
Edge Security Acceleration: Managed transforms

Last Updated: Jun 20, 2025

You can use the managed transforms feature of Edge Security Acceleration (ESA) to adjust HTTP request and response headers. This feature is suitable for transmitting client information and enhancing security.

HTTP request headers

Add HTTP Header

If you enable this switch, ESA includes a custom header (ali-real-client-ip by default) in origin requests to specify the real IP address of the client.

Note

You can view the real IP addresses of clients in access and origin logs.

Add Visitor Location Headers

If you enable this switch, ESA includes the custom header ali-ip-country in origin requests to specify the location (country or region) of a client.

When you set the value of the header, you must specify 2-letter alpha-2 country or region codes that follow the ISO 3166-1 standard. For example, if you set the value of the ali-ip-country header to cn, the client is located in the Chinese mainland.
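An added example (not part of the ESA documentation) of how an origin application might consume ali-real-client-ip and ali-ip-country: it honours them only when the TCP peer is an ESA edge address, because a client that reaches the origin directly can send the same header names. The function name, the trusted ranges (constructed placeholders) and the fallback behaviour are assumptions.

```python
import ipaddress
import re

# Assumption: CIDR ranges from which ESA connects to this origin. These are
# constructed placeholders (RFC 5737 documentation ranges), not real ESA ranges.
TRUSTED_EDGE_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")
]
# Header names as given on this page; the IP header name is configurable in ESA.
IP_HEADER = "ali-real-client-ip"
COUNTRY_HEADER = "ali-ip-country"
ALPHA2 = re.compile(r"[A-Za-z]{2}")


def client_context(peer_ip, headers):
    """Return (client_ip, country) for one request received by the origin.

    peer_ip is the TCP peer address the origin sees; headers is a dict of
    request headers. The ESA headers are used only if the peer is a trusted
    edge address and the values are well formed.
    """
    peer = ipaddress.ip_address(peer_ip)
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if not any(peer in net for net in TRUSTED_EDGE_RANGES):
        # Request did not come through ESA: header values are client-supplied.
        return str(peer), None
    try:
        client = ipaddress.ip_address(hdrs.get(IP_HEADER, ""))
    except ValueError:
        client = peer  # header missing or not a single IP literal
    country = hdrs.get(COUNTRY_HEADER, "")
    country = country.lower() if ALPHA2.fullmatch(country) else None
    return str(client), country


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, request headers).
    samples = [
        ("203.0.113.10", {"Ali-Real-Client-IP": "192.0.2.44", "ali-ip-country": "cn"}),
        ("192.0.2.99", {"ali-real-client-ip": "10.0.0.1", "ali-ip-country": "cn"}),
        ("198.51.100.7", {"ali-real-client-ip": "not-an-ip", "ali-ip-country": "chn"}),
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_context(peer, hdrs))
```

The second sample shows the case to watch for: the peer is outside the trusted ranges, so the supplied header values are ignored and the peer address is used for logging and access decisions.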

Add Security Request Headers

If you enable this switch, ESA includes bot-related HTTP headers (TLS fingerprints) in origin requests to specify client types.

Note

A TLS fingerprint is a unique identifier that is generated by capturing the parameters and behavior of a client during a TLS/SSL connection. It can be used to identify clients.

HTTP response headers

Add Security Response Headers

If you enable this switch, ESA adds the following security HTTP response headers when responding to clients:

  • x-content-type-options: nosniff

  • x-xss-protection: 1; mode=block

  • x-frame-options: SAMEORIGIN

  • referrer-policy: same-origin

  • expect-ct: max-age=86400, enforce

These response headers enhance web page security and protect your website from cross-site scripting (XSS) and clickjacking attacks.

Configure a managed transform rule

  1. In the ESA console, choose Websites and click the name of the website you want to manage.

  2. In the left-side navigation pane, choose Rules > Transform Rules.

  3. Click the Managed Transforms tab.

  4. Enable the following options as needed:

    • HTTP Request Headers

      Enable Add HTTP Header, Add Visitor Location Headers, and Add Security Request Headers.

    • HTTP Response Headers

      Enable Add Security Response Headers.