X-SigSci-* request headers

X-SigSci-* headers are added to incoming requests. The end user (your customers) can't see them. However, your internal application can use these headers for various integrations.

Headers that are automatically added

The Next-Gen WAF automatically adds the following X-SigSci- headers to requests:

• X-SigSci-AgentResponse: a code that indicates the Next-Gen WAF agent's decision to allow or block a request to your web application. This header only applies to Core WAF deployments.

  The 200 agent response code indicates the request should be allowed, and agent response codes greater than or equal to 301 indicate the request should be blocked. For more information, check out our About agent response codes guide.

• X-SigSci-RequestID: a request ID used to uniquely identify a request. Not all requests will be assigned an ID.

• X-SigSci-Tags: a CSV string of comma-separated signals that are associated with a request. The header includes both system and custom signals (e.g., SQLI, XSS, NOUA, TOR, SITE.CUSTOM-SIGNAL).

  NOTE

  Do not use the IMPOSTOR signal as an indicator of malicious intent. Anything that appears to be a mainstream search engine is tagged with this signal and the exact identification is done upstream.

Adding headers to customize inspection for Edge WAF deployments

If you have an Edge WAF deployment, you can use X-SigSci-* headers to customize when the Next-Gen WAF inspects traffic.

Forcing inspection

When testing your Next-Gen WAF deployment, you can use the curl command line tool to force the Next-Gen WAF to inspect a request by adding the x-sigsci-force-inspection header to the request:

$ curl ${REQUEST_URL} -H 'x-sigsci-force-inspection: true'

Disabling inspection

The x-sigsci-no-inspection header prevents the Next-Gen WAF from inspecting requests that meet user-defined conditions. For example, you can use this header to bypass the WAF and allow traffic to access static content.

To disable inspection for select requests, add the x-sigsci-no-inspection header to your service and then associate a condition to the header:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Content.

5. In the Headers area, click Create a header.

   

6. Fill out the Create a header fields as follows:

   • In the Name field, enter x-sigsci-no-inspection.
   • From the Type menu, select Request, and from the Action menu, select Set.
   • In the Destination field, enter http.x-sigsci-no-inspection.
   • In the Source field, enter true.
   • From the Ignore if set menu, select No.
   • In the Priority field, enter the order the header rules execute.

7. Click Create.

8. In the Headers area, click Attach a condition next to the x-sigsci-no-inspection header.

   

9. Fill out the Create a new response condition fields as follows:

   • In the Name field, enter a descriptive name for the new condition (for example, x-sigsci-no-inspection condition).
   • In the Apply if field, enter the appropriate request condition that will be applied. For example, req.url.ext ~ "(?i)^(html|css|js|gif|png|jpg|jpeg|svg|woff|woff2|ttf|eot|otf)$" disables inspection for requests with a static file extension.

10. Click Save and apply to. The new condition for the header is created.

11. Click Activate to deploy your configuration changes.

Skipping initial inspection

The x-sigsci-skip-inspection-once header tells the Next-Gen WAF to skip initial inspection and only inspect requests when the vcl_miss or vcl_pass subroutines are called. Adding this header is helpful when you want an additional security integration to handle preflight requests and then the Next-Gen WAF to inspect the request.

To skip initial inspection, add the x-sigsci-skip-inspection-once header to your service and then associate a condition to the header:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Content.

5. In the Headers area, click Create a header.

   

6. Fill out the Create a header fields as follows:

   • In the Name field, enter x-sigsci-skip-inspection-once.
   • From the Type menu, select Request, and from the Action menu, select Set.
   • In the Destination field, enter http.x-sigsci-skip-inspection-once.
   • In the Source field, enter true.
   • From the Ignore if set menu, select No.
   • In the Priority field, enter the order the header rules execute.

7. Click Create.

8. In the Headers area, click Attach a condition next to the x-sigsci-skip-inspection-once header.

   

9. Fill out the Create a new response condition fields as follows:

   • In the Name field, enter a descriptive name for the new condition (for example, x-sigsci-skip-inspection-once condition).
   • In the Apply if field, enter the appropriate request condition that will be applied. For example, enter req.restarts < 1 && req.url.path ~ "skip-waf-once" to restart inspection of requests with the skip-waf-once path. The restart condition enables preflight requests to enrich a request before being sent to the Next-Gen WAF and origin.

10. Click Save and apply to. The new condition for the header is created.

11. Click Activate to deploy your configuration changes.