media.example.comonly allows H5 clients and browsers to obtain site content, and all legal clients support
Cookies. Therefore, clients that do not support
Cookiesneed to be intercepted, including crawlers that have hijacked other visitors' sessions. For clients that maliciously tamper with
Cookies, use the silent mode to counteract, maintain the connection but no longer respond to requests.
/*, and the request method is equal to GET.
Update Cookie and verify: For requests that do not carry valid session information or have expired session information, EdgeOne will create a session in the response with the Set-Cookie header and continuously update the session information. It is recommended to use this verification method for paths accessed by GET.
Only verify: EdgeOne only verifies whether the session information carried in the request is legal. When the session information in the request expires or the request does not carry valid session information, it will not create a new session by updating the Cookie. It is recommended to use the only verification method for APIs accessed by POST (such as: registration, login, add to cart, etc.).
For requests that have failed the Cookie verification, the processing can be done according to the check result as follows:
No Cookie or expired Cookie: The session information carried in the Cookie header has a time limit and is only valid for a certain period of time. If the request does not carry valid session information or the session information has expired, the session information needs to be updated to pass the Cookie verification. When the client frequently uses requests without session information to access, there may be a risk of harvesting Cookies and hijacking sessions. You can choose to dispose of requests from the request sources (client IP) that do not carry valid session information when the session information is not carried at a specified rate.
Trigger threshold: You can configure the upper limit of the number of sessions that can be created without carrying a Cookie or an expired Cookie within a certain period of time, and limit the initiation rate of new sessions. When the trigger threshold is exceeded, it will be processed according to the configured action.
Invalid cookie: The session information issued by EdgeOne has encryption verification capabilities, and tampering with session information often means malicious requests. You can choose to dispose of requests with tampered session information.
Session rate and Periodic feature verification
Requests that pass the Cookie verification are divided into high-risk, medium-risk, and low-risk categories according to the specified rate features. You can configure different actions for each risk level to more effectively identify and mitigate malicious behaviors:
High risk: In a single session (corresponding to the same EO-Bot-SessionId value in the Cookie header), more than 1000 requests in each 5-minute statistics window. When client behavior verification is enabled, also verify that the same client verification token (corresponding to the same EO-Bot-Token value in the Cookie header) is used more than 200 times in 1 minute.
Medium risk: In a single session (corresponding to the same EO-Bot-SessionId value in the Cookie header), more than 500 requests in each 5-minute statistics window. When client behavior verification is enabled, also verify that the same client verification token (corresponding to the same EO-Bot-Token value in the Cookie header) is used more than 100 times in 1 minute.
Low-risk: In a single session (corresponding to the same EO-Bot-SessionId value in the Cookie header), more than 100 requests in each 5-minute statistics window. When client behavior verification is enabled, also verify that the same client verification token (corresponding to the same EO-Bot-Token value in the Cookie header) is used more than 20 times in 1 minute.
/api/password_resetof the e-commerce site
shop.example.comhas a large number of failed reset requests from a large amount of IPs with low frequency and no obvious
User-Agentor header aggregation. Therefore, the active detection function is used to strengthen the bot protection rules for the password reset API
/api/password_resetand the password reset page
/account/forgot_password.html, using silent mode to combat against automated bulk password reset tools.
text/html, and other requests will be disposed of based on the current verification result.
Client behavior verification supports adjusting the strength of proof of work verification. By adjusting the strength, the balance between the client's computational load and the identification effect on bots can be achieved.