
Edge Security Acceleration: Other security settings

Last Updated: Apr 01, 2026

On the security settings page, you can define how ESA identifies client IP addresses, adjust the global security level for threat challenges, and configure the request body detection limit for security rule matching.

Client IP definition

Specify which IP address ESA treats as the client IP when evaluating WAF and bot management rules. By default, ESA uses the connecting IP as the client IP. You can also specify a custom header to identify the client IP.

Using Edge Security Acceleration (ESA) as a proxy typically improves your website's performance and security. Without other proxy services, clients connect directly to an ESA point of presence (POP), as shown in the following figure. In this scenario, ESA can identify the real client IP:

[Figure: clients connecting directly to an ESA POP]

However, if a third-party reverse proxy (such as an external WAF, a DDoS protection service, or a site with edge functions enabled) sits between the client and ESA, the proxy connects to the ESA POP instead of the client. As a result, the connecting IP that ESA sees is the proxy's IP, not the real client IP. To address this, configure a custom header that carries the real client IP, and ensure the upstream proxy writes the client IP into that header.

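[Figure: a third-party reverse proxy between the client and the ESA POP; the connecting IP is 10.10.10.10 and the custom header contains 192.168.0.1]

Note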

The custom header (for example, the one containing 192.168.0.1 in the figure) only affects WAF and bot rule evaluation. The actual connecting IP (for example, 10.10.10.10 in the figure) is still recorded in security analysis, event analysis, traffic analysis, offline logs, and real-time logs.

Procedure

  1. On the ESA console, select Websites. In the Website column, click the target site.

  2. In the left-side navigation pane, choose Security > Settings.

  3. In the Client IP Definition section, click Configure and select a method for identifying the client IP.

    • Connect IP (Default): The IP address that connects directly to the ESA point of presence (POP).

    • Custom Header: Specify one or more custom headers to identify the client IP. You can enter up to five headers, separated by commas.

  4. Click OK.
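
The upstream-proxy half of the Custom Header setup, as an added example (not Alibaba Cloud code): the proxy overwrites the header with the address of its own TCP peer and drops any copy the client sent, so the value the WAF and bot rules evaluate is never client-controlled. The header name `X-Real-Client-IP`, the function name, and the sample request are assumptions made for illustration.

```python
import ipaddress

# Hypothetical header name; use the name entered under Custom Header in ESA.
CLIENT_IP_HEADER = "X-Real-Client-IP"


def set_client_ip_header(peer_ip, incoming_headers, header_name=CLIENT_IP_HEADER):
    """Build the header list the upstream proxy forwards to ESA.

    peer_ip          -- address of the TCP peer as seen on the proxy's socket
    incoming_headers -- list of (name, value) pairs received from the client
    Returns (forwarded_headers, dropped_values).
    """
    # Validate the socket address; raises ValueError if it is not a single IP.
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; normalise them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    wanted = header_name.lower()
    forwarded, dropped = [], []
    for name, value in incoming_headers:
        # Header names are case-insensitive: remove every client-supplied copy
        # instead of appending to it, and keep the values for logging.
        if name.strip().lower() == wanted:
            dropped.append(value)
            continue
        forwarded.append((name, value))

    # Exactly one instance of the header, taken from the socket address.
    forwarded.append((header_name, str(addr)))
    return forwarded, dropped


# Constructed sample: a request that already carries two copies of the header.
SAMPLE_REQUEST_HEADERS = [
    ("Host", "www.example.com"),
    ("x-real-client-ip", "198.51.100.9"),
    ("X-Real-Client-IP", "10.0.0.1"),
    ("User-Agent", "curl/8.5.0"),
]

if __name__ == "__main__":
    headers, dropped = set_client_ip_header("203.0.113.7", SAMPLE_REQUEST_HEADERS)
    for name, value in headers:
        print(f"{name}: {value}")
    print("dropped client-supplied values:", dropped)
```

A non-empty `dropped` list is worth logging on the proxy, since legitimate clients have no reason to send this header themselves.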

Security level

ESA uses a massive threat intelligence database to identify threatening requests. Based on the configured security level, ESA challenges requests from IP addresses with different threat levels. Only requests that pass the challenge receive a normal response. The security levels are as follows:

| Security level | Description |
| --- | --- |
| Low (Default) | Challenges only IP addresses with the highest threat score. This default level is recommended if your site has no history of attacks or volumetric traffic abuse. |
| Medium | Challenges IP addresses with a high threat score. Recommended for sites that require enhanced security or have a history of volumetric traffic abuse. |
| High | Challenges any IP address that exhibits suspicious behavior. Recommended only during periods that require critical protection, if your site has a history of attacks, or if it is currently under attack. |
| I'm Under Attack | Challenges all visitors. Use this option only when your site is actively under attack. |
| Essentially Off | Retains only the minimum ESA platform protection policy. ESA still challenges high-risk requests to ensure platform security. Use this level only when severe false positives occur. |
| Off (Available in Enterprise Plans) | Completely disables security protection. This option is available only for Enterprise plans. Use only in cases of severe false positives. |

Important

  • Choosing a higher security level may impact legitimate visitors. Adjust the level based on your security needs at different times.

  • If legitimate IP addresses or API requests are blocked incorrectly, create whitelist rules to allow them.

  • The security level and WAF rules are independent features. The security level setting uses ESA's threat intelligence to challenge visitors, while WAF rules let you create custom rules to do the same.

Procedure

  1. On the ESA console, select Websites. In the Website column, click the target site.

  2. In the left-side navigation pane, choose Security > Settings.

  3. In the Security Level section, select the appropriate Security Level.

  4. Click OK.

Request body check limit

When security rules need to inspect the request body, ESA reads only the first 8 KB by default. If the request body exceeds 8 KB and no blocking rules match within the first 8 KB, the request is allowed through. To increase this limit, go to Security > Settings > Request Body Check Limit.