Release Notes and Product Announcements

Edge Compute

August 8, 2023 - Addition of Larger Geometries

Users are now able to provision larger geometries in StackPath Edge Compute PoPs. SP-6, SP-7 and SP-8 are now available for Edge Compute containers and VMs.

Take advantage of larger geometries that offer increased CPU and RAM resources, enhanced performance for resource-intensive applications, and improved scalability for better overall system performance.

These larger geometries are now listed in the Spec drop-down setting within Step 3 of the Create Workload process.

The table below contains the specifications of these new geometries:

Subscription	Cores	RAM
SP-6	16	64GiB
SP-7	32	128GiB
SP-8	48	256GiB

For pricing information, please refer to either our Virtual Machines or Containers pages on stackpath.com.

June 22, 2021 - Subnet Functionality for VPCs

To complement the initial VPC release from May 13, 2021, the StackPath Control Portal now offers VPC users the ability to create subnets. 

A subnet is a segment of a VPC's IP address range where you can group isolated resources. You can use a subnet to create a route for resources within a specific workload. 

Additionally, the following API calls have been published: 

• Create a subnet
• View subnets

Currently, all VPC functionality is considered a beta feature. 

• To view FAQs for this VPC release, see Frequently Asked Questions About Virtual Private Clouds.
• To learn more about VPC, including how to create a subnet, see Create and Manage a VPC Network.
• To view API information, see VPC network.
• To learn more about beta at StackPath, see Beta at StackPath.

---

May 13, 2021 - VPC networks

In the StackPath Control Portal, you can now create and assign virtual private cloud (VPC) networks to your workloads.

VPCs provide networking functionality to your workloads, allowing resources to securely communicate with each other, the internet, and on-premise networks.

 

Additionally, the StackPath Developer Portal has been updated with the following calls: 

• Get all VPC networks
• Create a VPC network
• Get a VPC network
• Delete a VPC network

Note:

This feature is a beta release. To learn more about beta at StackPath, see Beta at StackPath. 

To learn more about the VPC Network screen in the portal, see Create and Manage a VPC Network.

To learn more about the VPC network API calls, see VPC Network in the StackPath Developer Portal.

---

May 11, 2021 - Updated virtual machine images

Review the following updates to virtual machine images:

• Ubuntu 21.04 is now supported.
• Ubuntu 18.04 has been updated for a bug fix.
• Ubuntu 18.04 (previous version) and Ubuntu 20.10 have been tagged with a deprecation and obsoletion date.
  • The deprecation date is June 1st.
  • The obsoletion date is September 1st.

To learn more about virtual machine images, see Create, Manage, and Access Virtual Machine Images.

---

March 17, 2021: Updated virtual machine images

In the StackPath Control Portal, StackPath now supports the following virtual machine images: 

• ubuntu-1804-bionic-v202103030924 based on Ubuntu 18.04.5
  
• debian-10-buster-v202103021354 based on Debian 10.8.0
  
• debian-9-stretch-v202103021322 based on Debian 9.13.0
  
• centos-8-v202103021256 based on CentoOS 8.3.2011
  
• centos-7-v202103021226 based on CentOS 7.9-2009
  
• ubuntu-2010-groovy-v202103041602 based on ubuntu 20.10

Additionally, the following images are deprecated and will be obsolete on June 1, 2021:

• Ubuntu 1904
• Ubuntu 1910

To learn more about images, see Create, Manage, and Access Virtual Machine Images.

To see a current list of supported images:

1. In the StackPath Control Portal, in the left-side navigation, click Edge Compute. 
2. In the left-side navigation, click Images. 
3. Under StackPath Images, review the list of images. 

---

February 24, 2021: Downward API environment variables

In the StackPath Control Portal, the process to create a container-based workload has changed. Specifically, there is now the option to add Downward API Environment Variables. You can use this option to expose application information to the workload and other instances in the same workload.

Additionally, there is a Commands field where you can specify a command that will execute when the instance starts.

 

To learn how to create a container-based workload with downward API environment variables, see Create and Manage Virtual Machines, Containers, and Workloads.

---

CDN

May 12, 2021 - Updated Process to Create a Site

In the StackPath Control Portal, the process to create a site has been updated to improve user experience. Specifically, there is a step-by-step workflow in the portal to guide you through the process to create, configure, and complete a new site.

Previously, to create a site, you needed to navigate to different screens and sections of the portal. With this release, you can stay on the same page as prompts help you to move forward in the creation process. 

This update applies to both full site and static asset site creation.

To create a site:

1. In the StackPath Control Portal, in the left-side navigation, click Sites. 
2. Click Create Site. 
3. Select Full Site Integration or Static Asset Integration, and then follow the on-screen prompts to create a new site. 

After you create a site, StackPath recommends that you verify the integration, as well as configure specific settings. To learn more, see Create and Configure a Site.

November 30, 2020: Updates to free SSL certificates 

In the StackPath Control Portal, the process to obtain a free SSL certificate has been updated to improve user experience. Specifically, the previous Validation and Validation Method sections have been merged and renamed to Verify Domain Ownership. With this update, the step to select a validation method has been removed; by default, both validation options will display.

For API users, the APIs below have been updated. Specifically, the response now includes a statusDetail entry that displays details about the certificate's status, including a list of verification failure reasons.

• Get verification details (CDN SSL)
• Get sites associated with a certificate (WAF SSL)
• Get a certificate (SSL)
• Get a certificate’s latest version (SSL)

Additionally, for SSL API calls, there are new certificate statuses:

• Ready
  • This status indicates that the certificate has issued, but has not been downloaded yet.
• Revoked
  • This status indicates that the certificate has been revoked by the SSL provider.

To learn more about SSL certificates, see Create and Manage SSL Certificates.

---

WAF

November 22, 2022 - DDoS Visibility

DDoS analytics are now available, providing you with the ability to review data related to DDoS attacks against your WAF sites.

StackPath provides valuable information regarding this harmful traffic such as the date and time of the attack, IPs, response codes, targeted URLs and user agents. This information can be used to help you make informed decisions regarding the creation of additional WAF Rules. 

For more information, please refer to our View and Understand DDoS Analytics article.

September 27, 2022 - IP Spotlight

IP Spotlight is now available for WAF Essential, Professional, and Enterprise customers. This feature allows users to get more detailed information about the IP addresses that are making requests to their WAF-protected sites including Whois information and known attack activity.

Each IP address you choose to analyze will populate the interactive dashboard with reputation information including a risk assessment score that was formulated by analyzing StackPath's wide array of end-user traffic.

To learn more about this feature please refer to our IP Spotlight article.

August 2, 2022 - WAF Rules Updates

Tag generating rules are now available for use in custom WAF rules. Tag generating rules allow you to create your own custom tags (user defined tags) that can be used to further customize your tag based rules.

Tag generating rules and user defined tags are great for troubleshooting, controlling logged-in users' access, and can even ease the management of your other WAF rules.

Tag generating rules are included in our Custom Rules Extension, a feature that is included in our WAF Professional and Enterprise packages.

For more information, please refer to our Understanding Tag Based Rules article.

July 21, 2022 - WAF Custom Pages

StackPath has released a new feature, Custom Page Sets, which provides you with the ability to create and customize WAF sanction screens that are shown to your end-users.

This feature lets you customize our 6 sanction screen types, which are then shown to your end-users in place of the StackPath default sanction screens.

For more details on this feature, please see our Custom Pages article.

Custom Page Sets are available to our WAF Professional and Enterprise users, and the number of allotted page sets will vary based on your selected WAF package, so please be sure to visit our WAF Package Offerings page for more details.

May 17, 2022 - Updated WAF Packages

StackPath now offers three all new self-service WAF packages, WAF Essentials, WAF Professional and WAF Enterprise.

All packages provide protection for your web applications, websites and APIs against common vulnerabilities such as L7 DDoS attacks, OWASP Top 10 threats, bots and more.

Each package offers different monthly usage allowances and advanced features to suit your needs. 

• WAF Essentials - Our most basic package that is perfect for smaller sites.
• WAF Professional - Our mid-level package, offering additional features such as a Custom Rules Extension and Custom Sanction Screens.
• WAF Enterprise - Our highest-level package, offering additional features such as Advanced Rules Access.

Please visit our WAF Package Offerings article for more details, in addition to our blog and press release posts.

In addition, the following new WAF features are now available as well, with quantities that vary depending on the selected package:

• Tag Based Rules
• Advanced Rules
• Custom Sanction Screens

For existing customers wishing to upgrade your current WAF package, you may refer to this guide for instructions on how to upgrade your subscription, or you can reach out to our Sales team at sales@stackpath.com.

April 18, 2022 - WAF Policy Updates

Updates were made to the following existing WAF policies:

• The "XSS Attack" policy has been updated to improve protection against additional attack vectors.
• The "Traffic from Hosting Services" policy has been updated to include additional hosting services.

March 22, 2022 - WAF Policy Updates

A new policy is now available in the WAF portal, "Traffic via CDNs". This policy will validate (JavaScript Validation) traffic from IP addresses originating from CDN companies.

Note: This policy is OFF by default for all existing customer domains and ON for new customers.

• See our IP Reputation article to learn more about these common threats.

March 9, 2022 - Bug Fixes

The "Regular Visitor" tag is no longer available as part of tag based rules. See our article on Tags and Descriptions to see which tags are currently available.

March 6, 2022 - WAF Rules Updates

WAF custom rules now support defining Tags when creating a rule.

As part of the WAF Enterprise Package, customers are now able to create Advanced Rules using APIs. For more information, see our Advanced Rules Editor help center article to learn more.

January 18, 2022 - Rules & Heuristics Monitoring system

Included in WAF is an active monitoring system that will be able to detect and alert issues with the heuristics code execution and products (tags, flags) and the same for the shield rules execution and products.

• Monitoring for TACT & shield would fall into the current NOC/SRE processes.

August 22, 2021 - Added API DDoS Layer 2 protection

WAF now supports DDoS protection for APIs and has implemented a scaleable machine learning algorithm to protect customer sites.

• Ability to predict location of where normal traffic arrives and blocks the traffic that doesn't fit this model.
• Ability to use SDK to differentiate API calls from authenticated clients and foreign ones.

June 10, 2021 - Updated WAF product

In the StackPath Control Portal, the WAF product offering has been converted into 2 separate offerings called WAF Standard and WAF Enterprise.

Current WAF users have already been converted to the new product offering. Specifically, WAF10 users are now WAF Standard users.

Additionally in this release, StackPath will maintain DDoS settings for WAF Standard users; WAF Enterprise users can update their DDoS settings via a support ticket.

Note:

If you previously made changes to your DDoS settings, then those changes are still in place.

Note:

DDoS settings are a fairly technical, and sometimes confusing feature. Based on user feedback, StackPath decided to maintain DDoS settings to prevent potential problems with improperly configured DDoS settings on user sites.

Also in this release, to upgrade your WAF product, you must now contact StackPath to determine which WAF offering is best for you.

To view your WAF offering:

1. In the StackPath Control Portal, in the left-side navigation, click Sites.
2. Locate and select the desired site.
   • This action will refresh the portal.
3. In the left-side navigation, click WAF.
4. Review the label next to WAF Settings, which will display Standard or Enterprise.

To learn more about the WAF, see Obtain or Upgrade WAF on an Existing Site.

---

May 19, 2021 - WAF changelog

In the StackPath Developer Portal, a WAF-specific changelog has launched.

You can use this changelog to stay informed with the latest WAF changes.

Note:

While WAF releases take place on Tuesdays, a release may not take place every Tuesday.

Additionally, the WAF team may make emergency updates outside of the Tuesday release date.

To view the changelog, see WAF changelog.

---

May 12, 2021 - Updated WAF policies

In the StackPath Control Portal, new policies have been added to the WAF screen of the Sites section:

Policy	Description
External Reputation Block List Data Bases	Validate traffic from any known spammer or abuser, based on data from multiple services.
Traffic From Suspicious NAT Ranges	Challenge traffic from high-risk NAT ranges, based on historical web behavior detected by a machine learning classifier.

 

Additionally:

• The Traffic From Scanner policy has been merged into the Convicted Bot Traffic policy.
• The Automation Escalation policy has been merged into the Challenge Automate Clients policy
• The WordPress Ruleset policy has been renamed to Wordpress WAF Ruleset. Additionally, this policy has been moved from the WAF & OWASP Top Threats section to the CMS Protection section.

This release includes additional minor updates and bug fixes.

To learn more about WAF policies, see CDN & WAF Site Settings Overview.

---

May 11, 2021 - Updated WAF screens

In the StackPath Control Portal, the WAF section of the Analytics screen has been updated. Specifically, in the Web Application Firewall Requests graph, when you click on a specific plot, the Requests table will filter data for that particular selection. The table will display the date and time, as well as the corresponding Traffic Type. When you click on a plot, the Requests table will refresh and remove previously selected filters that do no relate to the selected plot.

 

Additionally, the Overview section of the Analytics screen now displays the Status Codes graph. Previously, this graph was located in the CDN section of the Analytics screen.

To learn more, see View WAF Analytics.

---

May 11, 2021 - Updated cookie settings

In the StackPath Control Portal and the WAF, cookie settings for UTGv2 have been updated. With this release, UTGv2 cookies will expire after 180 days.

Previously, UTGv2 cookies expired after 365 days.

To learn more about StackPath’s cookie settings, see Cookie Preferences.

---

April 29, 2021 - Updated WAF policies

In the StackPath Control Portal, new policies have been added to the WAF screen of the Sites section:

Policy name	Description
Automations Escalation (under Anti-Automation & Bot Protection)	Challenge or block clients that use or maybe using automation tools, based on static and behavioral indications.
Traffic From Scanner (under Traffic Sources)	Challenge traffic from any known scanners' IP address to block bots and devices. Malicious users may use scanners for reconnaissance purposes.
Whitelist PimCore admins logged-in users (under CMS Protection)	Enable whitelist PimCore admin logged-in users.

 

Additionally, the existing Force Browser Validation on traffic anomalies policy has been updated with new rules (Block Clients With Invalid SP Cookie and Challenge Clients With Invalid Cookies).

To learn more about other WAF policies, see CDN & WAF Site Settings Overview.

---

April 6, 2021 - Updated DDoS configuration

In the StackPath Control Portal, in the WAF Settings screen, DDoS configurations have been updated. Specifically, the default value for Burst Threshold has been updated to 500.

Previously, the default value was 110.

If you have updated this value, then you are not affected by this change.

To learn more about DDoS configurations for WAF, see Learn about Edge Computing and Serverless Scripting.

---

March 18, 2021 - New WAF policies

In the StackPath Control Portal, 3 new policies have been added, specifically to the WAF & OWASP Top Threats section.

• Open Redirect
  • Use this policy to block requests that are open redirect attacks.
  • This attack exploits vulnerabilities in a web application to redirect a user to a new website without any validation of the target.
• Shell Injection
  • Use this policy to block requests that are shell injection attacks.
  • This attack executes arbitrary operating system commands on the server that is running an application with the purpose of compromising the application and data.
• Code Injection
  • Use this policy to block requests that are code injection attacks.
  • This attack injects code that the application will execute.

To learn more about other WAF policies, see CDN & WAF Site Settings Overview.

---

March 18, 2021 - Updated WAF Analytics screen

In the StackPath Control Portal, the WAF section of the Analytics screen has been updated with the following changes:

• In the Web Application Firewall Requests graph, the filters have been updated with the term Blocked to better describe the displayed data.
• The Security Events table has been renamed to Requests.
  • Previously, this table only displayed security events. With this release, the table displays additional request types.
• The Requests table has been updated with more detailed filters to better customize the displayed data.
• The Top Threat Origins table has been updated to include a geographical view to display the location for your top threat origins.

To learn more about WAF analytics, see View WAF Analytics.

---

March 17, 2021: Updated virtual machine images

In the StackPath Control Portal, StackPath now supports the following virtual machine images:

• ubuntu-1804-bionic-v202103030924 based on Ubuntu 18.04.5
• debian-10-buster-v202103021354 based on Debian 10.8.0
• debian-9-stretch-v202103021322 based on Debian 9.13.0
• centos-8-v202103021256 based on CentoOS 8.3.2011
• centos-7-v202103021226 based on CentOS 7.9-2009
• ubuntu-2010-groovy-v202103041602 based on ubuntu 20.10

Additionally, the following images are deprecated and will be obsolete on June 1, 2021:

• Ubuntu 1904
• Ubuntu 1910

To learn more about images, see Create, Manage, and Access Virtual Machine Images.

To see a current list of supported images:

1. In the StackPath Control Portal, in the left-side navigation, click Edge Compute.
2. In the left-side navigation, click Images.
3. Under StackPath Images, review the list of images.

---

November 12, 2020: Updates to WAF services

Overview

On November 12, 2020, StackPath replaced WAF Events with WAF Requests in the StackPath Control Portal (SP2) platform, as well as the corresponding StackPath API system.

At a high level, compared to WAF Events, WAF Requests capture more data, including expanded user agent information and details about the origin's response to the user. Similarly, WAF Requests are easier to search and process.

---

Which users are affected by this update?

This update applies if you use the StackPath Control Portal with an active WAF service.

This update does not relate if you use the MaxCDN, Highwinds, or legacy StackPath platforms.

---

Will the StackPath Control Portal change?

Yes. In the Security Events table, you can now filter requests based on the triggered rule type:

• To filter requests that triggered StackPath's predefined rules, select Policy.
• To filter requests that triggered custom rules created by users on your account, select Custom Rules.

 

Additionally, the name of the main WAF-related graph has been updated to display the term requests.

 

---

Do I need to update anything to prepare for this change?

If you use the StackPath API system, you must update your code to replace the soon-to-be deprecated event-related calls with the newly created request-equivalent calls.

Starting on November 12, 2020, for 30 days both the event-related calls and the request-related calls will be available; however, after 30 days, the event-related calls will be formally removed. As a result, StackPath recommends that you replace the calls as soon as possible.

Review the following calls to replace:

Get Request Statistics

Replace the old call with the new call to get request statistics:

Old call:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/event_stats`](https://stackpath.dev/reference/events#geteventstatistics)

New call:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/request_stats`](https://stackpath.dev/reference/events#getrequeststatistics)

For this call, only the call's URL has changed. The inputs and outputs are the same.

---

Get All Requests

Replace the old call with the new call to get all WAF requests:

Old:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/events`](https://stackpath.dev/reference/events#searchevents)

New:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests`](https://stackpath.dev/reference/requests#getrequests)

In addition to the new URL and response structure, this call's inputs have changed to use StackPath's standard pagination, sorting, and filter input.

---

Get an Individual Request

Replace the old call with the new calls to get individual WAF event information:

Old:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/events/:event_id`](https://stackpath.dev/reference/events#getevent)

New:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests/:request_id`](https://stackpath.dev/reference/requests#getrequest)

New:

  [`GET /waf/v1/stacks/:stack_id/sites/:site_id/requests/:request_id/details`](https://stackpath.dev/reference/requests#getrequestdetails)

The first new call retrieves an event summary.

The second new call returns a full event object.

---

Get WAF Traffic Report

Replace the old call with the new call to get WAF traffic reports:

Old:

  [`GET /waf/v1/stacks/:stack_id/traffic`](https://stackpath.dev/reference/traffic#gettraffic)

New:

  [`GET /waf/v2/stacks/:stack_id/traffic`](https://stackpath.dev/reference/traffic#gettrafficv2)

The new call's inputs have an additional DAILY resolution, as well as a simplified output structure.

---

To learn more about the StackPath WAF in the portal, see WAF.

To learn more about the Stack API system for WAF, see Requests.

---

Portal

July 7, 2023 - User and Access Management (IAM Policies)

Account and Stack Identity and Access Management (IAM) policies are now available in the StackPath Control Portal. Easily manage your account's members, roles and service accounts via the new IAM policy sections in the Portal.

To learn more, please see User and Access Management.

May 11, 2021 - Updated cookie settings

In the StackPath Control Portal and the WAF, cookie settings for UTGv2 have been updated. With this release, UTGv2 cookies will expire after 180 days.

Previously, UTGv2 cookies expired after 365 days.

To learn more about StackPath’s cookie settings, see Cookie Preferences.

---

February 10, 2021: Updates to notifications

In the StackPath status page, you can now subscribe to outages via a Slack notification. 

To learn how to subscribe to an outage, see Contact StackPath Support.

To visit the StackPath status page, see https://status.stackpath.com/#.