Edge Security Acceleration:Managed transforms

Overview

After you enable managed transforms, ESA adds a set of common origin request headers and security response headers at points of presence (POPs). The workflow is as follows:

• HTTP request headers (Client → ESA → Origin server): When a POP receives a client request, it adds specific HTTP request headers based on your configuration before forwarding the request to the origin server. These headers include the following:

  Type	Included headers	Description
  Add real client IP Header	ali-real-client-ip	Records the originating IP address of the client that established the TCP connection. This header is added by ESA at the POP and is more reliable than the X-Forwarded-For header, which can be forged by the client.
  Add visitor location header	ali-ip-country ali-ip-city	Queries the IP geolocation database based on the originating IP address of the client and adds the corresponding country/region and city codes as header values. The header value is a two-letter Alpha-2 country/region code defined in ISO 3166-1. For example, ali-ip-country=cn indicates that the client is located in the Chinese mainland.
  Add security request header	Tls-Hash Tls-Ja3 Tls-Ja4	Analyzes the client's TLS handshake information to generate JA3 and JA4 fingerprints. These fingerprints are used to identify client types or detect bots. The headers include Tls-Hash, Tls-Ja3, and Tls-Ja4. The TLS fingerprint headers have values only for sites on the Enterprise plan.

• HTTP response headers (ESA → Client): When ESA receives a response from the origin server, it adds a set of standard security response headers based on your configuration before returning the response to the client.

  Note

  If the origin server's response already contains a security header with the same name, ESA overwrites the header value from the origin server by default. This ensures policy consistency.

  Type	Included headers	Description
  Add security response headers	x-content-type-options: nosniff	Protects against Multipurpose Internet Mail Extensions (MIME) type confusion attacks. It requires the browser to strictly follow the type declared in the Content-Type response header. The nosniff value activates strict mode.
  	x-xss-protection: 1; mode=block	Protects against reflected cross-site scripting (XSS) attacks, where malicious scripts are injected through URL parameters. The value 1 enables XSS filtering. The value mode=block prevents the page from rendering if an attack is detected.
  	x-frame-options: SAMEORIGIN	Restricts page embedding permissions to protect against clickjacking attacks. The SAMEORIGIN value allows a page to be embedded only by pages from the same origin. For example, a page from example.com can only be nested within other pages from example.com.
  	referrer-policy: same-origin	Controls the leakage of Referer header information. This prevents the user's behavior path from being exposed during cross-origin requests. The same-origin value sends the full Referer only for same-origin requests. The Referer is not sent for cross-origin requests.
  	expect-ct: max-age=86400, enforce	Used to detect abnormal certificates. The value max-age=86400 sets the policy validity period to 24 hours. The value enforce forces the browser to reject connections that do not meet Certificate Transparency requirements.

Configure client information for request analysis

You can automatically add HTTP headers that contain the client's originating IP address, geolocation, and TLS fingerprint to origin requests. This allows your origin application to obtain more context about the client.

Configure security response headers to enhance client security

You can automatically add a set of standard security headers to client responses to protect against attacks such as cross-site scripting (XSS) and clickjacking. This enhances the security of your web application.