EdgeRules are versatile and customizable, but it can be daunting to craft a rule that produces exactly the outcome you want. Below are examples of EdgeRules commonly applied to solve everyday use cases.
- Redirect all Requests from one Subdomain to Another
- Redirect to Mobile Site
- Hide X-Powered-By Header
- Hide S3 Headers
- Hide Google Headers
- X-XSS-Protection
- Add X-Robots-Tag
- Excluding Content from CDN Cache
- Negative Capture Request Headers
- Using Variables to Add Headers to WAF Events
Redirect all Requests from one Subdomain to Another
This EdgeRule redirects requests from the current (requested) subdomain to the intended subdomain while keeping the file path and query string intact. For example, it redirects sub1.example.com/page1.php to sub2.example.com/page1.php, preserving "page1.php" (and any ?query) across the redirect.
IF URL Matches *://sub1.example.com*
THEN Redirect https://sub2.example.com%client.request.fullfilepath%%client.request.params%
Redirect to Mobile Site
This rule detects an iPhone or Android User-Agent header and redirects the request to the specified mobile version of the website, so mobile users get a mobile-optimized experience. Two things to keep in mind: the redirect target below carries no path, so every matched request lands on the mobile home page rather than the mobile equivalent of the requested page, and because the condition checks only the User-Agent, the rule must not also apply to requests for m.example.com itself, or every mobile request to the mobile site is redirected back to where it already is, producing a redirect loop.
IF Header Regex Matches /.*iPhone.*|.*Android.*/
THEN Redirect https://m.example.com
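The two redirect rules above behave differently: the first expands request variables into the target and therefore preserves the path, the second has a fixed target and fires on any URL. The following Python script is an added example, not StackPath code; it simulates both rules so the difference and the loop risk can be seen on sample requests. It assumes that "URL Matches" treats * as a wildcard and everything else literally (as the pattern *://sub1.example.com* suggests), that %client.request.fullfilepath% is the URL path and %client.request.params% is the query string including its leading ?, and it uses www.example.com as the assumed desktop host for the hardened mobile rule, which is this example's suggestion rather than a rule from the page.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit


def url_matches(pattern: str, url: str) -> bool:
    """'URL Matches' condition. Assumption: '*' matches any run of characters
    and everything else is literal, as in the pattern *://sub1.example.com*."""
    regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def request_variables(url: str) -> Dict[str, str]:
    """%client.request.*% values for a request. Assumption: fullfilepath is the
    URL path and params is the query string with its leading '?' (or empty)."""
    parts = urlsplit(url)
    return {
        "client.request.fullfilepath": parts.path or "/",
        "client.request.params": "?" + parts.query if parts.query else "",
    }


VARIABLE = re.compile(r"%([A-Za-z0-9_.]+)%")


def expand(template: str, variables: Dict[str, str]) -> str:
    """Substitute %name% tokens; unknown names become '' (assumption)."""
    return VARIABLE.sub(lambda m: variables.get(m.group(1), ""), template)


def subdomain_redirect(url: str) -> Optional[str]:
    """Rule 1: sub1 -> sub2 with path and query preserved."""
    if not url_matches("*://sub1.example.com*", url):
        return None
    target = "https://sub2.example.com%client.request.fullfilepath%%client.request.params%"
    return expand(target, request_variables(url))


MOBILE_UA = re.compile(r".*iPhone.*|.*Android.*")


def mobile_redirect(url: str, user_agent: str) -> Optional[str]:
    """Rule 2 exactly as written: fires on any URL, and the target carries no path."""
    if MOBILE_UA.search(user_agent) is None:
        return None
    return "https://m.example.com"


def mobile_redirect_scoped(url: str, user_agent: str) -> Optional[str]:
    """Hardened variant (this example's suggestion, not a rule from the page):
    only fire for the desktop host, so requests already on m.example.com are left alone."""
    if not url_matches("*://www.example.com*", url):
        return None
    return mobile_redirect(url, user_agent)


def redirect_loops(rule, url: str, user_agent: str) -> bool:
    """True when the rule sends a request back to the host it is already on."""
    target = rule(url, user_agent)
    return target is not None and urlsplit(target).netloc == urlsplit(url).netloc


# Constructed sample User-Agent (shortened).
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15"

if __name__ == "__main__":
    print(subdomain_redirect("http://sub1.example.com/page1.php?id=7"))
    print(mobile_redirect("https://www.example.com/page1.php", IPHONE_UA))
    print("loops as written:", redirect_loops(mobile_redirect, "https://m.example.com/", IPHONE_UA))
    print("loops when scoped:", redirect_loops(mobile_redirect_scoped, "https://m.example.com/", IPHONE_UA))
```

Under these assumptions the subdomain rule turns http://sub1.example.com/page1.php?id=7 into https://sub2.example.com/page1.php?id=7, while the mobile rule as written loops for a mobile request that is already on m.example.com and the scoped variant does not. The url_matches helper also shows that a pattern without a trailing * matches only that exact URL, which matters for the wp-admin rules later on this page.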
Hide X-Powered-By Header
X-Powered-By is a non-standard response header that advertises the server software or framework behind the website (PHP and Express, for example, both emit it with a version string). The browser does not need it, and removing it denies an attacker an easy fingerprint of the backend, so it is normally hidden. Note that Hide Header only strips the header from responses delivered through the CDN; the origin still sends it, so anyone who can reach the origin directly still sees it.
IF URL Matches *
THEN Hide Header regex:(?i)x-powered-by.*
Hide S3 Headers
Amazon Simple Storage Service (S3) adds its own x-amz-* response headers when content is served from a bucket, including when the bucket is used as the CDN origin. The client does not need them, and they reveal that S3 is in use, so they can be hidden. The pattern below also matches x-amz-meta-* user-defined metadata headers, so keep any of those your front end actually reads.
IF URL Matches *
THEN Hide Header regex:(?i)x-amz.*
Hide Google Headers
Similarly, Google Cloud Storage adds x-goog-* response headers when it serves assets or acts as the origin. They are non-essential and can be hidden in the same way.
IF URL Matches *
THEN Hide Header regex:(?i)x-goog.*
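After deploying the three Hide Header rules, check the result rather than assuming it: fetch a page through the CDN with curl -sI and look at what is still delivered. The following Python script is an added example, not StackPath code. It parses a header dump, applies the three patterns above (with the stray quantifier removed: x-amz*.* makes the z optional and would also match a name starting with x-am), and reports which headers the rules hide, which remain, and which of the remaining ones still fingerprint the stack. The fingerprint watchlist (Server, X-AspNet-Version and similar) is this example's assumption, not something the rules above hide, and the sample response is constructed to exercise all three rules at once.

```python
import re
from typing import List, Tuple

# Header-name patterns from the three Hide Header rules, quantifier fixed.
HIDE_PATTERNS = [
    re.compile(r"(?i)x-powered-by.*"),
    re.compile(r"(?i)x-amz.*"),
    re.compile(r"(?i)x-goog.*"),
]

# Other response headers that identify the backend. This watchlist is an
# assumption of this example; the EdgeRules above do not hide these.
FINGERPRINT_HEADERS = {"server", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a `curl -sI` style header dump into (name, value) pairs,
    skipping the status line and blank lines."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def apply_hide_rules(headers):
    """Split headers into those the rules hide and those still sent to the client."""
    hidden, remaining = [], []
    for name, value in headers:
        # match() anchors at the start of the name, as the rules intend
        if any(p.match(name) for p in HIDE_PATTERNS):
            hidden.append((name, value))
        else:
            remaining.append((name, value))
    return hidden, remaining


def still_fingerprinting(remaining) -> List[str]:
    """Names among the remaining headers that still identify the stack."""
    return sorted(name.lower() for name, _ in remaining if name.lower() in FINGERPRINT_HEADERS)


# Constructed sample of a `curl -sI` dump; values are made up and the mix of
# PHP, S3 and GCS headers is deliberate so every rule has something to hide.
SAMPLE_RESPONSE = """\
HTTP/2 200
content-type: text/html; charset=utf-8
X-Powered-By: PHP/8.1.2
x-amz-request-id: EXAMPLEREQUESTID
x-amz-id-2: EXAMPLEID2VALUE=
x-amz-meta-owner: marketing
x-goog-generation: 1700000000000000
Server: nginx
X-AspNet-Version: 4.0.30319
"""


def audit(raw: str = SAMPLE_RESPONSE) -> dict:
    """Report what the three rules hide and what still leaks."""
    hidden, remaining = apply_hide_rules(parse_headers(raw))
    return {
        "hidden": [n for n, _ in hidden],
        "remaining": [n for n, _ in remaining],
        "still_fingerprinting": still_fingerprinting(remaining),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed sample the rules hide X-Powered-By, the three x-amz-* headers (including the x-amz-meta-owner metadata header) and x-goog-generation, while Server and X-AspNet-Version still reach the client; those would need their own Hide Header rules.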
X-XSS-Protection
The X-XSS-Protection header controls a browser's built-in reflected cross-site scripting filter; with the value 1; mode=block the browser stops rendering the page when it detects an injected script instead of trying to sanitize it. Firefox never implemented the filter and Chromium-based browsers have removed it, so the header now only affects legacy browsers, and because the filter itself has been abused to leak information some guidance recommends setting it to 0. A Content-Security-Policy is the modern replacement; if you do set this header for legacy users, use the value below.
IF URL Matches *
THEN Add Response Header X-XSS-Protection
1; mode=block
Add X-Robots-Tag
The X-Robots-Tag response header controls whether search engines index a page and how they treat specific elements on it, which makes it useful for paths such as an administrative backend that should never appear in search results. To add it:
- Select the URL this tag should be added to
- Add a response header with the desired value
URL Matches patterns are wildcard-based, as in the subdomain example above; the pattern below matches only that exact URL, so append a trailing * to also cover pages beneath /wp-admin.
IF URL Matches https://www.example.com/wp-admin
THEN Add Response Header X-Robots-Tag
noindex
Excluding Content from CDN Cache
The following EdgeRule excludes the specified URL from the StackPath CDN cache. The example excludes the wp-admin path: the WordPress administrator backend is authenticated, per-user content, so caching it at the edge is useless at best and at worst could serve one administrator's response to another. As with the X-Robots-Tag rule, append a trailing * to the pattern to also cover everything beneath /wp-admin.
IF URL Matches https://www.example.com/wp-admin
THEN Do Not Cache
Negative Capture Request Headers
This rule is a template for applying custom EdgeRule actions to end-user requests based on the User-Agent header. The negated match shown here (the leading ! in the regex) can be used with any conditional.
In this example the rule fires for any User-Agent header that does not contain "chrome". Keep in mind that the User-Agent is supplied by the client and is trivially spoofed, so use this for routing and content decisions, not as a security control; also note that other Chromium-based browsers such as Edge and Opera include "Chrome" in their User-Agent and are therefore treated as Chrome by this rule.
IF Header Matches regex:!/(?i)user-agent: .*chrome.*/
THEN {Your Action}
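To see exactly which requests the negated pattern catches, the following Python script is an added example, not StackPath code. It applies the page's regex to constructed sample User-Agent strings and reports whether the rule fires for each; it assumes the condition is evaluated against the header rendered as "Name: value" with a substring search, and that a request with no User-Agent header at all simply fails to match (so the negated rule fires).

```python
import re
from typing import Dict

# The page's pattern; the rule negates it (the leading '!'), so the action
# runs when this regex does NOT match the User-Agent header line.
# Assumption: the condition is evaluated against "Name: value" with a search.
CHROME_UA = re.compile(r"(?i)user-agent: .*chrome.*")


def header_line(request_headers: Dict[str, str], name: str = "User-Agent") -> str:
    """Render the header as the rule would see it; '' if the request lacks it."""
    for key, value in request_headers.items():
        if key.lower() == name.lower():
            return f"{key}: {value}"
    return ""


def rule_fires(request_headers: Dict[str, str]) -> bool:
    """Negative capture: fire for every request whose User-Agent does not contain 'chrome'."""
    return CHROME_UA.search(header_line(request_headers)) is None


# Constructed sample requests (User-Agent strings shortened).
SAMPLES = {
    "chrome":  {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    "edge":    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"},
    "firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"},
    "curl":    {"user-agent": "curl/8.4.0"},
    "spoofed": {"User-Agent": "chrome"},   # e.g. curl -A chrome
    "no_ua":   {"Accept": "*/*"},
}


def classify(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, bool]:
    """Map each sample label to whether the negative-capture rule fires for it."""
    return {label: rule_fires(headers) for label, headers in samples.items()}


if __name__ == "__main__":
    for label, fires in classify().items():
        print(f"{label:8} fires={fires}")
```

The results show the two caveats: Edge is treated as Chrome because its User-Agent contains "Chrome/", and a client that sends a bare "chrome" User-Agent skips the action entirely, while curl, Firefox and a request with no User-Agent header all trigger it.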
Using Variables to Add Headers to WAF Events
Using the EdgeRules "Add Header to CDN" action, a header can be added that then appears in the WAF security events the request generates. This provides additional context about the request that triggered an event, so more specific decisions can be made about which unwanted requests to block.
To implement this, use the "Add Header to CDN" action, give the header a name, and use one of the available variables as its value.
Example for adding the city code:
IF URL Matches *
THEN Add Header To CDN ClientCity
%client.geoip.city%
Here are a few examples of other variables that can be used for additional data:
- %client.geoip.countryCode% - The two-character ISO-3166-1 country code
- %client.geoip.countryName% - The country name
- %client.geoip.latitude% - The latitude
- %client.geoip.longitude% - The longitude
For a complete list of variables that can be used to return information in WAF security events, refer to this article.
For a deeper dive into our EdgeRules capabilities including more use-case situations, a complete list of expansion variables and more, visit our Getting Started with CDN Custom EdgeRules page.
If any more clarification is needed, please drop us a line at hi@stackpath.com