What's New
  • 10 Nov 2023
  • Dark

What's New

  • Dark

Article Summary

Version 9.1.0

Released 2023-08-16

  • Updated block page for improved mobile support
  • Added risk activity fields to async activities for improved detection and aligned field names and types
  • Changed names for internal headers IP (x-px-socket-ip) and client UUID (x-px-client-uuid)
  • Changed px_custom_activity_headers format to align with new activity header format
  • Fixed a small bug which prevented the px_backend_url from being configured properly

Version 9.0.0

Released 2023-07-24

  • Important change! Async activities are sent via HTTPS instead of syslog. This necessitates a change to the async activities logging endpoint.
  • Aligned Risk API and async activity field names and formatting

Version 8.8.0

Released 2023-06-05

  • Added custom function px_custom_first_party_response_modifier
  • Removed custom function px_custom_first_party_access_control_allow_origins_whitelist which was never executed

Version 8.7.2

Released 2023-05-03

  • Fixed CI `v2` normaliazation process

Version 8.7.1

Released 2023-05-03

  • Added support extracting numeric user id from JWT token

Version 8.7.0

Released 2023-04-23

  • Added support CI `v2` protocol
  • Addedsupport CI `both` protocol
  • Added support CI protocol per endpoint
  • Added credentials_compromised field on async activities
  • Excluded credentials hashing of empty strings and null objects 

Version 8.6.0

Released 2023-03-21

  • Added Support for CORS preflight requests and CORS headers in block responses

Version 8.5.0

Released 2023-03-15

  • Added custom subroutine px_custom_cookie_header_value with default return value req.http.x-px-cookies
  • Cookie processing considers both px_custom_cookie_header_value and cookie header value 
  • px_custom_cookie_header_enabled configuration and px_custom_cookie_header subroutine deprecated      

Version 8.4.7

Released 2023-02-09

Version 8.4.6

Released 2022-12-20

  • bugfix: now first party resources are automatically compressed via gzip regardless the default policy

Version 8.4.5

Released 2022-12-16

  • Added HUMANHD cookie to risk request for improved detection.
  • Fixed bugs in JWT token decoding and parsing such that the user_id field is extracted and reported properly.

Version 8.4.4

Released 2022-12-07

  • Added support for server info related fields on RiskAPI to improve detection
  • Added to Credentials Intelligence support adding to the request an indication of compromised credentials in the form of a query string
  • Added to Credentials Intelligence support modifying the status code of a successful login response which was made with compromised credentials
  • Added to Credentials Intelligence support PUT method in the extraction of the Credentials Intelligence details

Version 8.4.2

Released 2022-11-29

  • Fixed px_shield snippet bug that deactivated shielding for certain requests while in monitor mode.

Version 8.4.1

Released 2022-10-30

  • GraphQL query parsing ignores whitespace and \n at the beginning of the string

Version 8.4.0

Released 2022-10-11

  • Added JA3 fingerprint to enforcer activities for detection improvement
  • Added request cookie names to page_requested and block activities for detection improvement
  • Fixed custom block page default template compilation issue
  • Fixed request cookie names unnecessary spaces issue
  • Rearranged the code slightly so more fields on the request are accessible in the custom parameters subroutine

Version 8.3.1

Released 2022-08-23

  • Improved validation of pxvid cookie.

Version 8.3.0

Released 2022-07-28

  • Added support for User identifiers feature - extract application user id and additional fields from JWT token.
    enables Account defender support on Fastly Enforcer.
  • Fixed send redundant page_requested in addition to block activity on sensitive routes on specific cases bug.

Version 8.2.0

Released 2022-06-30

  • Added configurable first party sensor endpoint to circumvent adblockers that prevent requests to the default init.js endpoint. The default init.js endpoint remains active even when a custom endpoint is configured. Note that the sensor endpoint must be changed to use the custom endpoint in the JS snippet as well.

Version 8.1.0

Released 2022-04-10

  • Added Custom logo in block JSON response
  • Updated block page to use new template

Version 8.0.2

Released 2022-03-14

  • Credential Intelligence - added ci_version, sso_step, credentials_compromised fields to block activity for complete visibility for the CI feature on HUMAN's portal.
  • Improved custom block page code structure and code separation for in PX_CUSTOM.vcl and Internal code.

Version 8.0.1

Released 2022-02-15

  • Improved upgradability
  • Updated px_metadata.json
  • Removed redundant default values assignments from px_configs table

Version 8.0.0

Released 2022-02-03

  • Added Sensitive GraphQL operation support, in order to distinguish between GraphQL operations that are sensitive and require RISK validation, support for GraphQL detection enhancement.
  • Added Additional Activity Handler support - customizable callback The Enforcer runs after sending page_requested or block_activity.
  • Added Filter by HTTP method, user agent, route and IP - customizable callbacks that can skip Enforcer validation flow based on rules of the request HTTP method, user agent, route or IP.
  • Added Support First Party Gzip Compression - Allowing compression of first party content such as HUMAN's sensor.
  • Core refactor - The enforcer is now support automatic update.
  • Minor bug fixes and improvements

Version 7.2.0

Released 2022-01-23

  • Added Support for credentials intelligence protocols v1 and multistep_sso
  • Added Support for login successful reporting methods header, status, and custom
  • Added Support for automatic sending of additional_s2s activity
  • Added Support for manual sending of additional_s2s activity via request header
  • Added Support for sending raw username on additional_s2s activity
  • Added Support for login credentials extraction via custom callback
  • Added New request_id field to all enforcer activities
  • Added Login credentials extraction handles body encoding based on Content-Type request header (supports application/json and application/x-www-form-urlencoded)
  • Added Successful login credentials extraction automatically triggers risk_api call without needing to enable sensitive routes
  • Fixed the bug of Unset X-PX-uuid header before sending request to customer's origin

Version 7.1.6

Released 2022-01-17

  • Fixed the bug of Fastly WAF is called twice on some requests due to restart caused by the Enforcer.

Version 7.1.5

Released 2021-12-29

  • Added server_info_origin to all Enforcer activities - indicates which CDN POP/Datacenter the request hit.

Version 7.1.4

Released 2021-10-25

  • Added Compromised credentials header support - indicates the origin of that a compromised credentials was detected by HUMAN.
  • Added CDN Deploy Tool installation support - support for clean/install of the enforcer using automated tool.

Version 7.1.3

Released 2021-07-01

  • Changed initial, threshold, and window configs for backend health check to align with Fastly new limitations and avoid requests timeouts.

Version 7.1.2

Released 2021-06-28

  • increased timeout for backend health check to align with Fastly new limitations and avoid requests timeouts.

Version 7.1.1

Released 2021-06-03

  • Added support for login credentials extraction - This feature extracts credentials (hashed username and password) from requests and sends them to HUMAN as additional info in the risk api call. The feature can be toggled on and off, and may be set for any number of unique paths.

Version 7.1.0 (REMOVED)

Released 2020-11-26

  • Added tier 2 for CSP report only policy
  • Moved to user subroutines instead of vcl snippets in main.vcl to enforce code order on Main.vcl file.
  • Moved to using px_shield snippet instead of do_shield subroutine.
  • Updated main.vcl base file to be aligned with Fastly's new boilerplate format.
  • Fixed the issue of missing vid in risk_api activity when call reason is cookie_expired
  • Fixed the issue of missing risk_rtt field in block activity

Version 6.1.1

Released 2020-08-12

  • Fixed the issue of module version is sent without version number

Version 6.1.0

Released 2020-08-10

  • Added Send page_response activity
  • Code optimization to reduce memory usage

Version 6.0.0

Released 2020-07-21

  • Added support for remote data
  • Added CSP module (Content Security Policy)

Version 5.0.10

Released 2020-06-18

  • Fixed the issue of invalid cookies by limit cookie characters to a specific range of characters
  • Added px_orig_cookie field on page_requested and block to contain the original cookie value

Version 5.0.9

Released 2020-06-17

  • Fixed cookie with non-printable characters fix may cause being mishandled.

Version 5.0.8

Released 2020-05-20

  • Fixed Telemetry Json formatting

Version 5.0.7

Released 2020-04-22

  • Added support for HUMANHD cookie secure mode via config

Version 5.0.6

Released 2020-03-10

  • Fixed Handle header size overflow. Fail-Open or Fail-Close is configurable in such case.

Version 5.0.5

Released 2020-02-20

  • Removed hard-coded tokens that required Fastly Deploy Tool to be used
  • Detect edge better to prevent attacks

Version 5.0.4

Released 2020-01-28

  • delete x-px-cookie-data header
  • Header px-orig-cookie to include the original cookie in case of decryption failed
  • Added utf-8 validation before requesting px backend to prevent s2s_error

Version 5.0.3

Released 2019-12-08

  • Fixed the issue of page_requested not being sent due to redundant spaces

Version 5.0.0

Released 2019-11-28

  • Added support for single or multiple (4) backends to work with HUMAN 
  • Decreased number of headers being used on HUMAN module.
  • Fixed the issue of expired cookie with year of 1990 and below was not parsed well.

Was this article helpful?