General Policies

Overview

A browser is able to load a website using a set of rules called protocols. The General Policies found in your WAF settings focus on the HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS). These protocols are used by clients to request webpage contents from the website's origin server.

The StackPath Protocol Validation rules within the General Policies section cover the compliance of official protocols as part of the request and either allow or block the transaction.

All three of these rules are enabled by default. To enable or disable a protection vector, simply click on the toggle switch to turn it off or on.

User Agents Explained

Most browsers provide user agent information across the network to validate a client's authenticity and purpose.

User agent strings typically follow the below syntax:

User-Agent: <product> / <product-version> <comment>

The following is the common format of a user agent generated by a web browser:

User-Agent: Mozilla/5.0 (<system-information>) <platform> (<platform-details>) <extensions>

Below  is an example of a user agent generated by a Windows XP user browsing a website via Google Chrome:

Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome.46.0.2490.71 Safari/537.36

The Invalid User Agent and Unknown User Agent WAF polices work together to identify and block requests missing a standard user agent, as that can indicate an illegitimate client is being used.

HTTP Methods Explained

Client requests use HTTP methods to help communicate to the website's origin server what action to perform on the requested resource.

Below is a list of the 9 standard HTTP methods that the WAF looks for when validating traffic, along with a brief description: