I noticed that many rules are available for “request” headers, but I don’t believe there are any filters for response headers. I know that we can use the API to create global allow/block rules, but I was wondering if the origin server could return a special response header that would result in a time-limited denial for a requesting IP address that causes abuse that is not caught by Edgio?
For example, a request that contained a Log4J exploit in the user agent slipped through the Edgio WAF. When we detect this, we can block based on the IP address, but we’ve discovered that IPv6 addresses often translated to an internal IPv4 EdgioIP instead of the actual end user’s IPv4 address. We don’t want to penalize Edgio, but would like to let Edgio know that the original requesting IP should be put on a temporary X-minute timeout and prevented from performing additional requests.
Without having to manually add rules or use the API, if a custom response header is returned by the origin server, set a timeout to that many seconds. Here’s a basic response header example for 10 minute penalty.