ESA offers a suite of pre-configured protection templates designed to defend against common attack types and scenarios. These standardized templates allow you to quickly deploy effective mitigation policies by configuring only a few parameters, simplifying WAF setup and making your security operations more efficient.
Template details
Region-based blacklist
This template leverages a high-precision IP geolocation database to identify the geographic origin of incoming requests and automatically block traffic from specified countries or regions. Geolocation describes the address a request arrives from, so clients behind VPNs, proxies, or relays in another region are attributed to that region; treat the template as a traffic-reduction control rather than an authentication boundary.
Use cases
Mitigate international attacks: Quickly create geo-fencing policies for regions identified as attack sources in historical logs.
Compliance & data sovereignty: Block unauthorized access from jurisdictions where data residency regulations apply.
Optimize business performance: During high-traffic events (such as e-commerce sales), temporarily block traffic from high-latency regions to reduce server load.
Block requests with empty Referer header
This template inspects the Referer header in HTTP requests and blocks those with an empty value.
Use cases
Block simple crawlers: Many automated tools (such as Scrapy and Python requests) omit the Referer header or send an explicitly empty one (headers={"Referer": ""}) to bypass detection.
Prevent resource hotlinking: Stop third-party websites from embedding your images, CSS, or JS files, which consumes bandwidth and affects performance.
Note that legitimate clients also arrive without a Referer: direct navigation, bookmarks, and pages served with a Referrer-Policy of no-referrer. Check the share of such traffic in your access logs before enabling the template on a site that expects those visitors.
IP-based rate limiting
This template lets you dynamically manage the access frequency of individual IP addresses. If the same source IP sends more than 20 HTTP requests to a specified domain name within 10 seconds, the block mechanism is automatically triggered. The IP is added to a temporary blacklist and blocked for one hour. You can also adjust the access frequency threshold (for example, from 20 requests/10 seconds to 40 requests/15 seconds) and the block duration to suit different business scenarios.
Use cases
DDoS defense: Mitigate low-volume application-layer floods in which individual IPs send high-frequency GET requests.
Crawler limiting: Suppress directory brute-forcing or data scraping tools. For example, a crawler tool might access the /products/ path at a frequency of 20 requests per 10 seconds.
API abuse protection: Prevent abuse of public APIs, such as flooding a text message CAPTCHA endpoint.
Dynamic request rate limiting
Applies rate limiting selectively to origin-fetch requests that bypass cache and hit the origin server. This protects backend resources while allowing cached traffic to flow freely.
Use cases
API abuse protection: A SaaS platform limits access to the /data/export API to prevent data scraping.
Resource exhaustion defense: A video platform enables dynamic rate limiting during a live stream to prevent CPU overload.
Crawler suppression: Tiered limits are applied to /search API calls (such as > 200 requests/sec) to reduce server load.
Scanning protection
Uses behavior analysis and pattern recognition to detect and block web directory scanning tools (such as dirsearch and gobuster). Automatically blacklists IPs that repeatedly request non-existent paths (404 responses).
Use cases
Vulnerability scanning defense: A financial platform blocks dirsearch from brute-forcing /config/, stopping 12,000 scan attempts in one day.
Sensitive file protection: An e-commerce website detects and blocks attempts to access .git/ to prevent source code theft.
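The following added example is not ESA code. It reproduces the mechanism shared by the IP-based rate limiting template and the scanning protection template: per-IP event counting over a sliding window, with a temporary blacklist once the count exceeds a threshold. The rate-limit parameters (more than 20 requests in 10 seconds, one-hour block) are the ones the page states; the scanning thresholds (10 404 responses in 60 seconds), the IP addresses, and the traffic are constructed assumptions, since the page gives no figures for them.

```python
"""Per-IP sliding-window counting with a temporary blacklist.

Added example, not ESA code. Rate limiting counts every request; scanning
protection counts only 404 responses. Thresholds for the scanning case and
all traffic below are constructed, not values taken from the page.
"""
from collections import defaultdict, deque


class SlidingWindowBlocker:
    """Block an IP once MORE than `threshold` counted events fall inside a
    `window`-second sliding window; the block lasts `block_seconds`."""

    def __init__(self, threshold, window, block_seconds):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.events = defaultdict(deque)   # ip -> timestamps of counted events
        self.blocked_until = {}            # ip -> time the temporary block ends

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        # Block expired: drop it and start the client with a clean window.
        del self.blocked_until[ip]
        self.events[ip].clear()
        return False

    def record(self, ip, now):
        """Count one event for `ip` at time `now`; True if the IP is blocked."""
        if self.is_blocked(ip, now):
            return True
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # evict events older than the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False


def apply_rate_limit(requests, threshold=20, window=10, block_seconds=3600):
    """IP-based rate limiting: every request counts, whatever the response.
    Returns ({ip: [blocked?, ...] in request order}, blocker)."""
    blocker = SlidingWindowBlocker(threshold, window, block_seconds)
    decisions = defaultdict(list)
    for ts, ip, _path, _status in requests:
        decisions[ip].append(blocker.record(ip, ts))
    return dict(decisions), blocker


def apply_scan_protection(requests, threshold=10, window=60, block_seconds=3600):
    """Scanning protection: only 404 responses count toward the threshold,
    but once blocked the IP is refused regardless of what it asks for."""
    blocker = SlidingWindowBlocker(threshold, window, block_seconds)
    decisions = defaultdict(list)
    for ts, ip, _path, status in requests:
        if blocker.is_blocked(ip, ts):
            decisions[ip].append(True)
        elif status == 404:
            decisions[ip].append(blocker.record(ip, ts))
        else:
            decisions[ip].append(False)
    return dict(decisions), blocker


# Constructed traffic: (timestamp in seconds, client IP, path, origin status).
CRAWLER = "203.0.113.10"   # 25 hits on /products/ in under 10 s
USER = "198.51.100.7"      # a person browsing normally
SCANNER = "203.0.113.99"   # dirsearch-style probing of non-existent paths
TRAFFIC = sorted(
    [(i * 0.4, CRAWLER, "/products/", 200) for i in range(25)]
    + [(1.0, USER, "/", 200), (4.5, USER, "/products/", 200), (9.0, USER, "/cart", 200)]
    + [(100 + i, SCANNER, f"/wordlist-{i}/", 404) for i in range(12)]
    + [(113, SCANNER, "/", 200)]   # a real page after the probes: still refused
)

if __name__ == "__main__":
    rate, rate_blocker = apply_rate_limit(TRAFFIC)
    scan, _ = apply_scan_protection(TRAFFIC)
    loose, _ = apply_rate_limit(TRAFFIC, threshold=40, window=15)
    for ip in (CRAWLER, USER, SCANNER):
        print(f"{ip:14} rate-limited {sum(rate[ip]):2d}/{len(rate[ip])}  "
              f"at 40/15s {sum(loose[ip]):2d}  scan-blocked {sum(scan[ip]):2d}/{len(scan[ip])}")
    # The crawler's block lifts exactly block_seconds after the 21st request (t=8.0).
    print("crawler blocked at t=3607.9:", rate_blocker.is_blocked(CRAWLER, 3607.9))
    print("crawler blocked at t=3608.0:", rate_blocker.is_blocked(CRAWLER, 3608.0))
```

With the default 20 requests per 10 seconds, the crawler's 21st request trips the block and its remaining requests are refused, while the scanner's 13 requests stay under the rate threshold and are caught only by the 404-based policy. Relaxing the limit to 40 requests per 15 seconds, the adjustment the page mentions, lets the same crawler through, which is the trade-off to weigh when tuning. The dynamic request rate limiting template is the same counter fed only with requests that miss the cache and reach the origin.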
Brute force attack protection
Analyzes the frequency of managed rule triggers to identify suspicious behavior. Automatically blocks clients that repeatedly trigger basic security rules (such as login attempts).
Use cases
Account brute-force defense: A bank's payment platform blocks automated login attempts via the /login interface.
API protection during promotions: An e-commerce site stops bots from spamming /api/coupon to claim discounts.
Allow specified IPs
Creates an IP whitelist that lets trusted sources bypass WAF or Bot protection entirely and reach the backend directly. Because a whitelisted address is not inspected at all, keep the list to specific addresses or small ranges and review it whenever the trusted party's infrastructure changes.
Use cases
Internal system trust: Whitelist internal IPs (such as 192.0.XX.XX) for seamless communication between OA and ERP systems.
Partner access: Whitelist a payment gateway's IP (such as 192.0.XX.XX) to ensure low-latency transaction processing.
Allow static requests
Identifies static resource requests (such as images, CSS, and JS) and applies a pass-through policy, bypassing WAF or Bot checks. Only dynamic origin-fetch requests are protected.
Use cases
High-concurrency events: During a flash sale, an e-commerce site handles 100,000 image requests per second without triggering origin rate limits.
Hybrid cloud optimization: Static assets in /public/ are allowed to pass through; only /api/ requests are protected, reducing inspection costs.
Whitelist specified path
Uses exact URL path matching to bypass WAF or Bot protection for specific endpoints. Requests to a whitelisted path are not inspected, so the endpoint's own input validation is the only control that remains for it.
Use cases
Code repository uploads: An open-source platform whitelists /git/repo/submit to prevent WAF from blocking developer submissions.
File upload interfaces: A company whitelists /file/upload to avoid rate limiting during large file transfers.
Third-party integration testing: A payment gateway whitelists /partner/test to simplify joint API testing.
Configuration example
An online advertising platform detected fraudulent click traffic that increased bandwidth costs by 30%. Analysis revealed attackers were simulating clicks using requests with an empty Referer header with over 150,000 such requests per day.
Solution: Block empty referer requests
In the ESA console, choose Websites, and then click the target website in the Website column.
In the navigation pane on the left, choose .
On the Overview tab, click Create in the Block Empty Referer Requests section.
Enter a Rule Name. Keep the default settings in the If requests match... and Then execute... sections. Then, click OK.
Result: Requests with empty Referer headers are now blocked.
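As an added example (not part of the page or the ESA console), the script below performs the kind of log analysis the scenario refers to, run before the rule is enabled: it parses combined-format access log lines, counts the requests with no Referer, and breaks them down by user agent and path so that the fraudulent volume and the legitimate collateral can both be sized. The log lines, IP addresses, and user agents are constructed. One caveat the example builds in: common log formats (nginx writes "-" for any empty variable) record a missing and an empty Referer identically, so the audit counts both spellings.

```python
"""Pre-deployment audit for the empty-Referer rule.

Added example, not ESA code. Counts how much traffic in an access log has
no Referer and who sends it, so the fraud volume can be confirmed and the
legitimate collateral (direct visits, bookmarks, pages served with
Referrer-Policy: no-referrer) can be sized. All log lines are constructed.
"""
import re
from collections import Counter

# combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def referer_is_empty(referer_field):
    """True for both spellings of 'no Referer' that end up in logs:
    "-" (the logger's placeholder) and a literal empty value."""
    return referer_field in ("", "-")


def audit_empty_referer(lines):
    """Count requests the template would match and break them down by
    user agent and path. Returns totals and Counters in a dict."""
    total = 0
    empty = 0
    by_ua = Counter()
    by_path = Counter()
    browser_like = 0
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue                      # malformed line: skip, count nothing
        total += 1
        if not referer_is_empty(rec["referer"]):
            continue
        empty += 1
        by_ua[rec["ua"]] += 1
        by_path[rec["target"].split("?", 1)[0]] += 1   # group by path, drop the query
        # Crude collateral estimate: browsers announce themselves as Mozilla/5.0.
        # A bot can forge this, so treat the figure as a rough upper bound.
        if rec["ua"].startswith("Mozilla/"):
            browser_like += 1
    return {"total": total, "empty_referer": empty, "by_user_agent": by_ua,
            "by_path": by_path, "browser_like": browser_like}


# Constructed sample: click-fraud requests from a script, two genuine referred
# clicks, and one genuine direct visit that the rule would also block.
BOT_UA = "python-requests/2.31.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0 Safari/537.36"
SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /click?ad=1187 HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /click?ad=1187 HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /click?ad=2290 HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'203.0.113.6 - - [10/Oct/2023:13:55:37 +0000] "GET /click?ad=2290 HTTP/1.1" 302 0 "" "{BOT_UA}"',
    f'203.0.113.6 - - [10/Oct/2023:13:55:38 +0000] "GET /click?ad=1187 HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /click?ad=1187 HTTP/1.1" 302 0 "https://publisher.example/article" "{CHROME_UA}"',
    f'198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /landing HTTP/1.1" 200 5120 "https://ads.example/click?ad=1187" "{CHROME_UA}"',
    f'198.51.100.40 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 3071 "-" "{SAFARI_UA}"',
]

if __name__ == "__main__":
    report = audit_empty_referer(SAMPLE_LOG)
    share = 100 * report["empty_referer"] / report["total"]
    print(f"{report['empty_referer']} of {report['total']} requests ({share:.0f}%) "
          f"have no Referer; {report['browser_like']} of those look like browsers")
    for ua, n in report["by_user_agent"].most_common():
        print(f"  {n:3d}  {ua}")
    for path, n in report["by_path"].most_common():
        print(f"  {n:3d}  {path}")
```

In the sample, six of eight requests lack a Referer: five from the scripted client hitting /click, which is the traffic the rule is meant for, and one direct visit to / from a browser, which the rule would also block. Run the same audit over a real day of logs to confirm that the figure the scenario quotes is dominated by the fraudulent pattern before turning the template on.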