Managed transforms

Managed transforms in Edge Security Acceleration (ESA) automatically add request headers carrying the client IP, geolocation, and TLS fingerprint to origin requests, and add standard security response headers to the responses returned to clients.

How it works

After you enable managed transforms, ESA adds origin request headers and security response headers at its points of presence (POPs):

  • HTTP request headers (Client → ESA → Origin server): When a POP receives a client request, it adds the following request headers before forwarding the request to the origin server:

    Add real client IP header
    Included headers: ali-real-client-ip
    Description: Records the IP address of the client that established the TCP connection to the POP. Because ESA sets this header itself at the POP, it is more reliable than X-Forwarded-For, which a client can forge. It is only trustworthy on requests that actually arrived through ESA: an origin that is reachable directly from the internet can receive a client-supplied ali-real-client-ip header, so restrict origin access to ESA and honour the header only on those connections.

    Add visitor location header
    Included headers: ali-ip-country, ali-ip-city
    Description: Adds the client's country/region and city codes, derived from IP geolocation. The country/region value is an ISO 3166-1 alpha-2 code; for example, ali-ip-country=cn indicates that the client is in the Chinese mainland.

    Add security request header
    Included headers: Tls-Hash, Tls-Ja3, Tls-Ja4
    Description: Carries JA3 and JA4 TLS fingerprints computed from the client's TLS handshake (ClientHello), which the origin can use to identify client types or detect bots. These headers carry values only for sites on the Enterprise plan; on other plans no value is set.

    Account security risk information
    Included headers: Esa-User-Risk
    Description: Sends the account identifier and risk score to the origin server. Example: account_name:test****@gmail.com;risk_coefficient:85, where the account name is test****@gmail.com and the risk score is 85. This header is added automatically once you enable the Account Security (ATO) feature; nothing needs to be configured on the Managed Transforms page.

  • HTTP response headers (ESA → Client): When ESA receives a response from the origin server, it adds the standard security response headers listed below before returning the response to the client.

    Note

    If the origin server's response already contains a security header with the same name, ESA overwrites the origin value by default to keep the policy consistent. This also applies when the origin value is stricter than ESA's: for example, an origin x-frame-options: DENY or referrer-policy: no-referrer is replaced by SAMEORIGIN or same-origin respectively. Keep the ESA values in mind when you enable the transform for an application that sets its own policy.

    Add security response headers
    Included headers and what each one does:

    x-content-type-options: nosniff
    Prevents MIME-type confusion attacks by requiring the browser to honour the Content-Type response header instead of sniffing the content. nosniff is the only defined value and switches on this strict mode.

    x-xss-protection: 1; mode=block
    Activates the browser's legacy filter for reflected cross-site scripting (XSS), where a script is injected through URL parameters: 1 enables the filter and mode=block stops the page from rendering when an attack is detected. Chromium-based browsers removed this filter in 2019 and Firefox never implemented it, so the header only affects older browsers; a Content-Security-Policy sent by the origin remains the effective XSS mitigation.

    x-frame-options: SAMEORIGIN
    Prevents clickjacking by restricting which pages may embed this page in a frame. SAMEORIGIN allows embedding only by pages of the same origin (same scheme, host and port); for example, example.com pages can be framed only by other example.com pages.

    referrer-policy: same-origin
    Controls what the browser puts in the Referer header so that user navigation paths are not exposed to other sites. same-origin sends the full Referer with same-origin requests and no Referer at all with cross-origin requests.

    expect-ct: max-age=86400, enforce
    Tells the browser to require Certificate Transparency (CT) for the site's certificate. max-age=86400 keeps the policy for 24 hours; enforce makes the browser reject connections whose certificate does not meet CT requirements instead of only reporting them. Expect-CT is obsolete: current browsers enforce CT for publicly trusted certificates regardless of this header and Chrome dropped support for it in 2022, so it has no effect on up-to-date clients.

Add client information to origin requests

Automatically add HTTP headers containing the client's IP address, geolocation, and TLS fingerprint to origin requests, giving your origin application more client context.

Procedure

  1. In the ESA console, choose Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Rules > Transform Rules.

  3. On the Transform Rules page, click the Managed Transforms tab.

  4. Select the required Headers.

    • Add Real Client IP Header: Sends the ali-real-client-ip header with the client's originating IP address. Click Configure, turn on the Status switch, keep the default ali-real-client-ip header name or enter a custom one, and click OK.

    • Add Visitor Location Headers: Sends the ali-ip-country and ali-ip-city headers, from which the origin server can read the client's country/region and city codes.

    • Add Security Request Headers: Sends the Tls-Hash, Tls-Ja3, and Tls-Ja4 headers. The origin server can use these to identify client types or detect bots.

Result

To verify, monitor origin requests from ESA on your origin server and check the logs.

Before you enable the feature

Only the basic request headers are present.

After you enable the feature

After you enable Add Real Client IP Header, Add Visitor Location Headers, and Add Security Request Headers in ESA, the origin request includes headers such as Ali-Ip-Country, Tls-Hash, Tls-Ja3, Tls-Ja4, Ali-Ip-City, and Ali-Real-Client-Ip.
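As an added example (not code from the ESA documentation), the following Python helper shows how an origin application can consume these headers safely: it accepts ali-real-client-ip, the ali-ip-* headers, the Tls-* fingerprints and Esa-User-Risk only when the TCP peer is an ESA address, so a client that reaches the origin directly cannot spoof them, and it treats empty fingerprint headers (non-Enterprise plans) as absent. The ESA_SOURCE_RANGES networks and the SAMPLE_REQUEST header set are constructed placeholders; take the real ESA back-to-origin addresses from ESA.

```python
"""Origin-side handling of ESA managed-transform request headers.

Added example, not part of the ESA documentation. ESA_SOURCE_RANGES and
SAMPLE_REQUEST below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional

# ASSUMPTION: placeholder networks standing in for the real list of ESA
# back-to-origin addresses, which you must obtain from ESA.
ESA_SOURCE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass
class ClientContext:
    client_ip: str              # trusted client address, or the TCP peer
    via_esa: bool               # True only when the request came through an ESA POP
    country: Optional[str] = None
    city: Optional[str] = None
    tls_hash: Optional[str] = None
    ja3: Optional[str] = None
    ja4: Optional[str] = None
    account_name: Optional[str] = None
    risk_coefficient: Optional[int] = None


def is_esa_peer(peer_ip: str) -> bool:
    """True when the TCP connection to the origin comes from an ESA POP."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ESA_SOURCE_RANGES)


def parse_user_risk(value: str) -> "tuple[Optional[str], Optional[int]]":
    """Parse 'account_name:test****@gmail.com;risk_coefficient:85'."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    risk = fields.get("risk_coefficient")
    risk_int = int(risk) if risk is not None and risk.isdigit() else None
    return fields.get("account_name"), risk_int


def build_client_context(peer_ip: str, headers: Mapping[str, str]) -> ClientContext:
    """Derive a ClientContext, trusting ESA headers only on ESA connections."""
    if not is_esa_peer(peer_ip):
        # Direct hit on the origin: any ali-*/Tls-*/Esa-* header could have
        # been written by the client, so ignore them all.
        return ClientContext(client_ip=peer_ip, via_esa=False)

    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    client_ip = peer_ip
    try:
        client_ip = str(ipaddress.ip_address(h.get("ali-real-client-ip", "")))  # reject garbage
    except ValueError:
        pass
    ctx = ClientContext(client_ip=client_ip, via_esa=True)
    ctx.country = h.get("ali-ip-country", "").upper() or None
    ctx.city = h.get("ali-ip-city") or None
    # TLS fingerprint headers carry values only on the Enterprise plan;
    # treat an empty value as absent.
    ctx.tls_hash = h.get("tls-hash") or None
    ctx.ja3 = h.get("tls-ja3") or None
    ctx.ja4 = h.get("tls-ja4") or None
    if h.get("esa-user-risk"):
        ctx.account_name, ctx.risk_coefficient = parse_user_risk(h["esa-user-risk"])
    return ctx


# Constructed sample: what a request relayed by an ESA POP might carry.
SAMPLE_REQUEST = {
    "Ali-Real-Client-Ip": "198.51.100.7",
    "Ali-Ip-Country": "cn",
    "Tls-Ja3": "0123456789abcdef0123456789abcdef",   # placeholder fingerprint value
    "Tls-Ja4": "",                                   # empty below the Enterprise plan
    "Esa-User-Risk": "account_name:test****@gmail.com;risk_coefficient:85",
}

if __name__ == "__main__":
    print(build_client_context("203.0.113.10", SAMPLE_REQUEST))  # relayed by an ESA POP
    print(build_client_context("192.0.2.5", SAMPLE_REQUEST))     # direct hit, headers ignored
```

The peer check is the important part: without it, enabling the transform gives the origin no more assurance about the client IP than X-Forwarded-For already does, because anyone who can bypass ESA can set ali-real-client-ip themselves.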

Add security Headers to client responses

Automatically add standard security headers to client responses to protect against XSS, clickjacking, and other attacks.

Procedure

  1. In the ESA console, choose Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Rules > Transform Rules.

  3. On the Transform Rules page, click the Managed Transforms tab.

  4. In the Add Security Response Headers section, turn on the switch to add security headers to client responses.

Result

To verify, open your browser's developer tools, select the request in the Network panel, and check its Response Headers.

Before you enable the feature

Only the basic response headers are present.

After you enable the feature

After you enable Add Security Response Headers in ESA, the response includes the following headers: expect-ct: max-age=86400, enforce, referrer-policy: same-origin, x-content-type-options: nosniff, x-xss-protection: 1; mode=block, and x-frame-options: SAMEORIGIN. Strict-Transport-Security and Content-Security-Policy are not part of this set, so the origin must still send them itself if you need them.
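As an added example (not code from ESA), the following Python script models what the transform does to an origin response, audits it for origin headers that would be overwritten by a less restrictive ESA value, and checks a captured response for the five expected headers. The classification of which origin values count as stricter than ESA's (STRICTER_THAN_ESA) and the SAMPLE_ORIGIN_RESPONSE are this example's own assumptions.

```python
"""Model and audit of the ESA security response header transform.

Added example, not ESA code. STRICTER_THAN_ESA and SAMPLE_ORIGIN_RESPONSE
are this example's own assumptions.
"""
from typing import Dict, List, Mapping, Tuple

# The five headers ESA adds, with the values documented above.
ESA_SECURITY_RESPONSE_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "same-origin",
    "expect-ct": "max-age=86400, enforce",
}

# ASSUMPTION: origin values this audit treats as stricter than the ESA value
# that would overwrite them (compared case-insensitively).
STRICTER_THAN_ESA = {
    "x-frame-options": {"deny"},
    "referrer-policy": {"no-referrer"},
}

# Headers the transform does not add; the origin must send them itself.
NOT_COVERED = ("strict-transport-security", "content-security-policy")

Finding = Tuple[str, str, str, str]  # (kind, header, origin value, esa value)


def apply_managed_transform(origin_headers: Mapping[str, str]) -> Dict[str, str]:
    """Headers the client receives: origin headers, with ESA's set overwriting same-name ones."""
    out = {k.lower(): v for k, v in origin_headers.items()}
    out.update(ESA_SECURITY_RESPONSE_HEADERS)
    return out


def audit_transform(origin_headers: Mapping[str, str]) -> List[Finding]:
    """Report what enabling the transform changes for this origin response."""
    lower = {k.lower(): v.strip() for k, v in origin_headers.items()}
    findings: List[Finding] = []
    for name, esa_value in ESA_SECURITY_RESPONSE_HEADERS.items():
        orig = lower.get(name)
        if orig is None or orig.lower() == esa_value.lower():
            continue  # header absent, or already the ESA value
        kind = "downgrade" if orig.lower() in STRICTER_THAN_ESA.get(name, set()) else "replaced"
        findings.append((kind, name, orig, esa_value))
    for name in NOT_COVERED:
        if name not in lower:
            findings.append(("missing", name, "", ""))
    return findings


def verify_esa_headers(response_headers: Mapping[str, str]) -> List[str]:
    """Names of ESA headers missing or different in a captured response (empty list = all present)."""
    lower = {k.lower(): v.strip() for k, v in response_headers.items()}
    return sorted(
        name for name, expected in ESA_SECURITY_RESPONSE_HEADERS.items()
        if lower.get(name, "").lower() != expected.lower()
    )


# Constructed sample: an origin that already sets stricter framing and referrer policies
# and its own CSP, but no HSTS.
SAMPLE_ORIGIN_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for finding in audit_transform(SAMPLE_ORIGIN_RESPONSE):
        print(finding)
    print(verify_esa_headers(apply_managed_transform(SAMPLE_ORIGIN_RESPONSE)))
```

Run audit_transform against the headers your origin actually emits before turning the switch on; a "downgrade" finding means the transform will weaken a policy your application relies on, and a "missing" finding is a reminder that this transform will not supply HSTS or CSP for you.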