Edge Security Acceleration:Managed transforms

HTTP request headers

Add the "ali-real-client-ip" header

If you enable Add "ali-real-client-ip" Header, ESA includes the custom header ali-real-client-ip in origin requests to specify the real client IP addresses.

Add visitor location headers

If you enable this switch, ESA retrieves content from the origin server with the custom header ali-ip-country included. This header specifies the geographical location of the client.

When you set the value of the header, you must specify 2-letter alpha-2 country or region codes that follow the ISO 3166-1 standard. For example, if you set the value of the ali-ip-country header to sg, the client is located in Singapore.

Add security request headers

If you enable this switch, ESA adds bot-related HTTP headers to origin requests. The headers can specify whether a request comes from a verified bot and may contain a TLS fingerprint.

HTTP response headers

Add security response headers

If you enable this switch, ESA adds the following security HTTP response headers for cross-site scripting (XSS) protection when responding to clients:

• x-content-type-options: nosniff

• x-xss-protection: 1; mode=block

• x-frame-options: SAMEORIGIN

• referrer-policy: same-origin

• expect-ct: max-age=86400, enforce

Configure a managed transform rule

1. In the ESA console, choose Websites and click the website name you want to manage.

2. In the left-side navigation pane, choose Rules > Transform Rules.

3. Click the Managed Transforms tab.

4. Enable the following options as needed:

   • Add "ali-real-client-ip" Header

   • Add Visitor Location Headers

   • Add Security Request Headers

   • Add Security Response Headers