Skip to content

[API Shield] Sequence mitigation custom rules #18775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Dec 17, 2024
Merged

[API Shield] Sequence mitigation custom rules #18775

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/content/docs/api-shield/security/sequence-mitigation/configure.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
title: Configure Sequence Mitigation
pcx_content_type: how-to
type: overview
sidebar:
order: 1
head:
- tag: title
content: Configure Sequence Mitigation
Expand Down
59 changes: 59 additions & 0 deletions src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
pcx_content_type: reference
title: Sequence Mitigation custom rules
sidebar:
order: 2

---

import { GlossaryTooltip, Render } from "~/components"

API Shield sequence custom rules use the configured API Shield <GlossaryTooltip term="session identifier">session identifier</GlossaryTooltip> to track the order of requests a user has made and the time between requests, and makes them available via [Cloudflare Rules](/rules). This allows you to write rules that match valid or invalid sequences.

These rules are different from [cookie sequence rules](/bots/concepts/sequence-rules/) in a few ways:

- They only require an API Shield subscription.
- They require [session identifiers](/api-shield/get-started/#session-identifiers) to be set in API Shield.
- Because they use an API's session identifiers, they can be used for APIs designed for mobile applications.
- Because Cloudflare stores the user state in memory and not in a cookie, the session lifetime is limited to 10 minutes.

Rules built using these custom rules are different from sequence mitigation rules built [via API or the Cloudflare dashboard](/api-shield/security/sequence-mitigation/). The custom rules syntax enables free-form logic and response options that the dashboard does not.

## Availability

<Render file="sequence-rules-availability" product="bots" />

## Example rules

Each saved endpoint will have an endpoint ID visible in its details page in Endpoint Management in the form of a UUID. The references below (`aaaaaaaa`, `bbbbbbbb`, and `cccccccc`) are the first eight characters of the endpoint ID.

The visitor must wait more than 2 seconds after requesting endpoint `aaaaaaaa` before requesting endpoint `bbbbbbbb`:

```txt
cf.sequence.current_op eq "bbbbbbbb" and
cf.sequence.msec_since_op["aaaaaaaa"] ge 2000
```

The visitor must request endpoints `aaaaaaaa`, then `bbbbbbbb`, then `cccccccc` in that exact order:

```txt
cf.sequence.current_op eq "cccccccc" and
cf.sequence.previous_ops[0] == "bbbbbbbb" and
cf.sequence.previous_ops[1] == "aaaaaaaa"
```

The visitor must request endpoint `aaaaaaaa` before endpoint `bbbbbbbb`, but endpoint `aaaaaaaa` can be anywhere in the previous 10 requests:

```txt
cf.sequence.current_op eq "bbbbbbbb" and
any(cf.sequence.previous_ops[*] == "aaaaaaaa")
```

The visitor must request either endpoint `aaaaaaaa` before endpoint `bbbbbbbb`, or endpoint `cccccccc` before endpoint `bbbbbbbb`:

```txt
(cf.sequence.current_op eq "bbbbbbbb" and
any(cf.sequence.previous_ops[*] == "aaaaaaaa")) or
(cf.sequence.current_op eq "bbbbbbbb" and
any(cf.sequence.previous_ops[*] == "cccccccc"))
```
40 changes: 1 addition & 39 deletions src/content/docs/bots/concepts/sequence-rules.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,45 +56,7 @@ Cloudflare only stores up to the 10 most recent operations in a sequence for up

## Availability

These sequence fields are available in:

- [Custom rules](/waf/custom-rules/) (`http_request_firewall_custom` phase)
- [Rate limiting rules](/waf/rate-limiting-rules/) (`http_request_ratelimit`)
- [Bulk redirects](/workers/examples/bulk-redirects/) (`http_request_redirect`)
- [HTTP request header modification rules](/rules/transform/response-header-modification/) (`http_request_late_transform`)

<table>
<thead>
<tr>
<th style="width: 35%;">Field name</th>
<th>Description</th>
<th>Example value</th>
</tr>
</thead>
<tbody style='vertical-align:top'>
<tr>
<td><p><code>cf.sequence.current_op</code><br />`String`</p></td>
<td>
<p>This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string.</p>
</td>
<td><p><code>c821cc00</code></p></td>
</tr>
<tr>
<td><p><code>cf.sequence.previous_ops</code><br />`Array<String>`</p></td>
<td>
<p>This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request. <br /><br /> If an operation is repeated, it will appear multiple times in the sequence.</p>
</td>
<td><p><code>["f54dac32", "c821cc00", "a37dc89b"]</code></p></td>
</tr>
<tr>
<td><p><code>cf.sequence.msec_since_op</code><br />`Map<Number>`</p></td>
<td>
<p>This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred. <br /><br /> This does not include the current request or operation as it only factors in previous operations in the sequence.</p>
</td>
<td><p>`{"f54dac32": 1000, "c821cc00": 2000}`</p></td>
</tr>
</tbody>
</table>
<Render file="sequence-rules-availability" />

### Example rules

Expand Down
44 changes: 44 additions & 0 deletions src/content/partials/bots/sequence-rules-availability.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
{}

---

These sequence fields are available in:

- [Custom rules](/waf/custom-rules/) (`http_request_firewall_custom` phase)
- [Rate limiting rules](/waf/rate-limiting-rules/) (`http_request_ratelimit`)
- [Bulk redirects](/workers/examples/bulk-redirects/) (`http_request_redirect`)
- [HTTP request header modification rules](/rules/transform/response-header-modification/) (`http_request_late_transform`)

<table>
<thead>
<tr>
<th style="width: 35%;">Field name</th>
<th>Description</th>
<th>Example value</th>
</tr>
</thead>
<tbody style='vertical-align:top'>
<tr>
<td><p><code>cf.sequence.current_op</code><br />`String`</p></td>
<td>
<p>This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string.</p>
</td>
<td><p><code>c821cc00</code></p></td>
</tr>
<tr>
<td><p><code>cf.sequence.previous_ops</code><br />`Array<String>`</p></td>
<td>
<p>This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request. <br /><br /> If an operation is repeated, it will appear multiple times in the sequence.</p>
</td>
<td><p><code>["f54dac32", "c821cc00", "a37dc89b"]</code></p></td>
</tr>
<tr>
<td><p><code>cf.sequence.msec_since_op</code><br />`Map<Number>`</p></td>
<td>
<p>This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred. <br /><br /> This does not include the current request or operation as it only factors in previous operations in the sequence.</p>
</td>
<td><p>`{"f54dac32": 1000, "c821cc00": 2000}`</p></td>
</tr>
</tbody>
</table>
Loading