The protocol validation policy group verifies the HTTP and HTTPS protocols used by clients to request content from your website’s origin server. If the request meets the protocol-specific requirements, the transaction is allowed, while all non-compliant transactions are blocked.

Configure policy group

You can review the Protocol validation policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

2. Find the domain where you want to configure the policy group and click the domain name to open it.

3. On the Policies page that opens, click Protocol validation to expand the section and adjust the policies.

Info

All protocol validation policies are enabled by default. To enable or disable a policy, turn on the toggle near that policy.

Invalid user agent and unknown user agent

These two WAAP policies work together to identify and block requests that lack a standard user-agent parameter. If the agent is missing, this can indicate that an illegitimate client is being used.

Most browsers provide user agent information across the network to validate a client’s authenticity and purpose. User agent strings typically follow this syntax:

User-Agent: <product> / <product-version> <comment>

Where:

  • <product>: A product identifier—its name or development codename.

  • <product-version>: Version number of the product.

  • <comment>: Comments containing more details. For example, sub-product information.

Service protocol validation

Block clients that try to interfere with the service’s internal calls, such as tampering with cookies or request headers.

Prevent malformed request methods

Enforce HTTP RFC requirements that define how the client is supposed to interact with the server. If the requests don’t meet the RFC standards, the client will be challenged with CAPTCHA or JavaScript validation. Clients that fail to pass the validation will be blocked.