Overview
A browser is able to load a website using a set of rules called protocols. The General Policies found in your WAF settings focus on the HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS). These protocols are used by clients to request webpage contents from the website's origin server.
The StackPath Protocol Validation rules within the General Policies section cover the compliance of official protocols as part of the request and either allow or block the transaction.
All three of these rules are enabled by default. To enable or disable a protection vector, simply click on the toggle switch to turn it off or on.
User Agents Explained
Most browsers provide user agent information across the network to validate a client's authenticity and purpose.
User agent strings typically follow the below syntax:
User-Agent: <product> / <product-version> <comment>
- <product>
-
A product identifier — its name or development codename.
- <product-version>
-
Version number of the product.
- <comment>
-
Zero or more comments containing more details. For example, sub-product information.
The following is the common format of a user agent generated by a web browser:
User-Agent: Mozilla/5.0 (<system-information>) <platform> (<platform-details>) <extensions>
Below is an example of a user agent generated by a Windows XP user browsing a website via Google Chrome:
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome.46.0.2490.71
Safari/537.36
The Invalid User Agent and Unknown User Agent WAF polices work together to identify and block requests missing a standard user agent, as that can indicate an illegitimate client is being used.
HTTP Methods Explained
Client requests use HTTP methods to help communicate to the website's origin server what action to perform on the requested resource.
Below is a list of the 9 standard HTTP methods that the WAF looks for when validating traffic, along with a brief description:
Name | Description |
GET | Retrieve a URI |
HEAD | Retrieve a URI without the response body |
POST | Submit data to a resource and create a new entity |
PUT | Update all data in a resource entity |
DELETE | Remove a resource |
CONNECT |
Establishes a connection to a resource |
OPTIONS |
Requests information on the communication options associated with a resource |
TRACE | Echos a request back to the client, mainly for debugging purposes |
PATCH | Update some data in a resource entity |