
Edge Security Acceleration: Custom rules

Last Updated: Oct 12, 2025

Custom rules let you define access policies for your site. Each rule pairs request matching conditions with an action, such as Block or Monitor, that controls how matching user requests are handled. This helps you flexibly restrict the content that users can access.

Configure a custom rule

  1. In the ESA console, choose Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > WAF.

  3. Click the Custom Rules tab. On the Custom Rules tab, click Create Rule.

    • Enter a Rule Name.

    • In the If requests match... section, set the conditions for matching requests. For more information, see Components of a rule expression.

    • In the Then execute... section, set the protection action to take when a request hits the rule. For more information, see Action descriptions.

  4. Click OK.

Action descriptions

  • Block: Blocks requests that hit a rule and returns a block response page to the client.

    Note

    For more information, see Configure custom pages.

  • Monitor: Does not block requests that hit a rule. Instead, it only logs the event. You can query WAF logs to find requests that hit the rule and analyze its effectiveness, for example, to check for false positives. Monitor mode is useful for testing newly configured rules. After you confirm that the rule does not cause false positives, set the action to Block.

    Note

    You must activate Simple Log Service to use the log query feature.

  • JavaScript Challenge: WAF returns a piece of JavaScript code that a standard browser can automatically execute. If the client executes the JavaScript code correctly, WAF allows all subsequent requests from that client for a period of time (30 minutes by default) without another challenge. Otherwise, WAF blocks the request.

  • Slider CAPTCHA: WAF returns a slider verification page to the client. If the client successfully completes the slider verification, WAF allows all subsequent requests from that client for a period of 30 minutes by default. Otherwise, WAF blocks the request.

    Note
    • If the verification is successful (a user successfully completes the slider challenge), the traffic is counted. If the verification fails, the traffic is not counted.

    • The JavaScript Challenge and Slider actions for WAF custom rules and rate limiting rules apply only to static pages. To support asynchronous API responses such as XMLHttpRequest and Fetch, enable JavaScript Challenge and Slider in Bot Management. After you enable them, when a request hits a rule, ESA initiates a JavaScript Challenge or Slider verification for the client. After the client passes the verification, ESA adds the Cookie headers acw_sc__v2 and acw_sc__v3, respectively, to the HTTP message. These headers indicate that the client has been authenticated.

Configuration example

  • Security scenario: You use security analytics or Event Analysis and discover that a client with the IP address 193.xx.xx.xx has sent abnormal requests to the host dns.example.com.

  • Example custom rule configuration:

    • Rule expression: Hostname equals www.example.com AND Client IP equals 192.xx.xx.xx.

    • Action: Set the operation to Block and use the Default Error Page.

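The rule expression above joins its two conditions with AND, and the Monitor action records hits without blocking. The following added example (not part of the original page and not ESA code) replays such an expression over constructed request records to show which requests the rule would hit before it is switched to Block. The rule name, record field names, the placeholder address 192.0.2.10 (the page masks the real one) and the hostname/IP normalization are assumptions of this sketch, not documented ESA behavior.

```python
import ipaddress

# Constructed rule mirroring the page's example expression.
RULE = {
    "name": "block-abnormal-client",      # hypothetical rule name
    "action": "monitor",                  # switch to "block" after review
    "conditions": [("hostname", "equals", "www.example.com"),
                   ("client_ip", "equals", "192.0.2.10")],  # placeholder IP
}

# Constructed request records; field names are hypothetical, not a log schema.
REQUESTS = [
    {"hostname": "www.example.com", "client_ip": "192.0.2.10", "uri": "/login"},
    {"hostname": "WWW.Example.com.", "client_ip": "192.0.2.10", "uri": "/search"},
    {"hostname": "www.example.com", "client_ip": "192.0.2.11", "uri": "/"},
    {"hostname": "api.example.com", "client_ip": "192.0.2.10", "uri": "/v1/items"},
    {"hostname": "www.example.com", "client_ip": "not-an-ip", "uri": "/"},
]

def normalize(field, value):
    """Canonicalize a value so that 'equals' compares like with like."""
    if field == "hostname":
        return value.strip().rstrip(".").lower()   # DNS names are case-insensitive
    if field == "client_ip":
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return None                            # malformed address never matches
    return value

def matches(rule, request):
    """Every condition must hold (AND), as in the page's rule expression."""
    for field, op, expected in rule["conditions"]:
        if op != "equals":
            raise ValueError(f"unsupported operator: {op}")
        actual = normalize(field, request.get(field, ""))
        if actual is None or actual != normalize(field, expected):
            return False
    return True

def dry_run(rule, requests):
    """Split requests into (hits, passed) without blocking anything."""
    hits = [r for r in requests if matches(rule, r)]
    passed = [r for r in requests if not matches(rule, r)]
    return hits, passed

if __name__ == "__main__":
    hits, passed = dry_run(RULE, REQUESTS)
    print(f"{RULE['name']} ({RULE['action']}): {len(hits)} hit(s), {len(passed)} passed")
    for r in hits:
        print("  HIT", r["hostname"], r["client_ip"], r["uri"])
```

Requests from the same client to a different hostname are not hit, because both conditions must match.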

Supported editions

| Feature | Entrance | Pro | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Number of custom rules | 5 | 20 | 100 | 100 |

References

Rule-related features differ in terms of effective priority, re-entrancy, and granularity. For more information, see Feature descriptions for rules.