Tencent Cloud EdgeOne

Configuration Group Syntax Explanation

Last updated: 2026-06-03 17:06:37
This document explains the syntax of the module configuration group structures used in version management. The Condition structure and the variable definitions are covered in detail in their own chapters:
Nesting rules and syntax details for conditional expressions: Condition.
Dynamic extraction rules for request data: Variable.

Common Unit Standard

All time values must be given in seconds (s) and all file sizes in bytes (B); each value must consist of digits only.

| Unit Type | Configuration Example and Description |
| --- | --- |
| Time (seconds) | Set a 30-minute cache: 30 * 60 = 1800 |
| Size (bytes) | Set a 10 MB size limit: 10 * 1024 * 1024 = 10485760 |

Configuration Group Overview

The version file for each site contains the following fields, with descriptions as follows:
| Configuration Field | Type | Required | Corresponding Configuration Group | Description |
| --- | --- | --- | --- | --- |
| FormatVersion | String | Yes | Global Configuration | Syntax version, defaults to 1.0. Entering any other value reports an error. |
| ZoneConfig | | No | Site Acceleration Configuration Group | Site-level configuration includes all configuration items in Site Acceleration, and all are required unless the configuration is invalid. |
| Rules | Array of Rules | No | Site Acceleration Configuration Group | Rule-level configuration includes all rules in the rule engine, and the array can be empty, indicating no rules are enabled. |
| WebSecurity | | No | Web protection configuration group | Web security protection settings, covering the features available in the console under "Security Protection - Web Protection". For details, see WebSecurity. |

Data Types

AccelerateMainlandParameters

Accelerate optimization and configuration in mainland China.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Switch for Chinese mainland acceleration optimization. Valid values:<br>on: Enable.<br>off: Disable. |

AccessURLRedirectParameters

Access URL redirection configuration parameters.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| StatusCode | Integer | No | Status code, value is one of 301, 302, 303, 307, 308. |
| Protocol | String | No | Target request protocol, values as follows:<br>http: target request protocol HTTP.<br>https: target request protocol HTTPS.<br>follow: Follow request. |
| HostName | | No | Target HostName.<br>Note: This field may return null, indicating no valid value. |
| URLPath | | No | Target path.<br>Note: This field may return null, indicating no valid value. |
| QueryString | | No | Query string.<br>Note: This field may return null, indicating no valid value. |

AccessURLRedirectQueryString

Access URL redirection configuration parameters.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Action | String | No | Execution action. The values are as follows:<br>full: retain all.<br>ignore: ignore all. |

AdaptiveFrequencyControl

Adaptive frequency control.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | Yes | Whether adaptive frequency control is enabled. Valid values:<br>on: Enable.<br>off: Disable. |
| Id | String | No | The rule ID of adaptive frequency control, only returned in output. |
| Sensitivity | String | No | The restriction level of adaptive frequency control. This field is required when Enabled is on. Valid values:<br>Loose: Loose.<br>Moderate: Moderate.<br>Strict: Strict. |
| Action | | No | The handling method of adaptive frequency control. This field is required when Enabled is on. SecurityAction Name supports:<br>Monitor: Monitor.<br>Deny: Block.<br>Challenge: Challenge. For the ChallengeActionParameters.Name parameter, only JSChallenge is supported. |

AICrawlerDetection

Specific configurations for AI crawler detection.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | No | Whether AI crawler detection is enabled. Values are as follows:<br>on: Enable.<br>off: Disable. |
| Action | | No | The execution action for AI crawler detection. This field is required when Enabled is on. SecurityAction Name supports only the following values:<br>Deny: Block.<br>Monitor: Monitor.<br>Allow: Allow.<br>Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports only JSChallenge and ManagedChallenge. |

AllowActionParameters

Additional parameters for the Web security Allow action.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| MinDelayTime | String | No | Minimum latency response time. When set to 0s, it indicates an immediate response without delay. Supported measurement units:<br>s: seconds, value ranges from 0 to 5. |
| MaxDelayTime | String | No | Maximum latency response time. Supported measurement units:<br>s: seconds, value ranges from 5 to 10. |

AuthenticationParameters

Token authentication configuration parameters.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| AuthType | String | No | Authentication type. Valid values:<br>TypeA: Authentication method type A. For specific meaning, see Authentication Method A.<br>TypeB: Authentication method type B. For specific meaning, see Authentication Method B.<br>TypeC: Authentication method type C. For specific meaning, see Authentication Method C.<br>TypeD: Authentication method type D. For specific meaning, see Authentication Method D.<br>TypeVOD: Authentication method type V. For specific meaning, see Authentication Method V. |
| SecretKey | String | No | Primary authentication key, consisting of 6–40 uppercase/lowercase letters or numbers, cannot contain " and $. |
| Timeout | Integer | No | Valid duration of the authentication URL, in seconds, value: 1–630720000. Used to judge whether the client access request has expired.<br>If the current time exceeds "timestamp + validity period", it is an expired request, and a 403 is returned directly.<br>If the current time does not exceed "timestamp + validity period", the request is not expired, and the MD5 string continues to be validated.<br>Note: When AuthType is one of TypeA, TypeB, TypeC, or TypeD, this field is required. |
| BackupSecretKey | String | No | Backup authentication key, consisting of 6–40 uppercase/lowercase letters or numbers, cannot contain " and $. |
| AuthParam | String | No | Authentication parameter name. The node will validate the corresponding value of this parameter name. It consists of 1–100 uppercase/lowercase letters, numbers, or underscores.<br>Note: This field is required when AuthType is either TypeA or TypeD. |
| TimeParam | String | No | Authentication timestamp, which cannot be the same as the field value of AuthParam.<br>Note: This field is required when AuthType is TypeD. |
| TimeFormat | String | No | Authentication time format. Valid values:<br>dec: decimal.<br>hex: hexadecimal.<br>Note: This field is required when AuthType is TypeD. The default is hex. |
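The field rules in the AuthenticationParameters table can be checked before a version is published. The following is an added example, not EdgeOne code: `lint_authentication` and `is_expired` are hypothetical helper names, the configuration is assumed to be already parsed into a Python dict, and a missing TimeFormat is assumed to fall back to the documented default of hex.

```python
import re
import time

# Constraints transcribed from the AuthenticationParameters table.
AUTH_TYPES = {"TypeA", "TypeB", "TypeC", "TypeD", "TypeVOD"}
NEEDS_TIMEOUT = {"TypeA", "TypeB", "TypeC", "TypeD"}
NEEDS_AUTH_PARAM = {"TypeA", "TypeD"}
KEY_RE = re.compile(r"[A-Za-z0-9]{6,40}")      # SecretKey, BackupSecretKey
PARAM_RE = re.compile(r"[A-Za-z0-9_]{1,100}")  # AuthParam
TIMEOUT_MIN, TIMEOUT_MAX = 1, 630720000


def lint_authentication(params):
    """Return a list of rule violations for one AuthenticationParameters dict."""
    auth_type = params.get("AuthType")
    if auth_type not in AUTH_TYPES:
        return [f"AuthType: {auth_type!r} is not a documented value"]
    problems = []

    for field in ("SecretKey", "BackupSecretKey"):
        value = params.get(field)
        if value is not None and not KEY_RE.fullmatch(str(value)):
            problems.append(f"{field}: must be 6-40 letters or digits")

    timeout = params.get("Timeout")
    if timeout is None:
        if auth_type in NEEDS_TIMEOUT:
            problems.append(f"Timeout: required when AuthType is {auth_type}")
    elif type(timeout) is not int or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        problems.append(f"Timeout: must be an integer in {TIMEOUT_MIN}-{TIMEOUT_MAX}")

    auth_param = params.get("AuthParam")
    if auth_param is None:
        if auth_type in NEEDS_AUTH_PARAM:
            problems.append(f"AuthParam: required when AuthType is {auth_type}")
    elif not PARAM_RE.fullmatch(str(auth_param)):
        problems.append("AuthParam: must be 1-100 letters, digits or underscores")

    time_param = params.get("TimeParam")
    if time_param is None:
        if auth_type == "TypeD":
            problems.append("TimeParam: required when AuthType is TypeD")
    elif time_param == auth_param:
        problems.append("TimeParam: must differ from AuthParam")

    time_format = params.get("TimeFormat")
    if time_format is not None and time_format not in ("dec", "hex"):
        problems.append("TimeFormat: must be dec or hex")
    return problems


def is_expired(timestamp_text, timeout, time_format="hex", now=None):
    """Apply the documented expiry rule: expired when now > timestamp + Timeout.

    The timestamp is parsed strictly; int() alone would also accept a "0x"
    prefix, surrounding whitespace and underscores.
    """
    digits = r"[0-9a-fA-F]+" if time_format == "hex" else r"[0-9]+"
    if not re.fullmatch(digits, timestamp_text):
        raise ValueError(f"timestamp is not plain {time_format} digits")
    issued = int(timestamp_text, 16 if time_format == "hex" else 10)
    current = time.time() if now is None else now
    return current > issued + timeout


# Constructed sample configurations (not taken from a real site).
SAMPLE_OK = {"AuthType": "TypeD", "SecretKey": "Abc123xyz", "Timeout": 1800,
             "AuthParam": "sign", "TimeParam": "t", "TimeFormat": "hex"}
SAMPLE_BAD = {"AuthType": "TypeA", "SecretKey": "pa$$word1"}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint_authentication(sample))
```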

BandwidthAbuseDefense

Specific configuration for traffic anti-scraping (applicable only to the Chinese mainland).
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | Yes | Whether bandwidth abuse protection (applicable only to Chinese mainland) is enabled. Valid values:<br>on: Enable.<br>off: Disable. |
| Id | String | No | The rule ID of traffic anti-fraud, only returned in output. |
| Action | | No | The handling method of Traffic Anti-Fraud (applicable only to Chinese mainland). This field is required when Enabled is on. SecurityAction Name supports:<br>Monitor: Monitor.<br>Deny: Block.<br>Challenge: Challenge. For the ChallengeActionParameters.Name parameter, only JSChallenge is supported. |

BasicBotSettings

The basic configuration for Bot management takes effect for all domains associated with the policy. You can perform fine-grained customization via CustomRules.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| SourceIDC | | No | Configuration for the source IDC of client IPs, used to handle access requests from client IPs in IDCs (data centers). Such source requests are not directly accessed by mobile or browser clients. |
| SearchEngineBots | | No | Configuration for search engine bots, used to handle requests from search engine bots. The IP address, User-Agent, or rDNS results of such requests match known search engine bots. |
| KnownBotCategories | | No | Configuration for User-Agent characteristics of commercial or open-source tools (formerly UA characteristic rules), used to handle access requests from known commercial or open-source tools. The User-Agent header of such requests matches the characteristics of known commercial or open-source tools. |
| IPReputation | | No | Configuration for the IP threat intelligence library (formerly client Profile Analytics), used to handle client IP addresses whose recent access behavior exhibits specific risk characteristics. |
| BotIntelligence | | No | Specific configuration for Bot intelligence analysis. |

BlockIPActionParameters

Additional parameters for the Web security IP block action.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Duration | String | Yes | The penalty duration for blocking an IP address. Supported units include:<br>s: seconds, value ranges from 1 to 120.<br>m: minutes, value ranges from 1 to 120.<br>h: hours, value ranges from 1 to 48. |

BotIntelligence

Specific configurations for Bot intelligent analysis.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | No | The specific configuration switch for Bot intelligence analysis. Valid values are:<br>on: Enable.<br>off: Disable. |
| Id | String | No | The rule ID for Bot intelligence analysis, only returned as an output parameter. |
| BotRatings | | No | Based on client and request characteristics, classifies request sources into human-originated requests, legitimate Bot requests, suspected Bot requests, and high-risk Bot requests, and provides request handling options. |

BotManagement

Web security Bot rule structure.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | No | Whether Bot management is enabled. Valid values:<br>on: Enable.<br>off: Disable. |
| CustomRules | | No | Custom rules for Bot management. They combine various crawler and request behavior characteristics to precisely define bots and configure customized handling methods. |
| BasicBotSettings | | No | Basic configuration for Bot management. It takes effect on all domains associated with the policy. You can perform fine-grained customization via CustomRules. |
| ClientAttestationRules | | No | Definition list of client authentication rules. This feature is in beta testing. Submit a ticket if needed. |
| BrowserImpersonationDetection | | No | Configures browser impersonation detection rules (formerly active feature identification rules). Sets the response page range for JavaScript injection, browser verification options, and handling methods for non-browser clients. |

BotManagementActionOverrides

Specific configurations for Bot rule items, used to override the default configurations at the upper level.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Ids | Array of String | No | Specific items under the Bot managed rule group, used to rewrite the configuration content of this single rule. For specific information corresponding to the Ids, see the information returned by the DescribeBotManagedRules API. |
| Action | | No | Specify the handling action for the Bot rule item in Ids. The Name of SecurityAction supports the following values:<br>Deny: Block.<br>Monitor: Monitor.<br>Disabled: Not enabled, disable specified rule.<br>Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.<br>Allow: Pass (only applicable to Bot basic feature management). |

BotManagementCustomRule

Web security Bot custom rules.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Id | String | No | Bot custom rule ID.<br>Different rule configurations can be supported through the rule ID:<br>Add new rule: ID is empty or no specified ID parameter.<br>Modify existing rule: specify the rule ID to be updated/modified.<br>Delete existing rules: Existing rules not included in the Rules list of the BotManagementCustomRules parameter will be deleted. |
| Name | String | No | Bot custom rule name. |
| Enabled | String | No | Whether the Bot custom rule is enabled. Valid values:<br>on: Enable.<br>off: Disable. |
| Priority | Integer | No | Priority of Bot custom rules, ranging from 1 to 100. Default is 50. |
| Condition | String | No | The content of the Bot custom rule must comply with expression grammar. For detailed specifications, refer to the product documentation. |
| Action | | No | Action for Bot custom rules. Valid values:<br>Monitor: Monitor.<br>Deny: Block. Within DenyActionParameters, the Name parameter supports Deny and ReturnCustomPage.<br>Challenge: Challenge. Within ChallengeActionParameters, the Name parameter supports JSChallenge and ManagedChallenge.<br>Redirect: Redirect to URL. |

BotManagementCustomRules

Configuration of Bot custom rules.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Rules | Array of BotManagementCustomRule | No | List of Bot custom rules. When ModifySecurityPolicy is used to modify the Web protection configuration:<br>If the Rules parameter in SecurityPolicy.BotManagement.CustomRules is not specified or has a length of zero: Clear all Bot custom rule configurations.<br>If the CustomRules parameter value is not specified in the SecurityPolicy.BotManagement parameter: Retain the existing Bot custom rule configurations without modification. |

BotManagementLite

Web security basic BOT rule structure.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| CAPTCHAPageChallenge | | No | Specific configuration for the CAPTCHA page. |
| AICrawlerDetection | | No | Specific configuration for AI crawler detection. |

BotRatings

Based on client and request characteristics, it categorizes request sources into human requests, legitimate Bot requests, suspected Bot requests, and high-risk Bot requests, and provides request handling options.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| HighRiskBotRequestsAction | | No | Handling action for malicious Bot requests. The Name of SecurityAction supports the following values:<br>Deny: Block.<br>Monitor: Monitor.<br>Allow: Allow.<br>Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge. |
| LikelyBotRequestsAction | | No | Handling action for suspected Bot requests. The Name of SecurityAction supports the following values:<br>Deny: Block.<br>Monitor: Monitor.<br>Allow: Allow.<br>Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge. |
| VerifiedBotRequestsAction | | No | Handling action for friendly Bot requests. The Name of SecurityAction supports the following values:<br>Deny: Block.<br>Monitor: Monitor.<br>Allow: Allow.<br>Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge. |
| HumanRequestsAction | | No | Handling action for normal Bot requests. The Name of SecurityAction supports the following values:<br>Allow: pass. |

BotSessionValidation

Specific configuration for Cookie validation and session tracking behavior.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| IssueNewBotSessionCookie | String | No | Whether to update and verify the Cookie. Values are as follows:<br>on: Update and validate the Cookie.<br>off: Validate only. |
| MaxNewSessionTriggerConfig | | No | The trigger threshold for updating and verifying the Cookie. It takes effect only when IssueNewBotSessionCookie is on. |
| SessionExpiredAction | | No | The execution action for requests without a Cookie or with an expired Cookie. Supported Name values for SecurityAction:<br>Deny: Block. Within DenyActionParameters, the Stall configuration is supported.<br>Monitor: Monitor.<br>Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured. |
| SessionInvalidAction | | No | The execution action for invalid Cookies. Supported Name values for SecurityAction:<br>Deny: Block. Within DenyActionParameters, the Stall configuration is supported.<br>Monitor: Monitor.<br>Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured. |
| SessionRateControl | | No | Specific configuration for session rate and periodic characteristic verification. |

BrowserImpersonationDetection

Configuration for browser spoofing detection rules (formerly known as active signature detection rules).
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Rules | | No | List of browser impersonation detection rules. Use ModifySecurityPolicy to modify Web protection configuration:<br>If the Rules parameter in SecurityPolicy.BotManagement.BrowserImpersonationDetection is not specified or has a length of zero: Clear all browser spoofing detection rule configurations.<br>If the BrowserImpersonationDetection parameter is not specified within SecurityPolicy.BotManagement: Retain the existing browser spoofing detection rule configurations without modification. |

BrowserImpersonationDetectionAction

The Action for Bot browser verification rules (formerly known as active signature detection rules).
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| BotSessionValidation | | No | Cookie validation and session tracking configuration. |
| ClientBehaviorDetection | | No | Client behavior validation configuration. |

BrowserImpersonationDetectionRule

Browser spoofing detection rules (formerly known as active signature detection rules).
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Id | String | No | ID of the browser impersonation detection rule.<br>Different rule configurations can be supported through the rule ID:<br>Add new rule: ID is empty or no specified ID parameter.<br>Modify existing rule: specify the rule ID to be updated/modified.<br>Delete existing rules: Existing rules not included in the Rules list of the BrowserImpersonationDetection parameter will be deleted. |
| Name | String | No | Name of the browser impersonation detection rule. |
| Enabled | String | No | Whether the browser impersonation detection rule is enabled. Valid values are:<br>on: Enable.<br>off: Disable. |
| Condition | String | No | Specific content of the browser impersonation detection rule. It only supports the configuration of the request method (Method), request path (Path), and request URL, and must comply with expression syntax. For detailed specifications, refer to the product documentation. |
| Action | | No | Handling method for the browser impersonation detection rule, including Cookie verification, session tracking configuration, and client behavior verification configuration. |

CacheConfigCustomTime

Node cache TTL custom cache time configuration parameters.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Custom cache time switch, valid values:<br>on: Enable.<br>off: Disable. |
| CacheTime | Integer | No | Custom cache time value, unit: seconds. Value range: 0–315360000.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |

CacheConfigParameters

Node cache TTL config.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| FollowOrigin | | No | Follow the origin site cache config. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |
| NoCache | | No | No cache configuration. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |
| CustomTime | | No | Custom cache time configuration. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |

CacheKeyConfigParameters

Cache key configuration.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| FullURLCache | String | No | Whether full path cache is enabled, values as follows:<br>on: Enable full path cache (ignore parameter disabled).<br>off: Disable full path cache (ignore parameter enabled). |
| IgnoreCase | String | No | Whether case-insensitive cache is enabled, values as follows:<br>on: Ignore.<br>off: Do not ignore. |
| QueryString | | No | The query string retention config. This field and FullURLCache must be set simultaneously but cannot both be on. |

CacheKeyCookie

Custom Cache Key Cookie config.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Feature switch, values as follows:<br>on: Enable.<br>off: Disable. |
| Action | String | No | Cache action, values are as follows:<br>full: Retain all.<br>ignore: Ignore all.<br>includeCustom: Retain specified parameters.<br>excludeCustom: Ignore specified parameters.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
| Values | Array of String | No | Custom Cache Key Cookie name list.<br>Note: This field is required when Action is includeCustom or excludeCustom. When Action is full or ignore, it is not required. If filled, it does not take effect. |

CacheKeyHeader

Custom Cache Key HTTP request header configuration.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Feature switch, values as follows:<br>on: Enable.<br>off: Disable. |
| Values | Array of String | No | Custom Cache Key HTTP request header list.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |

CacheKeyParameters

Custom Cache Key configuration parameters.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| FullURLCache | String | No | Retain all query strings switch, values as follows:<br>on: Enable.<br>off: Disable.<br>Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. This field and QueryString.Switch must be set simultaneously but cannot both be on. |
| QueryString | | No | The query string retention config. This field and FullURLCache must be set simultaneously but cannot both be on.<br>Note: This field may return null, indicating no valid value. |
| IgnoreCase | String | No | Case-insensitive switch, values as follows:<br>on: Enable.<br>off: Disable.<br>Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. |
| Header | | No | HTTP request header configuration parameters. At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie.<br>Note: This field may return null, indicating no valid value. |
| Scheme | String | No | Request protocol switch, values as follows:<br>on: Enable.<br>off: Disable.<br>Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. |
| Cookie | | No | Cookie configuration parameter. At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie.<br>Note: This field may return null, indicating no valid value. |

CacheKeyQueryString

Custom Cache Key query string configuration parameter.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Query string retain/ignore specified parameter switch, values as follows:<br>on: Enable.<br>off: Disable. |
| Action | String | No | Query string retain/ignore specified parameter action. Values are as follows:<br>includeCustom: Retain some parameters.<br>excludeCustom: Ignore some parameters.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
| Values | Array of String | No | List of parameter names to retain/ignore in the query string.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |

CacheParameters

Node cache TTL config.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| FollowOrigin | | No | Follow the origin site cache. Leaving it unset means this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |
| NoCache | | No | No cache. Leaving it unset means this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |
| CustomTime | | No | Custom cache time. Leaving it unset means this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on.<br>Note: This field may return null, indicating no valid value. |

CachePrefreshParameters

Cache pre-refresh configuration.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Cache pre-refresh switch, values are as follows:<br>on: Enable.<br>off: Disable. |
| CacheTimePercent | Integer | No | The pre-refresh time is set to a percentage value of the node cache time, values: 1–99.<br>Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |

CAPTCHAPageChallenge

Specific configuration for the human-machine verification page.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | No | Whether the CAPTCHA page is enabled. Valid values are:<br>on: Enable.<br>off: Disable. |

ChallengeActionParameters

Additional parameters for the Web security Challenge action.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ChallengeOption | String | Yes | The challenge action to execute. The values are as follows:<br>InterstitialChallenge: Interstitial challenge.<br>InlineChallenge: Embedded challenge.<br>JSChallenge: JavaScript challenge.<br>ManagedChallenge: Managed challenge. |
| Interval | String | No | Time interval for repeated challenges. This field is required when Name is InterstitialChallenge/InlineChallenge. Default value is 300s. Supported units are as follows:<br>s: seconds, value ranges from 1 to 60.<br>m: minutes, value ranges from 1 to 60.<br>h: hours, value ranges from 1 to 24. |
| AttesterId | String | No | Client authentication method ID. This field is required when Name is InterstitialChallenge/InlineChallenge. |

ClientAttestationRule

Client authentication rule
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Id | String | No | Rule ID of the client authentication rule.<br>Different rule configurations can be supported through the rule ID:<br>Add new rule: ID is empty or no specified ID parameter.<br>Modify existing rule: specify the rule ID to be updated/modified.<br>Delete existing rules: Existing rules not included in the ClientAttestationRule list of BotManagement parameters will be deleted. |
| Name | String | No | Name of the client authentication rule. |
| Enabled | String | No | Whether the rule is enabled. Values as follows:<br>on: Enable.<br>off: Disable. |
| Priority | Integer | No | Rule priority. A smaller value indicates higher priority execution, ranging from 0 to 100. Default is 0. |
| Condition | String | No | The rule content must comply with expression grammar. For details, refer to the product document. |
| AttesterId | String | No | Client authentication Option ID. |
| DeviceProfiles | Array of DeviceProfile | No | Client device configuration. If the DeviceProfiles parameter value is not specified in ClientAttestationRules: Keep the existing client device configuration and do not modify it. |
| InvalidAttestationAction | | No | Client authentication failed handling method. SecurityAction Name parameter supports:<br>Deny: Block.<br>Monitor: Monitor.<br>Redirect: Redirect.<br>Challenge: Challenge.<br>Default value: Monitor. |

ClientAttestationRules

Client authentication configuration.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Rules | | No | List of client authentication. Use ModifySecurityPolicy to modify Web protection configuration:<br>If the Rules parameter in SecurityPolicy.BotManagement.ClientAttestationRules is not specified or has a length of zero: Clear all client authentication rule configurations.<br>If the ClientAttestationRules parameter value is not specified in SecurityPolicy.BotManagement: Keep the existing client authentication rule configuration and do not modify it. |

ClientBehaviorDetection

Client behavior verification
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| CryptoChallengeIntensity | String | No | Proof-of-work verification intensity. Values:<br>low: Low.<br>medium: Medium.<br>high: High. |
| CryptoChallengeDelayBefore | String | No | Execution method for client behavior validation. Values:<br>0ms: Execute immediately.<br>100ms: Execute after a delay of 100ms.<br>200ms: Execute after a delay of 200ms.<br>300ms: Execute after a delay of 300ms.<br>400ms: Execute after a delay of 400ms.<br>500ms: Execute after a delay of 500ms.<br>600ms: Execute after a delay of 600ms.<br>700ms: Execute after a delay of 700ms.<br>800ms: Execute after a delay of 800ms.<br>900ms: Execute after a delay of 900ms.<br>1000ms: Execute after a delay of 1000ms. |
| MaxChallengeCountInterval | String | No | Time window for threshold-triggered statistics. Valid values:<br>5s: Within 5 seconds.<br>10s: Within 10 seconds.<br>15s: Within 15 seconds.<br>30s: Within 30 seconds.<br>60s: Within 60 seconds.<br>5m: Within 5 minutes.<br>10m: Within 10 minutes.<br>30m: Within 30 minutes.<br>60m: Within 60 minutes. |
| MaxChallengeCountThreshold | Integer | No | Cumulative quantity for threshold-triggered statistics. Valid range: 1 to 100000000. |
| ChallengeNotFinishedAction | | No | Execution action for when the client does not enable JS (detection not completed). Supported Name values for SecurityAction:<br>Deny: Block. Within DenyActionParameters, the Stall configuration is supported.<br>Monitor: Monitor.<br>Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured. |
| ChallengeTimeoutAction | | No | Execution action for when client detection times out. Supported Name values for SecurityAction:<br>Deny: Block. Within DenyActionParameters, the Stall configuration is supported.<br>Monitor: Monitor.<br>Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured. |
| BotClientAction | | No | Handling action for Bot clients. The Name of SecurityAction supports the following values:<br>Deny: Block. Within DenyActionParameters, the Stall configuration is supported.<br>Monitor: Monitor.<br>Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured. |

ClientFiltering

Intelligent client filtering.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Enabled | String | Yes | Whether intelligent client filtering is enabled. Values are as follows:<br>on: Enable.<br>off: Disable. |
| Id | String | No | The rule ID for intelligent client filtering, only returned as an output parameter. |
| Action | | No | The handling method of intelligent client filtering. This field is required when Enabled is on. SecurityAction Name supports:<br>Monitor: Monitor.<br>Deny: Block.<br>Challenge: Challenge. For the ChallengeActionParameters.Name parameter, only JSChallenge is supported. |

ClientIPCountryParameters

Carry regional information of the client IP in back-to-origin requests. The value format is ISO-3166-1 two-letter code.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Configuration switch, values as follows:<br>on: Enable.<br>off: Disable. |
| HeaderName | String | No | The request header name for storing regional information of the client IP. Valid when Switch=on. If empty, use the default value: EO-Client-IPCountry. |

ClientIPHeaderParameters

Configuration for storing client request IP address header information.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Configuration switch, values as follows:<br>on: Enable.<br>off: Disable. |
| HeaderName | String | No | The request header name containing client IP during origin pull. When Switch is on, this parameter is required. X-Forwarded-For cannot be filled in. |

CompressionParameters

Intelligent compression configuration.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | No | Intelligent compression configuration switch, values as follows:<br>on: Enable.<br>off: Disable. |
| Algorithms | Array of String | No | Supported compression algorithm list. When Switch is on, this field is required, otherwise it is ineffective. Values are as follows:<br>brotli: the brotli algorithm.<br>gzip: the gzip algorithm. |

ContentCompressionParameters

Content compression configuration.
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Switch | String | Yes | Content compression configuration switch, values as follows:<br>on: Enable.<br>off: Disable.<br>When the Switch is on, it simultaneously supports the brotli and gzip compression algorithms. |

CustomRule

Custom rules under the Web protection feature.
Name
Type
Required
Description
Name
String
Yes
Custom rule name.
Condition
String
Yes
The content of the custom rule must comply with expression grammar. For detailed specifications, refer to the product documentation.
Action
Yes
Execution action of the custom rule. Supported Name values for SecurityAction:
Deny: Block.
Monitor: Monitor.
ReturnCustomPage: Use the specified page to block.
Redirect: Redirect to URL.
BlockIP: IP block
JSChallenge: JavaScript challenge.
ManagedChallenge: Managed challenge.
Allow: pass.
Enabled
String
Yes
Whether the custom rule is enabled. Values as follows:
on: Enable
off: Disable
Id
String
No
Custom rule ID.
Different rule configurations can be supported through the rule ID:
Add new rule: ID is empty or no specified ID parameter.
Modify existing rule: specify the rule ID to be updated/modified.
Delete existing rules: Existing rules not included in the Rules list of CustomRules parameters will be deleted.
RuleType
String
No
Type of custom rule. Values include:
BasicAccessRule: basic access control
PreciseMatchRule: precise matching rule.
ManagedAccessRule: Expert-customized rule, output only.
Note: When RuleType is not specified, it defaults to PreciseMatchRule.
Priority
Integer
No
Priority of the custom rule, ranging from 0 to 100. Default is 0. Supported only for precise matching rules (PreciseMatchRule).

CustomRules

Custom rule structure for Web security
Name
Type
Required
Description
Rules
Array of CustomRule
No
Custom rule definition list.
Use ModifySecurityPolicy to modify Web protection configuration:
If the Rules parameter is not specified or has a length of zero: Clear all custom rule configurations.
If the CustomRules parameter value is not specified in SecurityPolicy: Keep the existing custom rule configuration and do not modify it.

CustomTime

Node cache TTL custom cache time parameter configuration.
Name
Type
Required
Description
Switch
String
No
Custom cache time switch, values are as follows:
on: Enable.
off: Disable.
IgnoreCacheControl
String
No
Ignore origin server CacheControl switch, values are as follows:
on: Enable.
off: Disable.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.
CacheTime
Integer
No
Custom cache time value in seconds, range: 0–315360000.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.

DefaultDenySecurityActionParameters

Default blocking action configuration. When a security rule is matched and triggers a blocking action, if the SecurityAction specifies only the Name as Deny and does not specify DenyActionParameters, the default parameter configuration defined here is matched and used based on the feature module dimension:
ManagedRules: Default blocking action configuration for managed rules.
OtherModules: Default blocking action configuration for security protection rules other than managed rules (custom rules, rate limiting, and Bot management features).
Name
Type
Required
Description
ManagedRules
No
Configuration for the default blocking and handling action of managed rules. Supported configuration parameters for DenyActionParameters:
ReturnCustomPage: Whether to use a custom page.
ResponseCode: The status code for a custom page.
ErrorPageId: The PageId for a custom page.
OtherModules
No
Configuration for the default blocking and handling action of security rules other than managed rules (including custom rules, rate limiting, and Bot Management features). Supported configuration parameters for DenyActionParameters:
ReturnCustomPage: Whether to use a custom page.
ResponseCode: The status code for a custom page.
ErrorPageId: The PageId for a custom page.

DenyActionParameters

Additional parameters used when the security action (SecurityAction) is Deny.
Name
Type
Required
Description
BlockIp
String
No
Whether to extend the ban on the source IP. Values as follows:
on: Enable.
off: Disable.
When enabled, the client IP that triggers the rule is blocked continuously. When this option is enabled, the BlockIpDuration parameter must also be specified.
Note: This option cannot be combined with the ReturnCustomPage or Stall option.
BlockIpDuration
String
No
The IP ban duration when BlockIp is on.
ReturnCustomPage
String
No
Whether to use a custom page. Values as follows:
on: Enable.
off: Disable.
When enabled, requests are blocked with the content of the custom page. When this option is enabled, the ResponseCode and ErrorPageId parameters must also be specified.
Note: This option cannot be combined with the BlockIp or Stall option.
ResponseCode
String
No
Status code of the custom page.
ErrorPageId
String
No
PageId of the custom page.
Stall
String
No
Whether to suspend the request source without processing. Values are as follows:
on: Enable.
off: Disable.
When enabled, requests in the current connection session are no longer answered and the connection is not actively closed. Used against crawlers to consume client connection resources.
Note: This option cannot be combined with the BlockIp or ReturnCustomPage option.
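The constraints in the table above can be checked before a version file is submitted. The following is an added example, not EdgeOne code: the function name is hypothetical, and the sample values for BlockIpDuration and ErrorPageId are constructed placeholders because this page does not give their formats.

```python
# Added example (not EdgeOne code): checks a DenyActionParameters object
# against the constraints stated in the DenyActionParameters table.

EXCLUSIVE_OPTIONS = ("BlockIp", "ReturnCustomPage", "Stall")
SWITCH_VALUES = ("on", "off")


def validate_deny_action_parameters(params):
    """Return a list of problems; an empty list means the object is consistent."""
    problems = []

    # Each of the three options is a switch that accepts only "on" or "off".
    for field in EXCLUSIVE_OPTIONS:
        value = params.get(field)
        if value is not None and value not in SWITCH_VALUES:
            problems.append(f"{field} must be 'on' or 'off', got {value!r}")

    # BlockIp, ReturnCustomPage and Stall cannot be combined with each other.
    enabled = [field for field in EXCLUSIVE_OPTIONS if params.get(field) == "on"]
    if len(enabled) > 1:
        problems.append("options cannot be combined: " + ", ".join(enabled))

    # BlockIp requires a ban duration.
    if params.get("BlockIp") == "on" and not params.get("BlockIpDuration"):
        problems.append("BlockIp is on but BlockIpDuration is missing")

    # ReturnCustomPage requires both the status code and the page ID.
    if params.get("ReturnCustomPage") == "on":
        for required in ("ResponseCode", "ErrorPageId"):
            if not params.get(required):
                problems.append(f"ReturnCustomPage is on but {required} is missing")

    return problems


# Constructed sample objects. "120s" and "<page-id>" are placeholders.
SAMPLE_OK = {"BlockIp": "on", "BlockIpDuration": "120s"}
SAMPLE_CONFLICT = {"BlockIp": "on", "Stall": "on"}
SAMPLE_INCOMPLETE_PAGE = {"ReturnCustomPage": "on", "ResponseCode": "403"}
SAMPLE_FULL_PAGE = {
    "ReturnCustomPage": "on",
    "ResponseCode": "403",
    "ErrorPageId": "<page-id>",
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_CONFLICT, SAMPLE_INCOMPLETE_PAGE, SAMPLE_FULL_PAGE):
        print(sample, "->", validate_deny_action_parameters(sample) or "ok")
```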

DeviceProfile

Client device configuration
Name
Type
Required
Description
ClientType
String
Yes
Client device type. Values as follows:
iOS;
Android;
WebView;
WeChatMiniProgram.
HighRiskMinScore
Integer
No
The minimum score at which a request is judged high-risk, ranging from 1 to 99. The larger the value, the higher the request risk and the more the request resembles one initiated by a Bot client. The default value is 50, corresponding to 51–100 as high-risk.
HighRiskRequestAction
No
Handling method for high-risk requests. SecurityAction Name parameter supports:
Deny: Block.
Monitor: Monitor.
Redirect: Redirect.
Challenge: Challenge.
Default value: Monitor.
MediumRiskMinScore
Integer
No
The minimum score at which a request is judged medium-risk, ranging from 1 to 99. The larger the value, the higher the request risk and the more the request resembles one initiated by a Bot client. The default value is 15, corresponding to 16–50 as medium-risk.
MediumRiskRequestAction
No
Handling method for medium-risk requests. SecurityAction Name parameter supports:
Deny: Block.
Monitor: Monitor.
Redirect: Redirect.
Challenge: Challenge.
Default value: Monitor.

ErrorPage

Custom error page
Name
Type
Required
Description
StatusCode
Integer
Yes
Status code. Support scope: 400, 403, 404, 405, 414, 416, 451, 500, 501, 502, 503, 504.
RedirectURL
String
Yes
Redirect URL. It must be a complete redirect path, such as https://www.test.com/error.html.

ErrorPageParameters

Custom error page configuration parameters.
Name
Type
Required
Description
ErrorPageParams
Array of ErrorPage
No
Custom error page configuration list.
Note: This field may return null, indicating no valid value.

ExceptionRule

Web security exception rule
Name
Type
Required
Description
Id
String
No
Exception rule ID.

Different rule configurations can be supported through the rule ID:

Add new rule: ID is empty or no specified ID parameter.
Modify existing rule: specify the rule ID to be updated/modified.
Delete existing rules: Existing rules not included in the Rules list of ExceptionRules parameters will be deleted.
Name
String
No
Exception rule name.
Condition
String
No
The exception rule content must comply with expression grammar. For details, refer to the product document.
SkipScope
String
No
Exception rule execution option, values are as follows:
WebSecurityModules: Designate security protection modules for the exception rule.
ManagedRules: Designate managed rules.
SkipOption
String
No
The type of request fields to skip, values are as follows:
SkipOnAllRequestFields: Skip all request fields;
SkipOnSpecifiedRequestFields: Skip specified request fields.
Valid when SkipScope is ManagedRules.
WebSecurityModulesForException
Array of String
No
Security protection module with specified exception rules. Valid when SkipScope is WebSecurityModules. Valid values:
websec-mod-managed-rules: managed rules;
websec-mod-rate-limiting: rate limit;
websec-mod-custom-rules: custom rule;
websec-mod-adaptive-control: adaptive frequency control, intelligent client filter, slow attack protection, traffic theft protection;
websec-mod-bot: bot management.
ManagedRulesForException
Array of String
No
Specific managed rules for designated exception rules. Valid only when SkipScope is ManagedRules, and at this point, you cannot specify ManagedRuleGroupsForException.
ManagedRuleGroupsForException
Array of String
No
Managed rule groups for exception rules. Valid only when SkipScope is ManagedRules, and at this point, you cannot specify ManagedRulesForException.
RequestFieldsForException
No
Specify exception rules to skip specific request fields. Valid only when SkipScope is ManagedRules and SkipOption is SkipOnSpecifiedRequestFields.
Enabled
String
No
Whether the exception rule is enabled. Values as follows:
on: Enable
off: Disable

ExceptionRules

Web security exception rule
Name
Type
Required
Description
Rules
Array of ExceptionRule
No
Definition list of exception rules. Use ModifySecurityPolicy to modify the Web protection configuration:
If the Rules parameter is not specified or has a length of zero: Clear all exception rule configurations.
If the ExceptionRules parameter value is not specified in SecurityPolicy: Keep the existing exception rule configuration and do not modify it.
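Because the Rules lists of CustomRules and ExceptionRules are applied as described above (a rule without an ID is added, a rule with an existing ID is modified, an existing rule left out of the list is deleted), an incomplete list silently removes protections. The following is an added example, not EdgeOne code, that computes the effect of a submission before it is sent. The function names and the rule IDs and names in the samples are constructed; flagging IDs that match no existing rule is this example's own choice, since the page does not say how they are handled.

```python
# Added example (not EdgeOne code). Rule IDs and names are constructed.

def plan_rule_changes(existing_rules, submitted):
    """Classify what a submitted CustomRules/ExceptionRules value would do.

    existing_rules: rules currently deployed, each a dict with an "Id".
    submitted: the structure about to be sent ({"Rules": [...]}), or None
               when the parameter is left out of SecurityPolicy entirely.
    """
    plan = {"add": [], "modify": [], "delete": [], "unknown_id": [], "unchanged": False}
    existing_ids = [rule["Id"] for rule in existing_rules]

    # Parameter not specified in SecurityPolicy: existing rules are kept.
    if submitted is None:
        plan["unchanged"] = True
        return plan

    # Rules missing or empty: every existing rule ends up in "delete" below.
    rules = submitted.get("Rules") or []
    kept = set()
    for rule in rules:
        rule_id = rule.get("Id")
        if not rule_id:
            plan["add"].append(rule.get("Name"))      # empty or absent ID: new rule
        elif rule_id in existing_ids:
            plan["modify"].append(rule_id)            # known ID: update in place
            kept.add(rule_id)
        else:
            plan["unknown_id"].append(rule_id)        # review before submitting

    # Any existing rule not present in the submitted list is deleted.
    plan["delete"] = [rule_id for rule_id in existing_ids if rule_id not in kept]
    return plan


def unexpected_deletes(plan, approved_deletes=()):
    """Return the deletions that nobody explicitly approved."""
    approved = set(approved_deletes)
    return [rule_id for rule_id in plan["delete"] if rule_id not in approved]


# Constructed sample data.
EXISTING = [
    {"Id": "rule-constructed-1", "Name": "block-admin-path"},
    {"Id": "rule-constructed-2", "Name": "geo-monitor"},
]
SUBMITTED = {
    "Rules": [
        {"Id": "rule-constructed-1", "Name": "block-admin-path", "Enabled": "on"},
        {"Name": "new-rule", "Enabled": "on"},
    ]
}

if __name__ == "__main__":
    plan = plan_rule_changes(EXISTING, SUBMITTED)
    print(plan)
    print("unapproved deletes:", unexpected_deletes(plan))
```

Running such a check in a deployment pipeline and failing on any unapproved deletion catches the case where a rule list was rebuilt from a partial export.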

FollowOrigin

Follow the origin site configuration for cache.
Name
Type
Required
Description
Switch
String
Yes
Follow the origin site configuration switch, values as follows:
on: Enable.
off: Disable.
DefaultCache
String
No
Cache/no-cache switch when the origin server does not return a Cache-Control header. When Switch is on, this field is required. When Switch is off, no need to specify this field. If filled, it does not take effect. Values are as follows:
on: Cache.
off: Do not cache.
DefaultCacheStrategy
String
No
Use/do not use default caching policy switch when the origin server does not return a Cache-Control header. When DefaultCache is on, this field is required, otherwise it is ineffective. When DefaultCacheTime is not 0, this field must be off. Values are as follows:
on: Use default caching policy.
off: Do not use default caching policy.
DefaultCacheTime
Integer
No
Default cache time in seconds when the origin server does not return a Cache-Control header. Value range: 0-315360000. When DefaultCache is on, this field is required, otherwise it is ineffective. When DefaultCacheStrategy is on, this field must be 0.

ForceRedirectHTTPSParameters

Access protocol forced HTTPS redirect configuration.
Name
Type
Required
Description
Switch
String
No
Access forced redirection configuration switch, values as follows:
on: Enable.
off: Disable.
RedirectStatusCode
Integer
No
Redirection status code. When Switch is on, this field is required, otherwise it is ineffective. Values are as follows:
301: 301 redirect.
302: 302 redirect.

FrequentScanningProtection

High-frequency scan protection configuration options. When a visitor's frequent requests hit a managed rule configured for interception, all requests from that visitor will be blocked within a period of time.
Name
Type
Required
Description
Enabled
String
No
Whether the high-frequency scan protection rule is enabled. Values are as follows:
on: Enable high frequency scan protection rule to take effect.
off: Disable high frequency scan protection rule.
Id
String
No
The rule ID of high-frequency scan protection, only returned in output.
Action
No
Handling action for high-frequency scan protection. This field is required when Enabled is on. SecurityAction Name supports:
Deny: Block and respond with an interception page.
Monitor: Observe without processing requests, record security events in logs.
JSChallenge: JavaScript challenge, respond with a JavaScript challenge page.
CountBy
String
No
Request statistics match mode. This field is required when Enabled is on. Values are as follows:
http.request.xff_header_ip: Client IP (the XFF header is matched first);
http.request.ip: client IP.
BlockThreshold
Integer
No
Threshold for high-frequency scan protection: the cumulative number of interceptions by managed rules configured to block, counted within the time range set by CountingPeriod. The value ranges from 1 to 4294967294, such as 100. When this count is exceeded, subsequent requests trigger the handling action set by Action. This field is required when Enabled is on.
CountingPeriod
String
No
Statistical time window for high-frequency scan protection: the window in which requests that hit managed rules configured to block are counted. The value ranges from 5 to 1800, and only seconds (s) are supported as the unit, such as 5s. This field is required when Enabled is on.
ActionDuration
String
No
Duration for which the handling action set by the Action parameter is applied. The value ranges from 60 to 86400, and only seconds (s) are supported as the unit, such as 60s. This field is required when Enabled is on.
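The field constraints of FrequentScanningProtection (required fields when Enabled is on, allowed action names and CountBy values, numeric ranges, seconds-only units) lend themselves to a pre-submission check. The following is an added example, not EdgeOne code; the function names are hypothetical and the sample objects are constructed.

```python
# Added example (not EdgeOne code): validates a FrequentScanningProtection
# object against the ranges and requirements listed in the table above.
import re

ALLOWED_ACTION_NAMES = ("Deny", "Monitor", "JSChallenge")
ALLOWED_COUNT_BY = ("http.request.xff_header_ip", "http.request.ip")
REQUIRED_WHEN_ENABLED = (
    "Action", "CountBy", "BlockThreshold", "CountingPeriod", "ActionDuration",
)


def parse_seconds(value):
    """Return the integer from a '<digits>s' string, or None if malformed."""
    match = re.fullmatch(r"(\d+)s", value) if isinstance(value, str) else None
    return int(match.group(1)) if match else None


def check_duration(cfg, field, low, high, problems):
    """Append a problem if cfg[field] is present but malformed or out of range."""
    if field not in cfg:
        return
    seconds = parse_seconds(cfg[field])
    if seconds is None:
        problems.append(f"{field} must be seconds such as '{low}s', got {cfg[field]!r}")
    elif not low <= seconds <= high:
        problems.append(f"{field} must be between {low}s and {high}s, got {cfg[field]!r}")


def validate_frequent_scanning_protection(cfg):
    """Return a list of problems; an empty list means the object is valid."""
    problems = []
    enabled = cfg.get("Enabled")
    if enabled not in (None, "on", "off"):
        problems.append(f"Enabled must be 'on' or 'off', got {enabled!r}")
    if enabled != "on":
        return problems  # the other fields are only required when Enabled is on

    for field in REQUIRED_WHEN_ENABLED:
        if field not in cfg:
            problems.append(f"{field} is required when Enabled is on")

    if "Action" in cfg:
        action = cfg["Action"]
        name = action.get("Name") if isinstance(action, dict) else None
        if name not in ALLOWED_ACTION_NAMES:
            problems.append(f"Action.Name must be one of {ALLOWED_ACTION_NAMES}, got {name!r}")

    if "CountBy" in cfg and cfg["CountBy"] not in ALLOWED_COUNT_BY:
        problems.append(f"CountBy must be one of {ALLOWED_COUNT_BY}, got {cfg['CountBy']!r}")

    if "BlockThreshold" in cfg:
        threshold = cfg["BlockThreshold"]
        is_int = isinstance(threshold, int) and not isinstance(threshold, bool)
        if not is_int or not 1 <= threshold <= 4294967294:
            problems.append(f"BlockThreshold must be an integer from 1 to 4294967294, got {threshold!r}")

    check_duration(cfg, "CountingPeriod", 5, 1800, problems)
    check_duration(cfg, "ActionDuration", 60, 86400, problems)
    return problems


# Constructed sample objects.
SAMPLE_VALID = {
    "Enabled": "on",
    "Action": {"Name": "Deny"},
    "CountBy": "http.request.ip",
    "BlockThreshold": 100,
    "CountingPeriod": "60s",
    "ActionDuration": "600s",
}
SAMPLE_INVALID = {
    "Enabled": "on",
    "Action": {"Name": "Redirect"},   # not a supported action for this feature
    "CountBy": "http.request.ip",
    "BlockThreshold": 0,              # below the minimum of 1
    "CountingPeriod": "5m",           # only seconds are supported
    "ActionDuration": "30s",          # below the minimum of 60
}

if __name__ == "__main__":
    for sample in (SAMPLE_VALID, SAMPLE_INVALID):
        print(validate_frequent_scanning_protection(sample) or "ok")
```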

GrpcParameters

gRPC configuration item.
Name
Type
Required
Description
Switch
String
No
gRPC configuration switch, values as follows:
on: Enable.
off: Disable.

HeaderAction

HTTP header setting rule.
Name
Type
Required
Description
Action
String
Yes
HTTP header setting method. Values are as follows:
set: Set. Update the specified header to the configured value.
del: Delete. Remove the specified header parameter.
add: Add. Add the specified header parameter.
Name
String
Yes
HTTP header name.
Value
String
No
HTTP header value. This parameter is required when Action is set or add; not required when Action is del.

HostHeaderParameters

Host Header rewrite config
Name
Type
Required
Description
Action
String
No
Execution action. The values are as follows:
followOrigin: Follow source site domain.
custom: Custom.
ServerName
String
No
Host Header rewrite, need to fill in complete domain name.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.

HostName

Access URL redirection HostName configuration parameters.
Name
Type
Required
Description
Action
String
No
Target HostName configuration. Values are as follows:
follow: Follow request.
custom: Custom.
Value
String
No
Target HostName custom value, maximum length 1024.
Note: This field is required when Action is custom. When Action is follow, it is ineffective.

HostPolicy

Domain policy binding configuration defines the type of security policy and its corresponding content for a single domain.
Configuration Field
Type
Required
Description
Host
String
Yes
The domain name to which the security policy is applied. It must be a domain name that has been added under the current site.
PolicyType
String
Yes
The policy type used by the domain name, which determines the source of the policy configuration. Values as follows:
ZoneDefault: Use the site-level default policy, which is the policy configuration defined in WebSecurity.ZoneDefaultPolicy. In this case, the Policy and TemplateId fields are invalid.
Custom: Use a domain-level custom policy. In this case, you must also configure the Policy field to specify the independent policy configuration for this domain.
Template: Use a policy template. In this case, you must also configure the TemplateId field to specify the policy template ID bound to this domain.
Policy
No
The domain-level custom policy configuration. It is valid and required only when PolicyType is Custom. This configuration takes effect only for the current domain.
TemplateId
String
No
The ID of the policy template bound to the domain name. It is valid and required only when PolicyType is Template. The template must have been defined in the WebSecurity.Templates list.

Note: When referencing a policy template across sites, append the target site ID after the template ID using the "@" separator, in the format {TemplateId}@{ZoneId}.

HSTSParameters

HSTS configuration parameters.
Name
Type
Required
Description
Switch
String
No
HSTS configuration switch, values as follows:
on: Enable.
off: Disable.
Timeout
Integer
No
Cache time of the HSTS header in seconds, range: 1-31536000.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.
IncludeSubDomains
String
No
Whether to allow other subdomains to inherit the same HSTS header, values as follows:
on: Allow other subdomains to inherit the same HSTS header.
off: Do not allow other subdomains to inherit the same HSTS header.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.
Preload
String
No
Whether to allow the browser to preload HSTS header, values are as follows:
on: Allow the browser to preload HSTS header.
off: Do not allow the browser to preload HSTS header.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.

HTTP2Parameters

HTTP2 access configuration parameters.
Name
Type
Required
Description
Switch
String
No
HTTP2 access configuration switch, values are as follows:
on: Enable.
off: Disable.

HttpDDoSProtection

HTTP Anti-DDoS configuration.
Name
Type
Required
Description
AdaptiveFrequencyControl
No
Specific configuration of adaptive frequency control.
ClientFiltering
No
Specific configuration of intelligent client filter.
BandwidthAbuseDefense
No
Specific configuration of bandwidth abuse protection.
SlowAttackDefense
No
Specific configuration of slow attack protection.

HTTPResponseParameters

HTTP response configuration parameters.
Name
Type
Required
Description
StatusCode
Integer
No
Response status code. Support 2XX, 4XX, 5XX, excluding 499, 514, 101, 301, 302, 303, 509, 520-599.
ResponsePage
String
No
Response page ID.

HTTPUpstreamTimeoutParameters

Layer 7 origin pull timeout configuration.
Name
Type
Required
Description
ResponseTimeout
Integer
No
HTTP response timeout, in seconds, value: 5–600.

IPReputation

IP Intelligence Database (formerly Client Profile Analytics) configuration.
Name
Type
Required
Description
Enabled
String
No
IP threat intelligence library (formerly client Profile Analytics). Valid values are:
on: Enable.
off: Disable.
IPReputationGroup
No
Specific configuration content of the IP threat intelligence library (formerly client Profile Analytics).

IPReputationGroup

Specific configuration for the IP Intelligence Database (formerly Client Profile Analytics).
Name
Type
Required
Description
BaseAction
No
The execution action for the IP threat intelligence library (formerly client Profile Analytics). The Name field of SecurityAction supports the following values:
Deny: Block.
Monitor: Monitor.
Disabled: Not enabled, disable specified rule.
Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.
BotManagementActionOverrides
No
The specific configuration of the IP threat intelligence library (formerly client Profile Analytics), used to override the default configuration in BaseAction. The Ids field of BotManagementActionOverrides can be filled with the following values:
IPREP_WEB_AND_DDOS_ATTACKERS_LOW: Network Attack - General Confidence.
IPREP_WEB_AND_DDOS_ATTACKERS_MID: Network Attack - Medium Confidence.
IPREP_WEB_AND_DDOS_ATTACKERS_HIGH: Network Attack - High Confidence.
IPREP_PROXIES_AND_ANONYMIZERS_LOW: Network Proxy - General Confidence.
IPREP_PROXIES_AND_ANONYMIZERS_MID: Network Proxy - Medium Confidence.
IPREP_PROXIES_AND_ANONYMIZERS_HIGH: Network Proxy - High Confidence.
IPREP_SCANNING_TOOLS_LOW: Scanner - General Confidence.
IPREP_SCANNING_TOOLS_MID: Scanner - Medium Confidence.
IPREP_SCANNING_TOOLS_HIGH: Scanner - High Confidence.
IPREP_ATO_ATTACKERS_LOW: Account Takeover Attack - General Confidence.
IPREP_ATO_ATTACKERS_MID: Account Takeover Attack - Medium Confidence.
IPREP_ATO_ATTACKERS_HIGH: Account Takeover Attack - High Confidence.
IPREP_WEB_SCRAPERS_AND_TRAFFIC_BOTS_LOW: Malicious BOT - General Confidence.
IPREP_WEB_SCRAPERS_AND_TRAFFIC_BOTS_MID: Malicious BOT - Medium Confidence.
IPREP_WEB_SCRAPERS_AND_TRAFFIC_BOTS_HIGH: Malicious BOT - High Confidence.

IPv6Parameters

IPv6 access configuration.
Name
Type
Required
Description
Switch
String
No
IPv6 access feature configuration, values as follows:
on: Enable IPv6 access feature.
off: Disable IPv6 access feature.

KnownBotCategories

Configuration for commercial or open-source tool UA signatures (formerly known as UA signature rules).
Name
Type
Required
Description
BaseAction
No
Handling method for access requests from known commercial tools or open-source tools. The Name parameter of SecurityAction supports:
Deny: Block.
Monitor: Monitor.
Disabled: Not enabled, disable specified rule.
Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.
Allow: Pass (to be deprecated).
BotManagementActionOverrides
No
Specifies the handling method for access requests from known commercial tools or open-source tools.

ManagedRuleAction

Managed rule configuration
Name
Type
Required
Description
RuleId
String
Yes
Specific items under the managed rule group, used to rewrite the configuration content of this single rule. Refer to product documentation.
Action
Yes
Specify the handling action for the managed rule item in RuleId. Supported Name values for SecurityAction:
Deny: Block and respond with an interception page.
Monitor: Observe without processing requests, record security events in logs.
Disabled: Not enabled. Requests are not scanned and the rule is skipped.

ManagedRuleAutoUpdate

Managed rule automatic update option
Name
Type
Required
Description
AutoUpdateToLatestVersion
String
Yes
Whether automatic update to the latest version is enabled. Values are as follows:
on: Enable
off: Disable
RulesetVersion
String
No
Currently used version, format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z, empty by default, output only.

ManagedRuleDetail

Managed rule detail
Name
Type
Required
Description
RuleId
String
No
Managed rule Id
RiskLevel
String
No
Protection level of managed rule. Values are as follows:
low: Low risk. The rule poses lower risk and is suitable for access scenarios under strict control. Rules at this level may cause considerable false alarms.
medium: Medium risk. The rule poses normal risk and applies to strict protection scenarios.
high: High risk. The rule poses relatively high risk and will not generate false alarms in most scenarios.
extreme: Ultra-high risk. The rule poses extremely high risk and will not generate false alarms.
Description
String
No
Rule description.
Tags
Array of String
No
Rule tag. Some types of rules do not have tags.
RuleVersion
String
No
Version that the rule belongs to.

ManagedRuleGroup

Managed rule group configuration.
Name
Type
Required
Description
GroupId
String
Yes
The group name of the managed rule. Unspecified configuration rules will be processed based on the default configuration. Refer to product documentation for the specific value of GroupId.
SensitivityLevel
String
Yes
Protection level of the managed rule group. Values are as follows:
loose: Loose, includes only ultra-high risk rules. In this mode, you must configure Action, and RuleActions configuration is invalid.
normal: Normal, includes ultra-high risk and high-risk rules. In this mode, you must configure Action, and RuleActions configuration is invalid.
strict: Strict, includes ultra-high risk, high-risk, and medium-risk rules. In this mode, you must configure Action, and RuleActions configuration is invalid.
extreme: Ultra-strict, includes ultra-high risk, high-risk, medium-risk, and low-risk rules. In this mode, you must configure Action, and RuleActions configuration is invalid.
custom: Custom, a granular policy. Configure handling methods per rule. In this mode, the Action field is invalid. Use RuleActions to configure the granular policy for individual rules.
Action
Yes
Handling actions for the managed rule group. Supported Name values for SecurityAction:
Deny: Block and respond with an interception page.
Monitor: Observe without processing requests, record security events in logs.
Disabled: Not enabled. Requests are not scanned and the rule is skipped.
RuleActions
No
Configuration of rule items under the managed rule group takes effect only when SensitivityLevel is set to custom.
MetaData
No
Information of the managed rule group, only returned in output.

ManagedRuleGroupMeta

Managed rule group information
Name
Type
Required
Description
GroupDetail
String
No
Managed rule group description, only returned in output.
GroupName
String
No
Managed rule group name, only returned in output.
RuleDetails
No
Information of all sub-rules under the current managed rule group, only returned in output.

ManagedRules

Web Security Managed Rules
Name
Type
Required
Description
Enabled
String
Yes
Whether the managed rule is enabled. Values as follows:
on: Enabled. All managed rules take effect as configured.
off: Disabled. All managed rules are disabled.
DetectionOnly
String
Yes
Whether the evaluation mode is enabled. Valid when the Enabled parameter is on. Values are as follows:
on: Enabled. All managed rules take effect in observation mode.
off: Disabled. All managed rules take effect with their actual configuration.
SemanticAnalysis
String
No
Whether the semantic analysis option for managed rules is enabled. Valid when the Enabled parameter is on. Values are as follows:
on: Enabled. Perform semantic analysis on the request and then process it.
off: Disabled. Skip semantic analysis and process the request directly.

Default off.
AutoUpdate
No
Managed rule automatic update option.
ManagedRuleGroups
No
Configuration of managed rule groups. If this structure passes an empty array or GroupId is not included in the list, it will be handled based on the default method.
FrequentScanningProtection
No
High-frequency scan protection configuration options. When a visitor's frequent requests hit a managed rule configured for interception, all requests from that visitor will be blocked within a period of time.

MaxAgeParameters

Browser cache TTL config.
Name
Type
Required
Description
FollowOrigin
String
No
Follow the origin server Cache-Control switch, values as follows:
on: follow the origin site, ignore CacheTime time setting.
off: do not follow the origin site, use CacheTime time setting.
CacheTime
Integer
No
Custom cache time value in seconds, range: 0–315360000.
Note: When FollowOrigin is off, it means not following the origin server and using CacheTime to set the cache time, otherwise it is ineffective.

MaxNewSessionTriggerConfig

The trigger threshold for verification in Bot management.
Name
Type
Required
Description
MaxNewSessionCountInterval
String
No
Time window for threshold-triggered statistics. Valid values:
5s: Within 5 seconds;
10s: Within 10 seconds;
15s: Within 15 seconds;
30s: Within 30 seconds;
60s: Within 60 seconds;
5m: Within 5 minutes;
10m: Within 10 minutes;
30m: Within 30 minutes;
60m: Within 60 minutes.
MaxNewSessionCountThreshold
Integer
No
Cumulative quantity for threshold-triggered statistics. Valid range: 1 to 100000000.

MinimalRequestBodyTransferRate

Minimum Body Transfer Rate threshold configuration.
Name
Type
Required
Description
MinimalAvgTransferRateThreshold
String
Yes
Minimum Body Transfer Rate threshold. Only bps is supported as the unit.
CountingPeriod
String
Yes
Statistical time range for Minimum Body Transfer Rate, values are as follows:
10s: 10 seconds
30s: 30 seconds
60s: 60 seconds
120s: 120 seconds
Enabled
String
Yes
Whether the Minimum Body Transfer Rate threshold is enabled. Values are as follows:
on: Enable.
off: Disable.

ModifyOriginParameters

Modify origin server configuration parameters.
Name
Type
Required
Description
OriginType
String
No
Origin server type. Values as follows:
IPDomain: IPv4, IPv6, or domain name type origin server;
OriginGroup: Origin server group type origin server;
LoadBalance: Load balancing. This feature is in beta test. If needed, submit a ticket;
COS: Tencent Cloud Object Storage (COS) origin server;
AWSS3: All object storage origin servers that support the AWS S3 protocol.
Origin
String
No
Origin server address is divided into following scenarios based on OriginType value.

When OriginType = IPDomain, specify this parameter as an IPv4 address, IPv6 address, or domain name.
When OriginType = COS, specify this parameter as the cos bucket access domain;
When OriginType = AWSS3, specify this parameter as the S3 bucket access domain;
When OriginType = OriginGroup, specify this parameter as the origin server group ID. When it is an output parameter and references an origin server group from another site, the format is {origin server group ID}@{ZoneID}. For example: og-testorigin@zone-38moq1z10wwwy;
When OriginType = LoadBalance, specify this parameter as the CLB instance ID. This feature is currently available only to the allowlist. When it is an output parameter and references a CLB from another site, the format is {CLB ID}@{ZoneID}. For example: lb-2rxpamcyqfzg@zone-38moq1z10wwwy.
OriginProtocol
String
No
Protocol configuration for origin request. This parameter is required when OriginType value is IPDomain, OriginGroup, or LoadBalance. Valid values:

http: use HTTP protocol;
https: use HTTPS protocol;
follow: follow protocol.
HTTPOriginPort
Integer
No
HTTP origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is http or follow.
HTTPSOriginPort
Integer
No
HTTPS origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is https or follow.
PrivateAccess
String
No
Whether access to the private Cloud Object Storage origin server is allowed. This parameter is required when the origin server type OriginType = COS or AWSS3. Valid values:

on: enable private authentication;
off: Do not use private authentication.
PrivateParameters
No
Private authentication parameter. This parameter is valid only when OriginType = AWSS3 and PrivateAccess = on.
Note: This field may return null, indicating no valid value.

ModifyRequestHeaderParameters

Modify HTTP back-to-origin request header configuration.
Name
Type
Required
Description
HeaderActions
Array of HeaderAction
No
HTTP header setting rule list.
Note: This field may return null, indicating no valid value.

ModifyResponseHeaderParameters

Modify HTTP node response header configuration.
Name
Type
Required
Description
HeaderActions
Array of HeaderAction
No
HTTP origin-pull header rule list.
Note: This field may return null, indicating no valid value.

NetworkErrorLoggingParameters

Network error log recording configuration items.
Name
Type
Required
Description
Switch
String
No
Network error log configuration switch, values are as follows:
on: Enable.
off: Disable.

NoCache

No cache configuration
Name
Type
Required
Description
Switch
String
Yes
No cache configuration switch, values as follows:
on: Enable.
off: Disable.

OCSPStaplingParameters

OCSP stapling configuration parameters.
Name
Type
Required
Description
Switch
String
No
OCSP stapling configuration switch, values as follows:
on: Enable.
off: Disable.

OfflineCacheParameters

Whether offline cache is enabled.
Name
Type
Required
Description
Switch
String
No
Offline cache switch, values as follows:
on: Enable.
off: Disable.

OriginAuthenticationParameters

Origin authentication parameters.
Name
Type
Required
Description
RequestProperties
Yes
Origin authentication request properties.

OriginAuthenticationRequestProperties

Origin authentication request attributes.
Name
Type
Required
Description
Type
String
Yes
Authentication parameter type for origin authentication. Valid values:
QueryString: Indicates that the origin authentication parameter type is set to query string.
Header: Indicates that the origin authentication parameter type is set to request header.
Name
String
Yes
Parameter name for the origin authentication type.
Value
String
Yes
Parameter value for the origin authentication type.

OriginPrivateParameters

COS origin server private authentication parameter.
Name
Type
Required
Description
AccessKeyId
String
Yes
Access Key ID.
SecretAccessKey
String
Yes
Secret Access Key.
SignatureVersion
String
Yes
Authentication version. Valid values:
v2: v2 version.
v4: v4 version.
Region
String
No
bucket region

OriginPullProtocolParameters

HTTPS back-to-origin configuration parameters.
Name
Type
Required
Description
Protocol
String
No
Origin-pull protocol configuration, values as follows:
http: use HTTP protocol for origin retrieval.
https: use HTTPS protocol for origin retrieval.
follow: follow protocol.

PostMaxSizeParameters

POST request upload file streaming transmission maximum limit.
Name
Type
Required
Description
Switch
String
No
Whether to enable the file upload size limit for POST requests, in bytes. The platform default limit is 32 * 2^20 bytes. Values are as follows:
on: Enable limitation.
off: Disable limit.
MaxSize
Integer
No
Maximum limit for file streaming transmission in POST requests. This field is valid only when Switch is on, with a value between 1MB and 800MB in bytes.

QUICParameters

QUIC configuration item.
Name
Type
Required
Description
Switch
String
No
QUIC configuration switch, values as follows:
on: Enable.
off: Disable.

RangeOriginPullParameters

Range-based origin pull configuration parameters.
Name
Type
Required
Description
Switch
String
No
Range-based origin pull switch, values as follows:

on: Enable.
off: Disable.

RateLimitingRule

Specific rate limit configuration.
Name
Type
Required
Description
Id
String
No
Precise rate limit ID.

Different rule configurations can be supported through the rule ID:

Add a new rule: leave the ID empty or omit the Id parameter.
Modify existing rule: specify the rule ID to be updated/modified.
Delete existing rules: Existing rules not included in the Rules list of RateLimitingRules parameters will be deleted.
Name
String
No
Name of the precise rate limit.
Condition
String
No
The content of the precise rate limit must comply with expression grammar. For details, refer to the product document.
Mode
String
No
Rate limiting method. Within the statistical time window CountingPeriod, the following rate limiting methods can be configured for requests that meet the CountBy feature:
Block: Block the access source. When the count exceeds the threshold MaxRequestThreshold, the system performs the Action on all subsequent requests that meet the criteria for the duration of ActionDuration.
Throttle: Only handle excess requests. When the number of requests exceeds the threshold MaxRequestThreshold, the system performs the Action only on requests that exceed the threshold and stops handling them after the window ends. In this case, the ActionDuration parameter is ignored.

Default value: Block.
CountBy
Array of String
No
Rate threshold request feature match mode. This field is required when Enabled is on.


When multiple conditions are given, they are combined into a composite condition for counting. A maximum of 5 conditions is supported. Valid values:

http.request.ip: client IP;
http.request.xff_header_ip: client IP (the XFF header is matched first);
http.request.uri.path: request access path;
http.request.cookies['session']: Cookie named 'session', where 'session' can be replaced with a user-specified parameter;
http.request.headers['user-agent']: HTTP header named 'user-agent', where 'user-agent' can be replaced with a user-specified parameter;
http.request.ja3: JA3 fingerprint of the request;
http.request.uri.query['test']: URL query parameter named 'test', where 'test' can be replaced with a user-specified parameter.
MaxRequestThreshold
Integer
No
Precise rate limiting intercept count within the specified time range. The value ranges from 1 to 100000.
CountingPeriod
String
No
Statistical time window. Valid values:
1s: 1 second
5s: 5 seconds;
10s: 10 seconds;
20s: 20 seconds;
30s: 30 seconds;
40s: 40 seconds;
50s: 50 seconds;
1m: 1 minute;
2m: 2 minutes;
5m: 5 minutes;
10m: 10 minutes;
1h: 1 hour.
ActionDuration
String
No
Duration of Action. Supported measurement units:
s: seconds, value ranges from 1 to 120.
m: minutes, value ranges from 1 to 120.
h: hours, value ranges from 1 to 48.
d: days, value ranges from 1 to 30.
When Mode is Throttle, this parameter is ignored and does not take effect.
Action
No
Precision rate limiting handling method. Valid values:
Monitor: Monitor.
Deny: Block. Within DenyActionParameters, the Name parameter supports Deny and ReturnCustomPage.
Challenge: Challenge. Within ChallengeActionParameters, the Name parameter supports JSChallenge and ManagedChallenge.
Redirect: Redirect to URL.
Priority
Integer
No
Priority of precision rate limiting, ranging from 0 to 100. Default is 0.
Enabled
String
No
Precision rate limiting rule is enabled or not. Valid values:
on: Enable.
off: Disable.
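
The constraints in the RateLimitingRule table can be checked before a version file is imported. The following Python linter is an added example, not EdgeOne's own code: the function name and sample rules are constructed here, and it assumes Action is an object carrying a Name field, as in SecurityAction.

```python
import re

MODES = {"Block", "Throttle"}
ACTION_NAMES = {"Monitor", "Deny", "Challenge", "Redirect"}
COUNTING_PERIODS = {"1s", "5s", "10s", "20s", "30s", "40s", "50s",
                    "1m", "2m", "5m", "10m", "1h"}
DURATION_MAX = {"s": 120, "m": 120, "h": 48, "d": 30}  # upper bound per unit
FIXED_FEATURES = {"http.request.ip", "http.request.xff_header_ip",
                  "http.request.uri.path", "http.request.ja3"}
# Features that take a user-chosen name: cookies['x'], headers['x'], uri.query['x'].
KEYED_FEATURE = re.compile(
    r"http\.request\.(?:cookies|headers|uri\.query)\['[^']+'\]")
DURATION = re.compile(r"(\d+)([smhd])")


def _int_between(value, low, high):
    return type(value) is int and low <= value <= high


def validate_rate_limiting_rule(rule):
    """Check one RateLimitingRule dict; return (errors, warnings)."""
    errors, warnings = [], []

    enabled = rule.get("Enabled", "off")
    if enabled not in ("on", "off"):
        errors.append("Enabled must be 'on' or 'off'")

    mode = rule.get("Mode", "Block")  # Block is the documented default
    if mode not in MODES:
        errors.append(f"Mode {mode!r} must be Block or Throttle")

    count_by = rule.get("CountBy") or []
    if enabled == "on" and not count_by:
        errors.append("CountBy is required when Enabled is on")
    if len(count_by) > 5:
        errors.append("CountBy accepts at most 5 conditions")
    for feature in count_by:
        if feature not in FIXED_FEATURES and not KEYED_FEATURE.fullmatch(feature):
            errors.append(f"CountBy value {feature!r} is not a listed feature")

    if "MaxRequestThreshold" in rule and not _int_between(
            rule["MaxRequestThreshold"], 1, 100000):
        errors.append("MaxRequestThreshold must be an integer from 1 to 100000")

    period = rule.get("CountingPeriod")
    if period is not None and period not in COUNTING_PERIODS:
        errors.append(f"CountingPeriod {period!r} is not a listed window")

    duration = rule.get("ActionDuration")
    if duration is not None:
        match = DURATION.fullmatch(str(duration))
        if not match or not 1 <= int(match.group(1)) <= DURATION_MAX[match.group(2)]:
            errors.append(f"ActionDuration {duration!r} is out of range")
        elif mode == "Throttle":
            warnings.append("ActionDuration is ignored when Mode is Throttle")

    # Assumption: Action is a SecurityAction-style object carrying a Name field.
    action_name = (rule.get("Action") or {}).get("Name")
    if action_name is not None and action_name not in ACTION_NAMES:
        errors.append(f"Action.Name {action_name!r} is not supported here")

    if "Priority" in rule and not _int_between(rule["Priority"], 0, 100):
        errors.append("Priority must be an integer from 0 to 100")

    return errors, warnings


# Constructed sample rules (not taken from the page).
GOOD_RULE = {
    "Name": "login-burst", "Mode": "Block", "Enabled": "on", "Priority": 50,
    "CountBy": ["http.request.ip", "http.request.headers['user-agent']"],
    "MaxRequestThreshold": 100, "CountingPeriod": "1m",
    "ActionDuration": "10m", "Action": {"Name": "Deny"},
}
BAD_RULE = {
    "Mode": "Throttle", "Enabled": "on",
    "CountBy": ["http.request.ip", "http.request.body"],
    "MaxRequestThreshold": 0, "CountingPeriod": "15s",
    "ActionDuration": "72h", "Action": {"Name": "Allow"},
}
THROTTLE_RULE = dict(GOOD_RULE, Mode="Throttle", ActionDuration="30s")

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE),
                       ("throttle", THROTTLE_RULE)):
        print(name, validate_rate_limiting_rule(rule))
```

The Throttle warning matters operationally: a rule copied from Block mode keeps its ActionDuration, but offending clients are no longer penalized after the counting window ends.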

RateLimitingRules

Precision rate limiting configuration
Name
Type
Required
Description
Rules
No
Definition list of precision rate limiting. Use ModifySecurityPolicy to modify Web protection configuration:
If the Rules parameter is not specified or has a length of zero: Clear all precision rate limiting configurations.
If the RateLimitingRules parameter value is not specified in SecurityPolicy: Keep the existing custom rule configuration and do not modify it.

RedirectActionParameters

Web security redirect additional parameter
Name
Type
Required
Description
URL
String
Yes
The URL for redirection.

RequestBodyTransferTimeout

Body transfer timeout duration configuration.
Name
Type
Required
Description
IdleTimeout
String
Yes
Body transfer timeout duration. The value ranges from 5 to 120, and only seconds (s) are supported as the unit.
Enabled
String
Yes
Whether body transfer timeout is enabled. Valid values:
on: Enable.
off: Disable.

RequestFieldsForException

Skip field configuration in exception rule
Name
Type
Required
Description
Scope
String
Yes
Skip specific field. Supported values:


body.json: parameter content in JSON requests. At this point, Condition supports key and value, TargetField supports key and value, such as {"Scope": "body.json", "Condition": "", "TargetField": "key"}, which means ALL parameters in JSON requests skip WAF scan.

cookie: Cookie. At this point, Condition supports key and value, TargetField supports key and value, such as {"Scope": "cookie", "Condition": "${key} in ['account-id'] and ${value} like ['prefix-']", "TargetField": "value"}, which means cookie parameter name equals account-id and parameter value wildcard matches prefix- skip WAF scan.

header: HTTP header parameters. At this point, Condition supports key and value, TargetField supports key and value, such as {"Scope": "header", "Condition": "${key} like ['x-auth-']", "TargetField": "value"}, which means header parameter name wildcard matches x-auth- skip WAF scan.

uri.query: URL encoded content/query parameters. At this point, Condition supports key and value, TargetField supports key and value, such as {"Scope": "uri.query", "Condition": "${key} in ['action'] and ${value} in ['upload', 'delete']", "TargetField": "value"}, which means URL encoded content/query parameter name equals action and parameter value equals upload or delete skip WAF scan.

uri: Request path URI. At this point, Condition must be empty, TargetField supports query, path, and fullpath, such as {"Scope": "uri", "Condition": "", "TargetField": "query"}, which indicates the request path URI only skips WAF scan for query parameters.

body: Request body content. At this point, Condition must be empty, TargetField supports fullbody and multipart, such as {"Scope": "body", "Condition": "", "TargetField": "fullbody"}, which indicates the request body content is the full request body and skips WAF scan.
Condition
String
Yes
Expression for the specific field to skip. It must comply with the expression grammar.


Condition supports expression configuration syntax.
Write filter conditions using the expression syntax; key and value can be referenced.
Supports in, like operators, and logical combination with and.

For example:
${key} in ['x-trace-id']: parameter name equals x-trace-id.
${key} in ['x-trace-id'] and ${value} like ['Bearer *']: parameter name equals x-trace-id and parameter value wildcard matches Bearer *.
TargetField
String
Yes
When the Scope parameter takes different values, the supported values in the TargetField expression are as follows:

body.json: supports key, value
cookie: supports key, value
header: supports key, value
uri.query: supports key, value
uri: supports path, query, fullpath
body: supports fullbody, multipart
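
Because each RequestFieldsForException entry removes part of a request from WAF scanning, it is worth linting entries for invalid Scope/TargetField pairs and for conditions broader than intended. The following Python sketch is an added example, not EdgeOne's own parser: the function names are constructed here, and the Condition grammar it accepts is limited to what this section shows (`${key}`/`${value}`, `in`, `like`, joined with `and`).

```python
import re

# Scope -> TargetField values allowed by the table above.
TARGET_FIELDS = {
    "body.json": {"key", "value"},
    "cookie": {"key", "value"},
    "header": {"key", "value"},
    "uri.query": {"key", "value"},
    "uri": {"path", "query", "fullpath"},
    "body": {"fullbody", "multipart"},
}
# Scopes for which the page requires Condition to be empty.
UNCONDITIONAL_SCOPES = {"uri", "body"}

_LIST = r"\[\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\]"
_CLAUSE = re.compile(r"\$\{(key|value)\}\s+(in|like)\s+(" + _LIST + r")")
_FULL = re.compile(r"\s*{c}(?:\s+and\s+{c})*\s*".format(
    c=r"\$\{(?:key|value)\}\s+(?:in|like)\s+" + _LIST))


def parse_condition(condition):
    """Split a Condition into (reference, operator, [values]) clauses."""
    if not _FULL.fullmatch(condition):
        raise ValueError(f"Condition {condition!r} does not match the grammar")
    return [(ref, op, re.findall(r"'([^']*)'", values))
            for ref, op, values in _CLAUSE.findall(condition)]


def lint_exception_field(field):
    """Return {'errors': [...], 'warnings': [...]} for one entry."""
    errors, warnings = [], []
    scope = field.get("Scope")
    target = field.get("TargetField")
    condition = field.get("Condition")

    if scope not in TARGET_FIELDS:
        return {"errors": [f"unknown Scope {scope!r}"], "warnings": warnings}
    if target not in TARGET_FIELDS[scope]:
        errors.append(f"TargetField {target!r} is not valid for Scope {scope}")
    if not isinstance(condition, str):
        errors.append("Condition is required and must be a string")
    elif scope in UNCONDITIONAL_SCOPES:
        if condition != "":
            errors.append(f"Condition must be empty for Scope {scope}")
    elif condition.strip() == "":
        # Per the page, an empty Condition skips ALL parameters in the scope.
        warnings.append(f"empty Condition: every {scope} parameter skips WAF scan")
    else:
        try:
            parse_condition(condition)
        except ValueError as exc:
            errors.append(str(exc))
    if scope == "body" and target == "fullbody":
        warnings.append("the full request body skips WAF scan")
    return {"errors": errors, "warnings": warnings}


# The first four entries are the page's own examples; the last is constructed.
SAMPLES = [
    {"Scope": "body.json", "Condition": "", "TargetField": "key"},
    {"Scope": "cookie", "TargetField": "value",
     "Condition": "${key} in ['account-id'] and ${value} like ['prefix-']"},
    {"Scope": "uri", "Condition": "", "TargetField": "query"},
    {"Scope": "body", "Condition": "", "TargetField": "fullbody"},
    {"Scope": "uri", "Condition": "${key} in ['a']", "TargetField": "key"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["Scope"], lint_exception_field(sample))
```

Entries that produce warnings are valid configuration; they are surfaced so that a reviewer confirms the broad skip is intentional.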

ResponseSpeedLimitParameters

Download speed limit configuration parameter for single connection.
Name
Type
Required
Description
Mode
String
Yes
Download speed limit mode. Valid values:

LimitUponDownload: download speed limit for the entire process
LimitAfterSpecificBytesDownloaded: starts rate limiting after downloading specific bytes at full speed
LimitAfterSpecificSecondsDownloaded: starts rate limiting after downloading for a specified time at full speed.
MaxSpeed
String
Yes
Speed limit, specify the speed limit size, fill in the value or variable with unit. Currently supported units: KB/s.
StartAt
String
No
Speed limit start value can be download size or specified duration. Fill in the value or variable with unit, assign download size or specify duration.
When the Mode is set to LimitAfterSpecificBytesDownloaded, the unit is: KB.
When the Mode is set to LimitAfterSpecificSecondsDownloaded, the unit is: s.

ReturnCustomPageActionParameters

Web security custom page additional parameter
Name
Type
Required
Description
ResponseCode
String
Yes
Response status code.
ErrorPageId
String
Yes
Custom error page ID for the response.

RuleBranch

Sub-rule branch.
Name
Type
Required
Description
Condition
String
No
Actions
No
Note: Actions and SubRules cannot be empty at the same time.
Note: This field may return null, indicating no valid value.
SubRules
No
Sub-rule list. Multiple rules exist in the list and execute in order from top to bottom.
Note: SubRules and Actions cannot be empty at the same time. Currently only support one level of SubRules.
Note: This field may return null, indicating no valid value.

RuleEngineAction

Rule engine operation.
Name
Type
Required
Description
Name
String
Yes
Operation name. The name must correspond to the parameter structure, for example, if Name=Cache, then CacheParameters is required.

Cache: node cache TTL;
CacheKey: custom Cache Key;
CachePrefresh: cache pre-refresh
AccessURLRedirect: URL redirection;
UpstreamURLRewrite: origin-pull URL rewrite;
QUIC: QUIC;
WebSocket: WebSocket;
Authentication: Token authentication;
MaxAge: browser cache TTL;
StatusCodeCache: status code cache TTL;
OfflineCache: Offline cache;
SmartRouting: Smart acceleration;
RangeOriginPull: range-based origin pull;
UpstreamHTTP2: HTTP2 origin pull;
HostHeader: host header rewrite;
ForceRedirectHTTPS: access protocol forced HTTPS redirect configuration;
OriginPullProtocol: HTTPS origin pull;
Compression: intelligent compression configuration;
HSTS: HSTS;
ClientIPHeader: Storage of client request IP header information configuration;
OCSPStapling: OCSP stapling;
HTTP2: HTTP2 integration;
PostMaxSize: Maximum limit configuration for POST request upload file streaming transmission;
ClientIPCountry: Carry client IP region information during origin pull;
UpstreamFollowRedirect: Parameter configuration for upstream follow redirect;
UpstreamRequest: Origin-pull request parameter;
Shield: Origin server offload configuration;
TLSConfig: SSL/TLS security
ModifyOrigin: Modify origin server;
SiteFailover: origin server failover;
HTTPUpstreamTimeout: Layer 7 origin pull timeout configuration;
HttpResponse: HTTP response;
ErrorPage: Custom error page;
ModifyResponseHeader: Modify HTTP node response header;
ModifyRequestHeader: Modify HTTP node request header;
ResponseSpeedLimit: Download speed limit for a single connection;
SetContentIdentifier: Set content identifier;
Vary: Vary feature configuration.
ContentCompression: Content compression configuration;
OriginAuthentication: Origin authentication configuration.
CacheParameters
No
Node cache TTL config. When Name value is Cache, this parameter is required.
Note: This field may return null, indicating no valid value.
CacheKeyParameters
No
Custom Cache Key config. When Name value is CacheKey, this parameter is required.
Note: This field may return null, indicating no valid value.
CachePrefreshParameters
No
Cache pre-refresh config. When Name value is CachePrefresh, this parameter is required.
Note: This field may return null, indicating no valid value.
AccessURLRedirectParameters
No
Access URL redirection configuration parameter. When Name value is AccessURLRedirect, this parameter is required.
Note: This field may return null, indicating no valid value.
UpstreamURLRewriteParameters
No
Origin-pull URL rewrite configuration parameter. When Name value is UpstreamURLRewrite, this parameter is required.
Note: This field may return null, indicating no valid value.
QUICParameters
No
QUIC configuration parameter. When Name value is QUIC, this parameter is required.
Note: This field may return null, indicating no valid value.
WebSocketParameters
No
WebSocket configuration parameter. When Name value is WebSocket, this parameter is required.
Note: This field may return null, indicating no valid value.
AuthenticationParameters
No
Token authentication configuration parameter. When Name value is Authentication, this parameter is required.
Note: This field may return null, indicating no valid value.
MaxAgeParameters
No
Browser cache TTL config. When Name value is MaxAge, this parameter is required.
Note: This field may return null, indicating no valid value.
StatusCodeCacheParameters
No
Status code cache TTL config. When Name value is StatusCodeCache, this parameter is required.
Note: This field may return null, indicating no valid value.
OfflineCacheParameters
No
Offline cache config. When Name value is OfflineCache, this parameter is required.
Note: This field may return null, indicating no valid value.
SmartRoutingParameters
No
Smart acceleration config. When Name value is SmartRouting, this parameter is required.
Note: This field may return null, indicating no valid value.
RangeOriginPullParameters
No
Fragment-based origin pull configuration parameters. When Name value is RangeOriginPull, this parameter is required.
Note: This field may return null, indicating no valid value.
UpstreamHTTP2Parameters
No
HTTP2 origin-pull configuration parameter. When Name value is UpstreamHTTP2, this parameter is required.
Note: This field may return null, indicating no valid value.
HostHeaderParameters
No
Host Header rewrite config. When Name value is HostHeader, this parameter is required.
Note: This field may return null, indicating no valid value.
ForceRedirectHTTPSParameters
No
Access protocol forced HTTPS redirect configuration. When Name value is ForceRedirectHTTPS, this parameter is required.
Note: This field may return null, indicating no valid value.
OriginPullProtocolParameters
No
HTTPS back-to-origin configuration parameters. When Name value is OriginPullProtocol, this parameter is required.
Note: This field may return null, indicating no valid value.
CompressionParameters
No
Intelligent compression configuration. When Name value is Compression, this parameter is required.
Note: This field may return null, indicating no valid value.
HSTSParameters
No
HSTS configuration parameters. When Name value is HSTS, this parameter is required.
Note: This field may return null, indicating no valid value.
ClientIPHeaderParameters
No
Storage of client request IP header information configuration. When Name value is ClientIPHeader, this parameter is required.
Note: This field may return null, indicating no valid value.
OCSPStaplingParameters
No
OCSP stapling configuration parameters. When Name value is OCSPStapling, this parameter is required.
Note: This field may return null, indicating no valid value.
HTTP2Parameters
No
HTTP2 access configuration parameter. When Name value is HTTP2, this parameter is required.
Note: This field may return null, indicating no valid value.
PostMaxSizeParameters
No
POST request upload file streaming transmission maximum limit configuration. When Name value is PostMaxSize, this parameter is required.
Note: This field may return null, indicating no valid value.
ClientIPCountryParameters
No
Back-to-origin configuration parameter carrying client IP address regional information. When Name value is ClientIPCountry, this parameter is required.
Note: This field may return null, indicating no valid value.
UpstreamFollowRedirectParameters
No
Upstream Follow Redirect parameter configuration. When Name value is UpstreamFollowRedirect, this parameter is required.
Note: This field may return null, indicating no valid value.
UpstreamRequestParameters
No
Upstream Request parameter configuration. When Name value is UpstreamRequest, this parameter is required.
Note: This field may return null, indicating no valid value.
ShieldParameters
No
Origin site offload configuration parameter. When Name value is Shield, this parameter is required.
Note: This field may return null, indicating no valid value.
TLSConfigParameters
No
SSL/TLS security configuration parameters. When Name value is TLSConfig, this parameter is required.
Note: This field may return null, indicating no valid value.
ModifyOriginParameters
No
Modify origin server configuration parameters. When Name value is ModifyOrigin, this parameter is required.
Note: This field may return null, indicating no valid value.
SiteFailoverParameters
No
Origin site failover configuration parameter. When Name value is SiteFailover, this parameter is required.
Note: This field may return null, indicating no valid value.
HTTPUpstreamTimeoutParameters
No
Layer-7 origin-pull timeout. When Name value is HTTPUpstreamTimeout, this parameter is required.
Note: This field may return null, indicating no valid value.
HttpResponseParameters
No
HTTP response configuration parameter. When Name value is HttpResponse, this parameter is required.
Note: This field may return null, indicating no valid value.
ErrorPageParameters
No
Custom error page configuration parameter. When Name value is ErrorPage, this parameter is required.
Note: This field may return null, indicating no valid value.
ModifyResponseHeaderParameters
No
Modify HTTP node response header configuration. When Name value is ModifyResponseHeader, this parameter is required.
Note: This field may return null, indicating no valid value.
ModifyRequestHeaderParameters
No
Modify HTTP node request header configuration. When Name value is ModifyRequestHeader, this parameter is required.
Note: This field may return null, indicating no valid value.
ResponseSpeedLimitParameters
No
Download speed limit configuration parameter for single connection. When Name value is ResponseSpeedLimit, this parameter is required.
Note: This field may return null, indicating no valid value.
SetContentIdentifierParameters
No
Content identification configuration parameter. When Name value is SetContentIdentifier, this parameter is required.
Note: This field may return null, indicating no valid value.
VaryParameters
No
Vary feature configuration parameter. When Name value is Vary, this parameter is required.
ContentCompressionParameters
No
Content compression configuration parameter. When Name value is ContentCompression, this parameter is required. This parameter is an allowlist feature. If needed, contact Tencent Cloud Engineers.
OriginAuthenticationParameters
No
Origin authentication configuration parameter. When Name value is OriginAuthentication, this parameter is required. This parameter is an allowlist feature. If needed, contact Tencent Cloud Engineers.

RuleEngineSubRule

Sub-rule.
Name
Type
Required
Description
Branches
Array of RuleBranch
No
Sub-rule branch
Note: This field may return null, indicating no valid value.
Description
Array of String
No
Rule annotation.

Rules

Rules are matched and executed in top-down order. Matching stops once a minimum unit is matched. Lower rules can override settings for the same configuration items in higher rules. Rule Engine Configuration is enabled by default after import.
RuleName
String
No
Rule name. The name length limit is no more than 255 characters.
Description
Array of String
No
Rule annotation. Multiple annotations can be filled.
Branches
Array of RuleBranch
No
Sub-rule branch. This list currently only supports filling in one rule. Multiple entries are invalid.
Note: This field may return null, indicating no valid value.

SearchEngineBots

Search engine rule configuration.
Name
Type
Required
Description
BaseAction
No
Execution action for requests from search engine crawlers. Supported Name values for SecurityAction:
Deny: Block.
Monitor: Monitor.
Disabled: Not enabled, disable specified rule.
Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.
Allow: Pass (to be deprecated).
BotManagementActionOverrides
No
Specifies the handling method for requests from search engine crawlers.

SecurityAction

Security action to execute.
Name
Type
Required
Description
Name
String
Yes
Name of the security action to execute. Valid values:

Deny: Block, preventing the request from accessing site resources.
Monitor: Monitor, only record logs.
Redirect: Redirect to URL.
Disabled: Not enabled, disable specified rule.
Allow: Allow access, but delay processing requests.
Challenge: Challenge, respond to challenge content.
BlockIP: To be deprecated, IP block.
ReturnCustomPage: To be deprecated, use the specified page to block.
JSChallenge: To be deprecated, JavaScript challenge.
ManagedChallenge: To be deprecated, managed challenge.
DenyActionParameters
No
Additional parameters when Name is Deny.
RedirectActionParameters
No
Additional parameters when Name is Redirect.
AllowActionParameters
No
Additional parameters when Name is Allow.
ChallengeActionParameters
No
Additional parameters when Name is Challenge.
BlockIPActionParameters
No
To be deprecated, additional parameters when Name is BlockIP.
ReturnCustomPageActionParameters
No
To be deprecated, additional parameters when Name is ReturnCustomPage.

SecurityPolicy

Configuration for the security policies.
Name
Type
Required
Description
CustomRules
No
Custom rule configuration.
ManagedRules
No
Managed rule configuration.
HttpDDoSProtection
No
HTTP DDoS protection configuration.
RateLimitingRules
No
Rate limiting rule configuration.
ExceptionRules
No
Exception rule configuration.
BotManagement
No
Bot management configuration.
BotManagementLite
No
Basic Bot management configuration.
DefaultDenySecurityActionParameters
No
Default blocking action configuration.

SecurityWeightedAction

SecurityAction allocated by weight.
Name
Type
Required
Description
SecurityAction
No
Action for Bot custom rules. Valid values:
Allow: Allow access. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters are supported.
Deny: Block. Within DenyActionParameters, the BlockIP, ReturnCustomPage, and Stall configurations are supported.
Monitor: Monitor.
Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.
Redirect: Redirect to URL.
Weight
Integer
No
The weight of the current SecurityAction. It supports only values from 10 to 100, which must be multiples of 10. The sum of all Weight parameters must equal 100.

SessionRateControl

Configuration for session rate and periodic characteristic validation.
Name
Type
Required
Description
Enabled
String
No
Whether the session rate and periodic characteristic verification configuration is enabled. Valid values are:
on: Enable
off: Disable
HighRateSessionAction
No
The execution action for high-risk session rate and periodic characteristic verification. SecurityAction Name parameter supports:
Deny: Block. Within DenyActionParameters, the Stall configuration is supported.
Monitor: Monitor.
Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured.
MidRateSessionAction
No
The execution action for medium-risk session rate and periodic characteristic verification. SecurityAction Name parameter supports:
Deny: Block. Within DenyActionParameters, the Stall configuration is supported.
Monitor: Monitor.
Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured.
LowRateSessionAction
No
The execution action for low-risk session rate and periodic characteristic verification. SecurityAction Name parameter supports:
Deny: Block. Within DenyActionParameters, the Stall configuration is supported.
Monitor: Monitor.
Allow: Respond after a delay. Within AllowActionParameters, the MinDelayTime and MaxDelayTime parameters must be configured.

SetContentIdentifierParameters

Content identification configuration parameters.
Name
Type
Required
Description
ContentIdentifier
String
No
Content identifier ID

ShieldParameters

Origin server offload configuration parameters.
Name
Type
Required
Description
ShieldSpaceId
String
Yes
Origin site offload space ID.

SiteFailover

Origin Server Failover Configuration Parameter Internal Structure.
Name
Type
Required
Description
Mode
String
Yes
Origin failover type. Values as follows:

FailoverToHost: fall back to the specified IP address/domain;
FailoverToCOS: fall back to Tencent Cloud COS;
FailoverToS3CompatibleObjectStorage: fall back to S3-compatible object storage;
FailoverRedirectToURL: Redirect to the specified URL.
FailoverCustomResponsePage: Uses a custom response page.
Origin
String
No
Origin server address is divided into following scenarios based on Mode value:

When Mode = FailoverToHost, specify this parameter as an IPV4 address, IPV6 address, or domain name.
When Mode = FailoverToCOS, specify this parameter as the access domain of the COS bucket.
When Mode = FailoverToS3CompatibleObjectStorage, specify this parameter as the access domain for the S3 bucket.
OriginProtocol
String
No
Origin protocol configuration. This parameter is required when Mode value is FailoverToHost. Valid values:

http: use HTTP protocol;
https: use HTTPS protocol;
follow: follow protocol.
HTTPOriginPort
Integer
No
HTTP origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is http or follow.
HTTPSOriginPort
Integer
No
HTTPS origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is https or follow.
UpstreamHostHeader
No
Origin Host Header rewrite configuration
UpstreamURLRewrite
No
Origin-pull URL rewrite configuration.
UpstreamRequestParameters
No
Origin-pull request parameters configuration.
UpstreamHTTP2Parameters
No
HTTP2 origin-pull configuration parameters.
PrivateAccess
String
No
Specifies whether access to the private Cloud Object Storage origin server is allowed. This parameter is required when the origin server type Mode = FailoverToCOS or FailoverToS3CompatibleObjectStorage. Valid values:

on: enable private authentication;
off: Do not use private authentication.
PrivateParameters
No
Private authentication parameter. This parameter takes effect only when Mode = FailoverToS3CompatibleObjectStorage and PrivateAccess = on.
RedirectURL
String
No
Redirect target URL. This parameter is required when Mode value is FailoverRedirectToURL.
ResponsePageId
String
No
Response page ID. This parameter is required when Mode value is FailoverCustomResponsePage.
StatusCode
Integer
No
Response status code. This parameter is required when Mode value is FailoverRedirectToURL or FailoverCustomResponsePage. Valid values:

When Mode = FailoverRedirectToURL, this parameter must be set to one of the following values: 301, 302, 303, 307, or 308.
When Mode = FailoverCustomResponsePage, this parameter must be set to one of the following values: 400, 403, 404, 405, 414, 416, 451, 500, 501, 502, 503, or 504.
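
Most SiteFailover fields are marked optional but become required depending on Mode and OriginProtocol, which is easy to get wrong by hand. The following Python validator for a SiteFailoverParameters object is an added example, not EdgeOne's own code: the function names and sample values are constructed, and treating a missing Origin as an error for the three origin-type modes is an assumption.

```python
REDIRECT_CODES = {301, 302, 303, 307, 308}
PAGE_CODES = {400, 403, 404, 405, 414, 416, 451, 500, 501, 502, 503, 504}
STORAGE_MODES = {"FailoverToCOS", "FailoverToS3CompatibleObjectStorage"}
ORIGIN_MODES = STORAGE_MODES | {"FailoverToHost"}
ALL_MODES = ORIGIN_MODES | {"FailoverRedirectToURL", "FailoverCustomResponsePage"}


def _port_ok(value):
    return type(value) is int and 1 <= value <= 65535


def validate_site_failover(item):
    """Return (errors, warnings) for one SiteFailover dict."""
    errors, warnings = [], []
    mode = item.get("Mode")
    if mode not in ALL_MODES:
        return [f"Mode {mode!r} is not a listed failover type"], warnings

    # Assumption: an origin-type Mode without an Origin address is unusable.
    if mode in ORIGIN_MODES and not item.get("Origin"):
        errors.append(f"Origin is needed when Mode is {mode}")

    protocol = item.get("OriginProtocol")
    if mode == "FailoverToHost" and protocol is None:
        errors.append("OriginProtocol is required when Mode is FailoverToHost")
    if protocol is not None:
        if protocol not in ("http", "https", "follow"):
            errors.append(f"OriginProtocol {protocol!r} is not http/https/follow")
        if protocol in ("http", "follow") and not _port_ok(item.get("HTTPOriginPort")):
            errors.append("HTTPOriginPort (1-65535) is required for http or follow")
        if protocol in ("https", "follow") and not _port_ok(item.get("HTTPSOriginPort")):
            errors.append("HTTPSOriginPort (1-65535) is required for https or follow")

    private = item.get("PrivateAccess")
    if mode in STORAGE_MODES and private not in ("on", "off"):
        errors.append(f"PrivateAccess (on/off) is required when Mode is {mode}")
    if "PrivateParameters" in item and not (
            mode == "FailoverToS3CompatibleObjectStorage" and private == "on"):
        warnings.append("PrivateParameters has no effect for this Mode/PrivateAccess")

    if mode == "FailoverRedirectToURL":
        if not item.get("RedirectURL"):
            errors.append("RedirectURL is required when Mode is FailoverRedirectToURL")
        if item.get("StatusCode") not in REDIRECT_CODES:
            errors.append("StatusCode must be one of 301, 302, 303, 307, 308")
    if mode == "FailoverCustomResponsePage":
        if not item.get("ResponsePageId"):
            errors.append("ResponsePageId is required for FailoverCustomResponsePage")
        if item.get("StatusCode") not in PAGE_CODES:
            errors.append("StatusCode is not a listed custom-page status code")
    return errors, warnings


def validate_site_failover_parameters(params):
    """Validate SiteFailoverStatusCodes plus every SiteFailoverParams entry."""
    errors, warnings = [], []
    codes = params.get("SiteFailoverStatusCodes") or []
    if not codes:
        errors.append("SiteFailoverStatusCodes is required")
    for code in codes:
        if not (type(code) is int and 400 <= code <= 599):
            errors.append(f"status code {code!r} is not 4xx or 5xx")
    items = params.get("SiteFailoverParams") or []
    if not 1 <= len(items) <= 2:
        errors.append("SiteFailoverParams must hold 1 or 2 entries")
    for index, item in enumerate(items):
        item_errors, item_warnings = validate_site_failover(item)
        errors += [f"SiteFailoverParams[{index}]: {e}" for e in item_errors]
        warnings += [f"SiteFailoverParams[{index}]: {w}" for w in item_warnings]
    return errors, warnings


# Constructed samples; host names and the page ID are placeholders.
GOOD = {"SiteFailoverStatusCodes": [502, 503, 504], "SiteFailoverParams": [
    {"Mode": "FailoverToHost", "Origin": "backup.example.com",
     "OriginProtocol": "https", "HTTPSOriginPort": 443},
    {"Mode": "FailoverCustomResponsePage", "ResponsePageId": "p-placeholder",
     "StatusCode": 503}]}
BAD = {"SiteFailoverStatusCodes": [302, 500], "SiteFailoverParams": [
    {"Mode": "FailoverToHost", "Origin": "backup.example.com",
     "OriginProtocol": "follow", "HTTPOriginPort": 80},
    {"Mode": "FailoverRedirectToURL", "StatusCode": 404,
     "RedirectURL": "https://status.example.com/"},
    {"Mode": "FailoverToCOS", "Origin": "bucket.example.com",
     "PrivateAccess": "on", "PrivateParameters": []}]}

if __name__ == "__main__":
    print(validate_site_failover_parameters(GOOD))
    print(validate_site_failover_parameters(BAD))
```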

SiteFailoverParameters

Origin Server Failover Configuration Parameters.
Name
Type
Required
Description
SiteFailoverStatusCodes
Array of Integer
Yes
Status codes for origin site failover conditions. Origin site failover is executed according to SiteFailoverParams only when the response status code returned by the origin site matches the value in this field. The value of this parameter is either 4xx or 5xx.
SiteFailoverParams
Array of SiteFailover
Yes
List of origin failover configuration parameters. The minimum length is 1, and the maximum length is 2.

SlowAttackDefense

Specific configuration of slow attack protection.
Name
Type
Required
Description
Enabled
String
Yes
Slow attack protection is enabled. Valid values:
on: Enable.
off: Disable.
Id
String
No
The rule ID of slow attack protection, only returned in output.
Action
No
The handling method of slow attack protection. This field is required when Enabled is on. SecurityAction Name supports:
Monitor: Monitor.
Deny: Block.
MinimalRequestBodyTransferRate
No
Minimum Body Transfer Rate threshold configuration. This field is required when Enabled is on.
RequestBodyTransferTimeout
No
Body transfer timeout duration configuration. This field is required when Enabled is on.

SmartRoutingParameters

Intelligent acceleration configuration.
Name
Type
Required
Description
Switch
String
No
Smart acceleration configuration switch. Valid values:

on: Enable.
off: Disable.

SourceIDC

Specific content of IDC rule configuration.
Name
Type
Required
Description
BaseAction
No
Handling method for access requests from a specified IDC. The Name parameter of SecurityAction supports:
Deny: Block.
Monitor: Monitor.
Disabled: Not enabled, disable specified rule.
Challenge: Challenge. Within ChallengeActionParameters, the ChallengeOption parameter supports JSChallenge and ManagedChallenge.
Allow: Pass (to be deprecated).
BotManagementActionOverrides
No
Specifies the handling method for requests from a specified IDC.

StandardDebugParameters

Debug structure.
Name
Type
Required
Description
Switch
String
No
Debug feature switch, valid values:

on: Enable.
off: Disable.
AllowClientIPList
Array of String
No
Allowed client source. Supports filling in IPv4 and IPv6 IP ranges. 0.0.0.0/0 indicates that all IPv4 clients are allowed for debugging; ::/0 indicates that all IPv6 clients are allowed for debugging. 127.0.0.1 cannot be filled in.
Note: When the Switch field is on, this field is required and the number of entries must be 1–100. When Switch is off, this field is not required. If filled, it does not take effect.
Expires
No
Debug feature expiry time. If the set time is exceeded, the feature will be disabled.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.

StatusCodeCacheParam

Status code cache TTL config internal structure.
Name
Type
Required
Description
StatusCode
Integer
No
Status code, value is one of 400, 401, 403, 404, 405, 407, 414, 500, 501, 502, 503, 504, 509, 514.
CacheTime
Integer
No
Cache time value in seconds, range: 0–31536000.

StatusCodeCacheParameters

Status code cache TTL config.
Name
Type
Required
Description
StatusCodeCacheParams
No
Status code cache TTL.
Note: This field may return null, indicating no valid value.

Templates

Policy template configuration defines a security policy that can be reused by multiple domains. By specifying PolicyType as Template and referencing TemplateId in HostPolicy, you can enable multiple domains to share the same policy configuration.
Configuration Field
Type
Required
Description
Id
String
Yes
The unique identifier ID of the policy template. This ID is referenced by the TemplateId field in HostPolicy to bind a domain name to this policy template.
Policy
Yes
The policy configuration of the policy template. This configuration takes effect for all domain names bound to this template through HostPolicy. Modifying the template policy configuration synchronously affects all associated domain names.

TLSConfigParameters

SSL/TLS security configuration parameters.
Name
Type
Required
Description
Version
Array of String
No
TLS version. At least one must be filled in. If multiple versions are specified, they must be consecutive. For example, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3 can all be enabled, but enabling only TLSv1 and TLSv1.2 while disabling TLSv1.1 is not allowed. Valid values:
TLSv1: TLSv1 version.
TLSv1.1: TLSv1.1 version.
TLSv1.2: TLSv1.2 version.
TLSv1.3: TLSv1.3 version.
CipherSuite
String
No
Cipher suite. For details, see TLS version and cipher suite specifications.
Valid values:
loose-v2023: loose-v2023 cipher suite.
general-v2023: general-v2023 cipher suite.
strict-v2023: strict-v2023 cipher suite.

UpstreamFollowRedirectParameters

Upstream Follow Redirect parameter configuration.
Name
Type
Required
Description
Switch
String
No
Upstream Follow Redirect configuration switch, values as follows:
on: Enable.
off: Disable.
MaxTimes
Integer
No
Maximum number of redirects. Value is 1-5.
Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect.

UpstreamHTTP2Parameters

HTTP2 origin-pull configuration.
Name
Type
Required
Description
Switch
String
No
HTTP2 origin-pull configuration switch, values are as follows:
on: Enable.
off: Disable.

UpstreamRequestCookie

Cookie configuration for origin-pull request parameters.
Name
Type
Required
Description
Switch
String
No
Cookie configuration switch for origin-pull request parameters, values are as follows:
on: Enable.
off: Disable.
Action
String
No
Cookie mode for origin-pull request parameters. When Switch is on, this parameter is required. Values are as follows:
full: Retain all.
ignore: Ignore all.
includeCustom: Retain some parameters.
excludeCustom: Ignore some parameters.
Values
Array of String
No
Specify parameter values. This parameter takes effect only when Action is includeCustom or excludeCustom, and specifies the parameters to keep or ignore. Supports a maximum of 10 parameters.

UpstreamRequestParameters

Configuration parameters for origin-pull requests.
Name
Type
Required
Description
QueryString
No
Query string configuration. Optional configuration. Leave blank for no configuration.
Note: This field may return null, indicating no valid value.
Cookie
No
Cookie configuration. Optional configuration. Leave blank for no configuration.
Note: This field may return null, indicating no valid value.

UpstreamRequestQueryString

Query string configuration for origin-pull requests.
Name
Type
Required
Description
Switch
String
No
Query string configuration switch for origin-pull requests, values as follows:
on: Enable.
off: Disable.
Action
String
No
Query string mode. When Switch is on, this parameter is required. Values are as follows:
full: Retain all.
ignore: Ignore all.
includeCustom: Retain some parameters.
excludeCustom: Ignore some parameters.
Values
Array of String
No
Specify parameter values. This parameter takes effect only when the query string mode Action is includeCustom or excludeCustom, used to specify parameters to keep or ignore. Supports a maximum of 10 parameters.

UpstreamURLRewriteParameters

Origin-pull URL rewrite configuration parameters.
Name
Type
Required
Description
Type
String
No
Origin-pull URL rewrite type. Only supports filling in Path.
Action
String
No
Origin-pull URL rewrite action. Values as follows:
replace: Replace the full Path. Used to replace the complete request URL Path with the specified Path.
addPrefix: Add a path prefix. Used to add the specified path prefix to the request URL Path.
rmvPrefix: Remove a path prefix. Used to remove the specified path prefix from the request URL Path.
regexReplace: Replace the full path with a regular expression. Used to match and replace the complete path using Google RE2 regular expressions.
Value
String
No
Origin-pull URL rewrite value. It must conform to the URL Path standard, and the rewritten Path must start with / to prevent modification of the origin-pull URL Host. Length range: 1–1024. When Action is addPrefix, it cannot end with /; when Action is rmvPrefix, it cannot contain *; when Action is regexReplace, $NUM can be used to refer to a regular expression capture group, where NUM represents the group number, such as $1, supporting up to $9.
Regex
String
No
Regular expression that the origin-pull URL rewrite matches against the full path when performing a regex replacement. It must conform to the Google RE2 specification, length range 1–1024. This field is required when Action is regexReplace; otherwise it is not required.
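The Value and Regex constraints above lend themselves to a pre-submission check, since a Value without a leading / is the case the page warns could alter the origin-pull URL Host. The following is an added example, not code from the EdgeOne documentation or tooling: `lint_url_rewrite` and the sample rules are hypothetical, Action and Value are assumed to be present, Python's `re` module stands in for RE2 as an approximation, and the capture-group count check goes beyond the rules stated on this page.

```python
import re

ACTIONS = {"replace", "addPrefix", "rmvPrefix", "regexReplace"}


def lint_url_rewrite(p):
    """Return the rule violations for one UpstreamURLRewriteParameters dict."""
    errs = []
    action, value, regex = p.get("Action"), p.get("Value"), p.get("Regex")
    if p.get("Type", "Path") != "Path":
        errs.append("Type: only Path is supported")
    if action not in ACTIONS:
        errs.append(f"Action: invalid value {action!r}")
    if not isinstance(value, str) or not 1 <= len(value) <= 1024:
        return errs + ["Value: length must be 1-1024"]
    # The page requires a leading "/" so the rewrite cannot change the origin-pull
    # URL Host. Applied to regexReplace too, which is conservative for "$1"-led values.
    if not value.startswith("/"):
        errs.append("Value: rewritten Path must start with /")
    if action == "addPrefix" and value.endswith("/"):
        errs.append("Value: must not end with / when Action is addPrefix")
    if action == "rmvPrefix" and "*" in value:
        errs.append("Value: must not contain * when Action is rmvPrefix")
    if action == "regexReplace":
        if not isinstance(regex, str) or not 1 <= len(regex) <= 1024:
            return errs + ["Regex: required (length 1-1024) when Action is regexReplace"]
        try:
            groups = re.compile(regex).groups  # approximation: Python re, not RE2
        except re.error as exc:
            return errs + [f"Regex: does not compile ({exc})"]
        # Extra lint, not a rule stated on the page: $NUM must name an existing group.
        bad = sorted({int(n) for n in re.findall(r"\$(\d)", value) if int(n) > groups})
        if bad:
            errs.append(f"Value: $NUM reference(s) {bad} have no capture group")
    return errs


# Constructed sample rules (not taken from a real site configuration).
SAMPLES = [
    {"Type": "Path", "Action": "addPrefix", "Value": "/v2/"},
    {"Type": "Path", "Action": "replace", "Value": "origin.example/x"},
    {"Type": "Path", "Action": "regexReplace", "Value": "/img/$2", "Regex": "^/static/(.*)$"},
    {"Type": "Path", "Action": "regexReplace", "Value": "/img/$1", "Regex": "^/static/(.*)$"},
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule["Action"], rule["Value"], "->", lint_url_rewrite(rule))
```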

URLPath

Access URL redirection path configuration parameters.
Name
Type
Required
Description
Action
String
No
Execution action. The values are as follows:
follow: Follow request.
custom: Custom.
regex: Regular expression matching.
Regex
String
No
Regular expression matching, length range 1–1024.
Note: This field is required when Action is regex. When Action is follow or custom, no need to specify this field. If filled, it does not take effect.
Value
String
No
Target URL for redirection, length range 1–1024.
Note: This field is required when Action is regex or custom. When Action is follow, no need to specify this field. If filled, it does not take effect.

VaryParameters

Vary feature configuration parameter.
Name
Type
Required
Description
Switch
String
Yes
Vary feature configuration switch, values as follows:
on: Enable.
off: Disable.

WebSecurity

The Web Security Protection configuration group defines the site-level default policy, domain-specific policy binding relationships, and policy templates.
Configuration Field
Type
Required
Description
ZoneDefaultPolicy
Yes
The default security policy configuration at the site level. This policy serves as the default policy for the current site and takes effect for all domain names whose policy type is not explicitly specified in HostPolicy.
HostPolicy
Array of HostPolicy
Yes
The list of domain name policy bindings. It defines the type of security policy (site-level policy, domain-level custom policy, or policy template) used by each domain name under the current site. Domain names not present in this list automatically use the site-level default policy in ZoneDefaultPolicy.
Templates
Array of Templates
Yes
The list of policy templates. It defines all reusable security policy templates under the current site. These templates can be referenced by multiple domain names via the TemplateId in HostPolicy.

WebSocketParameters

WebSocket configuration.
Name
Type
Required
Description
Switch
String
No
WebSocket timeout configuration switch. Valid values:
on: Use Timeout as the WebSocket timeout period.
off: The platform still supports WebSocket connections, using the system default 15-second timeout period.
Timeout
Integer
No
Timeout period in seconds. The maximum timeout is 120 seconds.
Note: When Switch is on, this field is required, otherwise it is ineffective.

ZoneConfig

Site Acceleration Configuration.
Name
Type
Required
Description
SmartRouting
No
Intelligent acceleration configuration.
Note: This field may return null, indicating no valid value.
Cache
No
Cache expiration time configuration.
Note: This field may return null, indicating no valid value.
MaxAge
No
Browser cache configuration.
Note: This field may return null, indicating no valid value.
CacheKey
No
Node cache key configuration.
Note: This field may return null, indicating no valid value.
CachePrefresh
No
Cache pre-refresh configuration.
Note: This field may return null, indicating no valid value.
OfflineCache
No
Offline cache configuration.
Note: This field may return null, indicating no valid value.
Compression
No
Intelligent compression configuration.
Note: This field may return null, indicating no valid value.
ForceRedirectHTTPS
No
Access protocol forced HTTPS redirect configuration.
Note: This field may return null, indicating no valid value.
HSTS
No
HSTS configuration.
Note: This field may return null, indicating no valid value.
TLSConfig
No
TLS configuration.
Note: This field may return null, indicating no valid value.
OCSPStapling
No
OCSP stapling configuration.
Note: This field may return null, indicating no valid value.
HTTP2
No
HTTP2 configuration.
Note: This field may return null, indicating no valid value.
QUIC
No
QUIC access configuration.
Note: This field may return null, indicating no valid value.
UpstreamHTTP2
No
HTTP2 origin-pull configuration.
Note: This field may return null, indicating no valid value.
IPv6
No
IPv6 access configuration.
Note: This field may return null, indicating no valid value.
WebSocket
No
WebSocket configuration.
Note: This field may return null, indicating no valid value.
PostMaxSize
No
POST request transmission configuration.
Note: This field may return null, indicating no valid value.
ClientIPHeader
No
Client IP HTTP request header configuration.
Note: This field may return null, indicating no valid value.
ClientIPCountry
No
Configuration for whether to carry client IP address regional information in origin-pull requests.
Note: This field may return null, indicating no valid value.
Grpc
No
gRPC protocol support configuration.
Note: This field may return null, indicating no valid value.
NetworkErrorLogging
No
Network error logging configuration.
Note: This field may return null, indicating no valid value.
AccelerateMainland
No
Accelerate and optimize configurations in the Chinese mainland.
Note: This field may return null, indicating no valid value.
StandardDebug
No
Standard Debug configuration.
Note: This field may return null, indicating no valid value.