June 22, 2021 - Subnet functionality for VPCs
To complement the initial VPC release from May 13, 2021, the StackPath Control Portal now offers VPC users the ability to create subnets.
A subnet is a segment of a VPC's IP address range where you can group isolated resources. You can use a subnet to create a route for resources within a specific workload. 
Additionally, the following API calls have been published:
- Create a subnet
- View subnets
Currently, all VPC functionality is considered a beta feature.
- To view FAQs for this VPC release, see Frequently Asked Questions About Virtual Private Clouds.
- To learn more about VPC, including how to create a subnet, see Create and Manage a VPC Network.
- To view API information, see VPC network.
- To learn more about beta at StackPath, see Beta at StackPath.
June 10, 2021 - Updated WAF product
In the StackPath Control Portal, the WAF product offering has been converted into 2 separate offerings called WAF Standard and WAF Enterprise.
Current WAF users have already been converted to the new product offering. Specifically, WAF10 users are now WAF Standard users.
Additionally in this release, StackPath will maintain DDoS settings for WAF Standard users; WAF Enterprise users can update their DDoS settings via a support ticket.
Note:
If you previously made changes to your DDoS settings, then those changes are still in place.
Note:
DDoS settings are a fairly technical, and sometimes confusing feature. Based on user feedback, StackPath decided to maintain DDoS settings to prevent potential problems with improperly configured DDoS settings on user sites.
Also in this release, to upgrade your WAF product, you must now contact StackPath to determine which WAF offering is best for you.
To view your WAF offering:
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- This action will refresh the portal.
- In the left-side navigation, click WAF.
- Review the label next to WAF Settings, which will display Standard or Enterprise.
To learn more about the WAF, see Obtain or Upgrade WAF on an Existing Site.
May 19, 2021 - WAF changelog
In the StackPath Developer Portal, a WAF-specific changelog has launched.
You can use this changelog to stay informed with the latest WAF changes.
Note:
While WAF releases take place on Tuesdays, a release may not take place every Tuesday.
Additionally, the WAF team may make emergency updates outside of the Tuesday release date.
To view the changelog, see WAF changelog.
May 13, 2021 - VPC networks
In the StackPath Control Portal, you can now create and assign virtual private cloud (VPC) networks to your workloads.
VPCs provide networking functionality to your workloads, allowing resources to securely communicate with each other, the internet, and on-premise networks.
Additionally, the StackPath Developer Portal has been updated with the following calls:
- Get all VPC networks
- Create a VPC network
- Get a VPC network
- Delete a VPC network
Note:
This feature is a beta release. To learn more about beta at StackPath, see Beta at StackPath.
To learn more about the VPC Network screen in the portal, see Create and Manage a VPC Network.
To learn more about the VPC network API calls, see VPC Network in the StackPath Developer Portal.
May 12, 2021 - Updated process to create a site
In the StackPath Control Portal, the process to create a site has been updated to improve user experience. Specifically, there is a step-by-step workflow in the portal to guide you through the process to create, configure, and complete a new site.
Previously, to create a site, you needed to navigate to different screens and sections of the portal. With this release, you can stay on the same page as prompts help you to move forward in the creation process.
This update applies to both full site and static asset site creation.
To create a site:
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Click Create Site.
- Select Full Site Integration or Static Asset Integration, and then follow the on-screen prompts to create a new site.
After you create a site, StackPath recommends that you verify the integration, as well as configure specific settings. To learn more, see Create and Configure a Site.
May 12, 2021 - Updated WAF policies
In the StackPath Control Portal, new policies have been added to the WAF screen of the Sites section:
| Policy | Description |
| External Reputation Block List Data Bases | Validate traffic from any known spammer or abuser, based on data from multiple services. |
|
Traffic From Suspicious NAT Ranges |
Challenge traffic from high-risk NAT ranges, based on historical web behavior detected by a machine learning classifier. |
Additionally:
- The Traffic From Scanner policy has been merged into the Convicted Bot Traffic policy.
- The Automation Escalation policy has been merged into the Challenge Automate Clients policy
- The WordPress Ruleset policy has been renamed to Wordpress WAF Ruleset. Additionally, this policy has been moved from the WAF & OWASP Top Threats section to the CMS Protection section.
This release includes additional minor updates and bug fixes.
To learn more about WAF policies, see CDN & WAF Site Settings Overview.
May 11, 2021 - Updated WAF screens
In the StackPath Control Portal, the WAF section of the Analytics screen has been updated. Specifically, in the Web Application Firewall Requests graph, when you click on a specific plot, the Requests table will filter data for that particular selection. The table will display the date and time, as well as the corresponding Traffic Type. When you click on a plot, the Requests table will refresh and remove previously selected filters that do no relate to the selected plot.
Additionally, the Overview section of the Analytics screen now displays the Status Codes graph. Previously, this graph was located in the CDN section of the Analytics screen.
To learn more, see View WAF Analytics.
May 11, 2021 - Updated virtual machine images
Review the following updates to virtual machine images:
- Ubuntu 21.04 is now supported.
- Ubuntu 18.04 has been updated for a bug fix.
- Ubuntu 18.04 (previous version) and Ubuntu 20.10 have been tagged with a deprecation and obsoletion date.
- The deprecation date is June 1st.
- The obsoletion date is September 1st.
To learn more about virtual machine images, see Create, Manage, and Access Virtual Machine Images.
May 11, 2021 - Updated cookie settings
In the StackPath Control Portal and the WAF, cookie settings for UTGv2 have been updated. With this release, UTGv2 cookies will expire after 180 days.
Previously, UTGv2 cookies expired after 365 days.
To learn more about StackPath’s cookie settings, see Cookie Preferences.
April 29, 2021 - Updated WAF policies
In the StackPath Control Portal, new policies have been added to the WAF screen of the Sites section:
| Policy name | Description |
| Automations Escalation (under Anti-Automation & Bot Protection) | Challenge or block clients that use or maybe using automation tools, based on static and behavioral indications. |
| Traffic From Scanner (under Traffic Sources) | Challenge traffic from any known scanners' IP address to block bots and devices. Malicious users may use scanners for reconnaissance purposes. |
| Whitelist PimCore admins logged-in users (under CMS Protection) | Enable whitelist PimCore admin logged-in users. |
Additionally, the existing Force Browser Validation on traffic anomalies policy has been updated with new rules (Block Clients With Invalid SP Cookie and Challenge Clients With Invalid Cookies).
To learn more about other WAF policies, see CDN & WAF Site Settings Overview.
April 8, 2021 - Updated WAF and CDN subscriptions
StackPath has updated pricing for its CDN10 and WAF10 subscriptions.
Customers who signed up for CDN10 and WAF10 before April 8, 2021, will be "grandfathered" into their existing access and pricing structure.
To learn more, see Frequently Asked Questions About CDN and WAF Services.
April 6, 2021 - Updated Edge Delivery Bundles
StackPath has end-of-sale its E20, E200, and E2000 Edge Delivery bundles.
Customers who signed up for E20, E200, and E2000 before April 6, 2021, will be "grandfathered" into their existing access and pricing structure.
To learn more, see Frequently Asked Questions About CDN and WAF Services.
April 6, 2021 - Updated DDoS configuration
In the StackPath Control Portal, in the WAF Settings screen, DDoS configurations have been updated. Specifically, the default value for Burst Threshold has been updated to 500.
Previously, the default value was 110.
If you have updated this value, then you are not affected by this change.
To learn more about DDoS configurations for WAF, see Learn about Edge Computing and Serverless Scripting.
March 18, 2021 - New WAF policies
In the StackPath Control Portal, 3 new policies have been added, specifically to the WAF & OWASP Top Threats section.
- Open Redirect
- Use this policy to block requests that are open redirect attacks.
- This attack exploits vulnerabilities in a web application to redirect a user to a new website without any validation of the target.
- Shell Injection
- Use this policy to block requests that are shell injection attacks.
- This attack executes arbitrary operating system commands on the server that is running an application with the purpose of compromising the application and data.
- Code Injection
- Use this policy to block requests that are code injection attacks.
- This attack injects code that the application will execute.
To learn more about other WAF policies, see CDN & WAF Site Settings Overview.
March 18, 2021 - Updated WAF Analytics screen
In the StackPath Control Portal, the WAF section of the Analytics screen has been updated with the following changes:
- In the Web Application Firewall Requests graph, the filters have been updated with the term Blocked to better describe the displayed data.
- The Security Events table has been renamed to Requests.
- Previously, this table only displayed security events. With this release, the table displays additional request types.
- The Requests table has been updated with more detailed filters to better customize the displayed data.
- The Top Threat Origins table has been updated to include a geographical view to display the location for your top threat origins.
To learn more about WAF analytics, see View WAF Analytics.
March 17, 2021: Updated virtual machine images
In the StackPath Control Portal, StackPath now supports the following virtual machine images:
- ubuntu-1804-bionic-v202103030924 based on Ubuntu 18.04.5
- debian-10-buster-v202103021354 based on Debian 10.8.0
- debian-9-stretch-v202103021322 based on Debian 9.13.0
- centos-8-v202103021256 based on CentoOS 8.3.2011
- centos-7-v202103021226 based on CentOS 7.9-2009
- ubuntu-2010-groovy-v202103041602 based on ubuntu 20.10
Additionally, the following images are deprecated and will be obsolete on June 1, 2021:
- Ubuntu 1904
- Ubuntu 1910
To learn more about images, see Create, Manage, and Access Virtual Machine Images.
To see a current list of supported images:
- In the StackPath Control Portal, in the left-side navigation, click Edge Compute.
- In the left-side navigation, click Images.
- Under StackPath Images, review the list of images.
February 24, 2021: Downward API environment variables
In the StackPath Control Portal, the process to create a container-based workload has changed. Specifically, there is now the option to add Downward API Environment Variables. You can use this option to expose application information to the workload and other instances in the same workload.
Additionally, there is a Commands field where you can specify a command that will execute when the instance starts.
To learn how to create a container-based workload with downward API environment variables, see Create and Manage Virtual Machines, Containers, and Workloads.
February 10, 2021: Updates to notifications
In the StackPath status page, you can now subscribe to outages via a Slack notification.
To learn how to subscribe to an outage, see Contact StackPath Support.
To visit the StackPath status page, see https://status.stackpath.com/#.
November 30, 2020: Updates to free SSL certificates
In the StackPath Control Portal, the process to obtain a free SSL certificate has been updated to improve user experience. Specifically, the previous Validation and Validation Method sections have been merged and renamed to Verify Domain Ownership. With this update, the step to select a validation method has been removed; by default, both validation options will display.
For API users, the APIs below have been updated. Specifically, the response now includes a statusDetail entry that displays details about the certificate's status, including a list of verification failure reasons.
- Get verification details (CDN SSL)
- Get sites associated with a certificate (WAF SSL)
- Get a certificate (SSL)
- Get a certificate’s latest version (SSL)
Additionally, for SSL API calls, there are new certificate statuses:
- Ready
- This status indicates that the certificate has issued, but has not been downloaded yet.
- Revoked
- This status indicates that the certificate has been revoked by the SSL provider.
To learn more about SSL certificates, see Create and Manage SSL Certificates.
November 12, 2020: Updates to WAF services
Overview
On November 12, 2020, StackPath replaced WAF Events with WAF Requests in the StackPath Control Portal (SP2) platform, as well as the corresponding StackPath API system.
At a high level, compared to WAF Events, WAF Requests capture more data, including expanded user agent information and details about the origin's response to the user. Similarly, WAF Requests are easier to search and process.
Which users are affected by this update?
This update applies if you use the StackPath Control Portal with an active WAF service.
This update does not relate if you use the MaxCDN, Highwinds, or legacy StackPath platforms.
Will the StackPath Control Portal change?
Yes. In the Security Events table, you can now filter requests based on the triggered rule type:
- To filter requests that triggered StackPath's predefined rules, select Policy.
- To filter requests that triggered custom rules created by users on your account, select Custom Rules.
Additionally, the name of the main WAF-related graph has been updated to display the term requests.
Do I need to update anything to prepare for this change?
If you use the StackPath API system, you must update your code to replace the soon-to-be deprecated event-related calls with the newly created request-equivalent calls.
Starting on November 12, 2020, for 30 days both the event-related calls and the request-related calls will be available; however, after 30 days, the event-related calls will be formally removed. As a result, StackPath recommends that you replace the calls as soon as possible.
Review the following calls to replace:
Get Request Statistics
Replace the old call with the new call to get request statistics:
Old call:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/event_stats`](https://stackpath.dev/reference/events#geteventstatistics)
New call:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/request_stats`](https://stackpath.dev/reference/events#getrequeststatistics)
For this call, only the call's URL has changed. The inputs and outputs are the same.
Get All Requests
Replace the old call with the new call to get all WAF requests:
Old:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/events`](https://stackpath.dev/reference/events#searchevents)
New:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests`](https://stackpath.dev/reference/requests#getrequests)
In addition to the new URL and response structure, this call's inputs have changed to use StackPath's standard pagination, sorting, and filter input.
Get an Individual Request
Replace the old call with the new calls to get individual WAF event information:
Old:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/events/:event_id`](https://stackpath.dev/reference/events#getevent)
New:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests/:request_id`](https://stackpath.dev/reference/requests#getrequest)
New:
[`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests/:request_id/details`](https://stackpath.dev/reference/requests#getrequestdetails)
The first new call retrieves an event summary.
The second new call returns a full event object.
Get WAF Traffic Report
Replace the old call with the new call to get WAF traffic reports:
Old:
[`GET /waf/v1/stacks/:stack_id/traffic`](https://stackpath.dev/reference/traffic#gettraffic)
New:
[`GET /waf/v2/stacks/:stack_id/traffic`](https://stackpath.dev/reference/traffic#gettrafficv2)
The new call's inputs have an additional DAILY resolution, as well as a simplified output structure.
To learn more about the StackPath WAF in the portal, see WAF.
To learn more about the Stack API system for WAF, see Requests.