove these headers from requests sent to other backends by PerimeterX.
Sensitive Routes
Certain endpoints may require more stringent protection from bot attacks (e.g., endpoints that execute payments or handle personal information). In these cases, routes can be configured as sensitive routes, meaning risk API calls will be made even if the request contains a valid, unexpired cookie.
Telemetry Command
The enforcer_telemetry
activity is sent to PerimeterX servers whenever the enforcer receives a telemetry command. This activity provides information directly to PerimeterX about the current environment and configuration of the enforcer.
VID Extraction
The visitor ID (VID) is an identifier used by PerimeterX to identify clients during and across sessions. The VID is crucial for detection, and any mishandling of this feature could decrease its accuracy.
Graphql
For those using GraphQL endpoints, it is possible to trigger server-to-server risk calls on particular operation types or names. Like the sensitive routes feature, a request that contains an operation of the configured type or name will trigger risk and client activity requests to PerimeterX servers every time that operation is performed.
The risk and the client activity requests will contain a list of the one or more Graphql operations, each including the name, type and if it's sensitive.
Credentials Intelligence
Adds login information to risk API calls to identify compromised credentials as part of the Credentials Intelligence solution.
Updated 7 months ago