Skip to main content

Protocol validation

The protocol validation policy group verifies the HTTP and HTTPS protocols used by clients to request content from your website's origin server. If the request meets the protocol-specific requirements, the transaction is allowed, while all non-compliant transactions are blocked.

Info

Bot Management, which includes this policy group, is available in the Pro and Enterprise plans. More details on the Security pricing page.

Configure protocol validation rules

You can review and configure protocol validation rules in the CDB Technical Web Portal:

1. Navigate to WAAP > Bot Management.

2. In the domain dropdown at the top of the page, select the needed domain.

3. The Bot Attacks tab contains the Service protocol validation and Prevent malformed request methods policies.

Service protocol validation is enabled by default. Prevent malformed request methods is disabled by default. To change the policy mode, click the Mode dropdown and select Protection or Disabled.

Service protocol validation

Block clients that try to interfere with the service's internal calls, such as tampering with cookies or request headers.

Prevent malformed request methods

Enforce HTTP RFC requirements that define how the client is supposed to interact with the server. If the requests don't meet the RFC standards, the client will be challenged with CAPTCHA or JavaScript validation. Clients that fail to pass the validation will be blocked.

The Policies endpoints manage Protocol Validation rules — blocking HTTP requests that violate protocol standards. Response examples include only the fields used in each step.

An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples. Bot Management, which includes this policy group, is available on the Pro and Enterprise WAAP plans.

export GCORE_API_KEY="{YOUR_API_KEY}"
export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"

Protocol Validation policies are stored under the advanced-api-protection resource group in the API. When querying rule sets, filter by resource_slug == "advanced-api-protection" and then select policies S3008978 and S3008980.

View policy states

Retrieve the current mode of the Protocol Validation policies for a domain.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

rule_sets = client.waap.domains.list_rule_sets(domain_id)
adv_set = next(
    rs for rs in rule_sets if rs.resource_slug == "advanced-api-protection"
)

protocol_ids = {"S3008978", "S3008980"}
for policy in adv_set.rules:
    if policy.id in protocol_ids:
        status = "enabled" if policy.mode else "disabled"
        print(f"{policy.name}: {status} ({policy.id})")
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    gcore "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

    protocolIDs := map[string]bool{"S3008978": true, "S3008980": true}

    ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
    for _, rs := range *ruleSets {
        if rs.ResourceSlug == "advanced-api-protection" {
            for _, policy := range rs.Rules {
                if protocolIDs[policy.ID] {
                    status := "disabled"
                    if policy.Mode {
                        status = "enabled"
                    }
                    fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
                }
            }
        }
    }
}
curl -X GET "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/rule-sets" \
  -H "Authorization: APIKey ${GCORE_API_KEY}" \
  | jq '.[] | select(.resource_slug == "advanced-api-protection") | .rules[] | select(.id == "S3008978" or .id == "S3008980") | {name, id, mode}'

The response includes each policy with its ID and current state. mode: true means enabled; mode: false means disabled.

Toggle a policy

Use the policy ID returned by View policy states, or one of the IDs listed in the Policy reference table below.

This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

# Toggle Service protocol validation (S3008978)
# Replace with S3008980 for Prevent malformed request methods
result = client.waap.domains.policies.toggle("S3008978", domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Service protocol validation is now {status}")
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    gcore "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
    "github.com/G-Core/gcore-go/waap"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

    // Toggle Service protocol validation (S3008978)
    // Replace with S3008980 for Prevent malformed request methods
    result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), "S3008978", waap.DomainPolicyToggleParams{DomainID: domainID})
    status := "disabled"
    if result.Mode {
        status = "enabled"
    }
    fmt.Printf("Service protocol validation is now %s\n", status)
}
# S3008978 = Service protocol validation
# S3008980 = Prevent malformed request methods
export POLICY_ID="S3008978"

curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
  -H "Authorization: APIKey ${GCORE_API_KEY}"

The API returns the updated policy object. mode: true confirms the policy is now enabled; mode: false confirms disabled.

Policy reference