Configuration Options
  • 12 Jul 2024
  • Dark
    Light

Configuration Options

  • Dark
    Light

Article summary

PII (Personally Identifiable Information) Anonymization

Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify a single person, or to identify an individual in context.

It is important for us to keep personal private information out of our servers. Therefore, by default, we do not send the request body and cookies to HUMAN backend servers, the entire communication is based on headers data.

PII is not a recommended setting. If PII is essential for your organization, contact HUMAN Support.

When PII is enabled, HUMAN does not store a client’s full IP information (Client IP, HTTP Headers). In IPv4 this is done by zeroing 4th IP octet (for example, the IP 1.2.3.4 will be stored as 1.2.3.0). In IPv6 this is done by zeroing the last four (4) octets (for example, the IP 1:2:3:4:1:2:3:4 will be stored as 1:2:3:4:1:2:3:0).
Removing the IP's last octet can result small reduction of detection capability, usually for the models and signatures that are based on IPs.

Module Enabled

A boolean flag to enable/disable the HUMAN worker.

Default: true

Module Mode

Sets the working mode of the Enforcer.

Monitor mode - Use this mode to fine-tune and test your system. When in the Monitor mode, the Enforcer will pass through requests that would otherwise be blocked based on their score. See Blocking Score.

'Active Blocking mode - Switch to this mode after making sure the Enforcer is operating properly in the Monitor mode. The Enforcer will block requests, if their score is equal to or higher than the set value.

v21.0.0 and up
Name: px_module_mode
Values:

  • monitor - Monitor mode (default)
  • active_blocking - Active Blocking mode

v20.3.1 and below
Name: module_mode
Values:

  • 0 - Monitor mode (default)
  • 1 - Active Blocking mode

Blocking Score

Sets the minimum blocking score of a request.

Possible values:

  • Any integer between 0 and 100.

Default: 100

Monitor Specific Routes

Available from v21.0.0

When in the Active Blocking mode, use this feature to define an array of trusted routes to be monitored only. Such routes will be treated, as if the Enforcer were in the Monitor mode.

For example, you can put newly introduced routes in the Monitor mode to fine-tune them, while continuing to actively protect the rest of your assets.

For more on the difference between the modes, see Module Mode.

Default: Empty

Use commas to separate between monitored routes in the string: /profile, /test, /login.

Monitor Specific Routes Regex

Available from v21.0.0

When in the Active Blocking mode, use this feature to define regular expressions of trusted routes to be monitored only. Such routes will be treated, as if the Enforcer were in the Monitor mode.

For example, you can put newly introduced routes in the Monitor mode to fine-tune them, while continuing to actively protect the rest of your assets.

For more on the difference between the modes, see Module Mode.

Default: Empty

Use commas to separate between regular expressions in the string: /^profile.? , /login.*

Enforced Specific Routes

Available from v21.0.0

You may want certain requests to be enforced by HUMAN, even when the Enforcer is in the Monitor mode. Requests for predefined route prefixes will go through the full enforcement workflow, and may be blocked based on their score.

Default: Empty

Use commas to separate between enforced routes in the string: /profile, /test, /login

Enforce Specific Routes Regex

Available from v21.0.0

You may want certain requests to be enforced by HUMAN, even when the Enforcer is in the Monitor mode. Requests for predefined regular expressions will go through the full enforcement workflow, and may be blocked based on their score.

Default: Empty

Use commas to separate between regular expressions in the string: /^profile.? , /login.*

User ID Retrieval

Allows retrieving user IDs from the SalesForce database using an API. Enable this feature, if you are using HUMAN Account Defender.

Default: Disabled

First Party Enabled

Enables the module to send/receive data to/from the sensor, acting as a "reverse-proxy" for client requests and sensor activities.

To setup first party support, follow the Setting Up First Party section.

First Party Mode may also require additional changes on the sensor snippet. For more information, refer to the portal.

Possible values:

  • true
  • false

Default: false

Send Block Activities

A boolean flag to enable/disable sending block activities to HUMAN with each request.

Default: true

Send Page Activities

A boolean flag to enable/disable sending activities and metrics to HUMAN for each page request. Enabling this feature provides data that populates the HUMAN portal with valuable information such as the number of requests blocked and API usage statistics.

Default: true

Logger Severity

Sets the Logger Severity mode of the Enforcer.

v21.0.0 and up
Name: px_logger_severity
Values:

  • error (default) - The Enforcer logs only errors and fatal events (e.g., exceptions).
  • debug - The Enforcer logs all debugging events.

v20.3.1 and below
Name: debug_mode
Values:

  • false (default) - The Enforcer logs only errors and fatal events (e.g., exceptions).
  • true - The Enforcer logs all debugging events.

Once enabled, HUMAN debug messages are sent in the following template:

[PerimeterX - DEBUG][APP_ID] - MESSAGE - for debug messages

[PerimeterX - ERROR][APP_ID] - MESSAGE - for error messages

Log example of a valid request:

[2017-12-04 14:02:48.170 GMT] DEBUG PipelineCallServlet|9502992|Sites-SiteGenesis-Site|Default-Start|PipelineCall|jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== custom Sites-SiteGenesis-Site STOREFRONT jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== k1OX8IhVJVpqAAAK-0-00 9135655695325170688 - [PerimeterX - DEBUG][APP_ID] - Starting request verification
[2017-12-04 14:02:48.171 GMT] DEBUG PipelineCallServlet|9502992|Sites-SiteGenesis-Site|Default-Start|PipelineCall|jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== custom Sites-SiteGenesis-Site STOREFRONT jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== k1OX8IhVJVpqAAAK-0-00 9135655695325170688 - [PerimeterX - DEBUG][APP_ID] - Request context created successfully
[2017-12-04 14:02:48.171 GMT] DEBUG PipelineCallServlet|9502992|Sites-SiteGenesis-Site|Default-Start|PipelineCall|jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== custom Sites-SiteGenesis-Site STOREFRONT jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== k1OX8IhVJVpqAAAK-0-00 9135655695325170688 - [PerimeterX - DEBUG][APP_ID] - No Captcha cookie present on the request
[2017-12-04 14:02:48.171 GMT] DEBUG PipelineCallServlet|9502992|Sites-SiteGenesis-Site|Default-Start|PipelineCall|jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== custom Sites-SiteGenesis-Site STOREFRONT jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== k1OX8IhVJVpqAAAK-0-00 9135655695325170688 - [PerimeterX - DEBUG][APP_ID] - Cookie V3 found, Evaluating
[2017-12-04 14:02:48.394 GMT] DEBUG PipelineCallServlet|9502992|Sites-SiteGenesis-Site|Default-Start|PipelineCall|jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== custom Sites-SiteGenesis-Site STOREFRONT jLvMauivMBL8z7l1SRVBheAkTSR3zoHdk6G72IQQfr5SJs_uahpfrS7tfVKTaEHaVRs_WVcLLZMobrW6ugEcwA== k1OX8IhVJVpqAAAK-0-00 9135655695325170688 - [PerimeterX - DEBUG][APP_ID] - Cookie evaluation ended successfully, risk score: 0

Sensitive Routes

A comma separated list of route prefixes that trigger a server call to HUMAN servers every time the page is viewed, regardless of viewing history.

Default: Empty

Sensitive Headers

A comma separated list of headers that are not sent to HUMAN servers on API calls.

Default: 'cookie', 'cookies'

Path Whitelist

A comma separated list of paths to filter.

For example: /Sites-Site/, /PXRedirect

Default: Empty

Allow by IP/CIDR

A comma separated list of IPs or CIDRs to allow.

For example: 192.168.0.100, 192.168.100.0/24

Default: Empty

IP Headers

A comma separated list of comma separated trusted headers that specify an IP to be extracted. If the list is empty, the default IP header cf-connecting-ip is used.

Default: Empty

CSS Ref

Modifies a custom CSS by adding the CSSRef directive and providing a valid URL to the CSS.

Default: Empty

JS Ref

Adds a custom JS file by adding JSRef directive and providing the JS file that is loaded with the block page.

Default: Empty

Custom Logo

The logo is displayed at the top of the the block page.
Max-height = 150px, Width = auto.

Default: Empty

Custom Block Page Template

The template name to use to render a block page.

Default: block_template (the default block page template)

If you want to customize the Block page, follow the instructions on this page Customized Block Page.

Enrich Custom Parameters

With the enrichCustomParams function you can add up to 10 custom parameters to be sent back to HUMAN servers. When set, the function is called before setting the payload on every request to HUMAN servers. The parameters should be passed according to the correct order (1-10).

This property cannot be set using Business Manager but can only be added directly to the pxConfig.js file. The function receives an array of custom parameters (customParams) and must return it once set.

Default: Empty

Example:

...
pxConfig["enrichCustomParameters"] = function(customParams) {
    customParams["custom_param1"] = "yay, test value";
    return customParams;
}
...

Test Block Flow on Monitoring Mode

Allows you to test an enforcer’s blocking flow while you are still in Monitor Mode.

When the header name is set(eg. x-px-block) and the value is set to 1, when there is a block response (for example from using a User-Agent header with the value of PhantomJS/1.0) the Monitor Mode is bypassed and full block mode is applied. If one of the conditions is missing you will stay in Monitor Mode. This is done per request.
To stay in Monitor Mode, set the header value to 0.

The Header Name is configurable using the Bypass Monitor Mode Header property.

Default: Empty

Credentials Intelligence

The Credentials Intelligence feature allows you to safeguard your users login information by leveraging HUMAN's database of compromised credentials.

TO enable this feature:

  1. Change the PX_loginCredentialsExtractionEnabled value to true. Default: false
  2. In PX_loginCredentialsExtraction, add unique login extraction paths by defining an array of credential extraction definition objects. Each of these represents a particular type of request, from which to extract credentials. You need to define the following fields:

Field

Supported Values

path

Any string. Must start with "/".

method

get, post, put

sent_through

body, header, query-param

path_type

regex, exact

user_field

Any string

pass_field

Any string

Below is an example of a valid array that lists three different login endpoints, from which credentials should be extracted:

[{
    "method": "get",
    "path_type": "exact",
    "path": "/login/query",
    "sent_through": "query-param",
    "pass_field": "password",
    "user_field": "username"
}, {
    "method": "post",
    "path_type": "exact",
    "path": "/login-nested-object",
    "sent_through": "body",
    "pass_field": "nested.password",
    "user_field": "nested.username"
}, {
    "method": "post",
    "path_type": "regex",
    "path": "^/user/[A-Za-z0-9]{8,12}/session$",
    "sent_through": "body",
    "pass_field": "password",
    "user_field": "username"
}]
  1. In PX_ciVersion, select either the single step (v2), or multi-step login (multistep_sso). Default: v2.
  2. In PX_sendRawUsernameOnAdditionalS2SActivity, select whether the original username used for the login attempt should be sent to HUMAN to aid in detection. Default: false.

Additional S2S Activity
To enhance detection on login credentials extraction endpoints, the following additional information is sent to HUMAN via an additional_s2s activity:

Login Success - A boolean flag indicating whether the login attempt was successful.

To allow HUMAN to send this activity, add the following to your code, and pass an object that contains the login success indication and the status code as a parameter:

var HookManager = require('dw/system/HookMgr');

 HookManager.callHook('app.scripts.additionalS2SHandling', 'additionalS2SHandling', {
     login_successful: <isLoginSuccessful>,
     status_code: <statusCode>
});

If the request contains credentials, the variable session.private.PXCompromised will be populated after enforcement with a boolean flag indicating whether the credentials are compromised.


Was this article helpful?

What's Next