Security overview

更新时间:
复制 MD 格式

Edge Security Acceleration (ESA) inspects and filters traffic at PoPs through edge WAF, bot management, DDoS protection, and origin protection—blocking malicious attacks before they reach your origin server, protecting your data center, and improving access speed and user experience.

Features

Feature

Description

Security analytics

Security analytics shows WAF and bot management data, including blocked, observed, and other request metrics. Use this data to fine-tune your protection rules.

Event analysis

Event analysis aggregates and analyzes security event data, helping you identify threats, assess risks, and respond accordingly.

Intelligent protection

Intelligent rate limiting

Smart Rate Limiting enhances Rate Limiting Rules with the ESA AI engine. Instead of manually analyzing traffic and defining rules, you select a protection level. The system trains a baseline from your site's past seven days of traffic and updates it daily.

One-click abuse prevention

The ESA abuse prevention feature combines global monitoring of anomalous traffic with an open-source IP reputation database updated daily. This feature effectively mitigates traffic abuse from sources like Peer-to-Peer CDN (PCDN) platforms and automated scripts, helping you avoid substantial financial losses.

WAF

Custom rules

If your website requires custom access control policies, you can create custom rules. A custom rule allows you to define match conditions for incoming requests and specify an action, such as block or monitor, for matching requests. This gives you flexible control over the content users can access.

Rate limiting rules

Rate limiting in Edge Security Acceleration (ESA) lets you control requests that match specific features. For example, if a client IP accesses your site at a high frequency, you can use this feature to apply a slider challenge or block the IP for a specified period after a threshold is exceeded.

Managed rules

Managed rules are intelligent built-in ESA protection rules that defend against OWASP attacks and the latest origin server vulnerabilities, including SQL injection, XSS, code execution, CRLF, remote file inclusion, and WebShell. Enable protection without manual rule configuration or updates.

Scanning protection rules

Scan protection identifies scanner behavior and signatures to block large-scale scans against your website, then blocks or blacklists the attack source to reduce intrusion risk and unwanted traffic.

Whitelist rules

Whitelist rules let specific requests bypass all or selected WAF protection modules, preventing false positives from internal services or known partners.

IP access rules

IP access rules let you allow, challenge, or block traffic by source IP, ASN, or geographic location. HTTP (Layer 7) IP access rules are available to all plans. TCP/UDP (Layer 4) IP access rules require an Enterprise plan.

Bot management

ESA provides two modes, Smart Mode and Professional Mode, for different protection needs.

DDoS

ESA monitors traffic in real time to identify attack patterns like SYN floods, ACK floods, and CC attacks. When it detects unusual traffic, ESA promptly blocks malicious requests while allowing legitimate traffic to pass, ensuring business continuity.

API security

Rapid business iterations often introduce core pain points such as unclear API assets, unknown attack surfaces, and decentralized security policy management. The API Security feature of Edge Security Acceleration (ESA) is designed to address these issues. It helps you build a unified API security barrier at the edge layer. This feature provides automatic discovery, continuous monitoring, and security protection for your business APIs by analyzing access requests that flow through points of presence (POPs) and using machine learning models.

Origin protection

Add the list of ESA node IP addresses to the firewall rules of your origin server. This protects your origin server by allowing only requests or traffic from the IP addresses in the allowlist to access it.

Other security settings

On the security settings page, you can define how ESA identifies client IP addresses, adjust the global security level for threat challenges, and configure the request body detection limit for security rule matching.

Intelligent rate limiting levels

  • Loose: Use when false positives occur. You can enable loose mode or disable intelligent rate limiting entirely. Initial limit: 4,000 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.

  • Medium: Recommended for daily operations. Initial limit: 200 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.

  • Strict: Recommended during active abuse or malicious traffic. Initial limit: 40 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.

Actions

  • Block: Blocks matching requests and returns a block page to the client.

    Note

    Customize block pages through Configure custom pages.

  • Monitor: Allows matching requests to pass but logs the event. Use monitor mode to test new rules and check WAF logs for false positives. After confirming no false positives, change the action to Block.

    Note

    You must enable Log Service to use the log query feature.

  • JavaScript Challenge: ESA returns a JavaScript snippet to the client. If the browser executes the script successfully,ESA allows all subsequent requests from that client for a default period of 30 minutes without another challenge. Otherwise, the request is blocked.

  • Slider CAPTCHA: ESA returns a slider CAPTCHA page. If the client solves the CAPTCHA, ESA allows all subsequent requests from that client for a default period of 30 minutes. Otherwise, the request is blocked.

    Note
    • Requests that pass the Slider CAPTCHA are billed; blocked requests are not.

    • JavaScript Challenge and Slider CAPTCHA for WAF custom rules and rate limiting rules apply only to static pages. For asynchronous APIs (XMLHttpRequest and Fetch), enable these challenges in Bots. When a matching request passes the challenge, ESA adds a Cookie acw_sc__v2 or acw_sc__v3 to the HTTP header to mark the client as verified.

  • Strict Slider CAPTCHA: In strict CAPTCHA mode, each client request must pass verification (unlike the Slider CAPTCHA which allows a 30-minute pass-through for previously verified clients). Enable with caution. Strict Slider CAPTCHA is available only for Enterprise plans upon request.

Availability by plan

The tables below show plan support for intelligent protection, bots, DDoS, and origin protection. WAF availability is detailed in WAF plan details.

Intelligent protection

Category

Feature

Free (CNY 0/month)

Basic (CNY 9.9/month)

Standard (CNY 375/month)

Advanced (CNY 3600/month)

Enterprise (Contact sales for custom pricing)

smart protection

Enable smart rate limiting

Supported

Supported

Supported

Supported

Supported

one-click abuse prevention

Supported

Supported

Supported

Supported

Supported

WAF

Feature category

Feature

Free (CNY 0/month)

Basic (CNY 9.9/month)

Standard (CNY 375/month)

Advanced (CNY 3,600/month)

Enterprise (Contact sales for pricing)

WAF

Custom rules

5

10

50

100

100

Rate limiting rules

1

1

3

5

10

Rate limiting: Counting periods

10 seconds

  • 10 seconds

  • 15 minutes

  • 10 seconds

  • 1 minute

  • 15 minutes

  • 10 seconds

  • 1 minute

  • 2 minutes

  • 5 minutes

  • 10 minutes

  • 15 minutes

  • 5 seconds

  • 10 seconds

  • 1 minute

  • 2 minutes

  • 5 minutes

  • 10 minutes

  • 15 minutes

  • 1 hour

Rate limiting: Action durations

10 seconds

  • 10 seconds

  • 1 hour

  • 10 seconds

  • 1 minute

  • 10 minutes

  • 1 hour

  • 10 seconds

  • 1 minute

  • 2 minutes

  • 5 minutes

  • 10 minutes

  • 1 hour

  • 10 seconds

  • 1 minute

  • 2 minutes

  • 5 minutes

  • 10 minutes

  • 1 hour

  • 1 day

Rate limiting: Characteristics

client IP

  • hostname

  • client IP

  • hostname

  • client IP

  • header

  • URI query string

  • cookie value

  • hostname

  • client IP

  • header

  • URI query string

  • cookie value

  • URI

  • URI path

  • ASN number

  • hostname

  • client IP

  • header

  • URI query string

  • cookie value

  • URI

  • URI path

  • ASN number

  • Specific URI query parameter

  • HTTP version

  • User Agent

  • X-Forwarded-For

  • MIME type

Rate limiting on cached requests

Not supported

Not supported

Supported

Supported

Supported

IP access rules

50

200

300

400

400

Allowlist rules

1

2

3

5

10

Managed rules

Supports basic rules

Supports basic rules

Supports all rules

Supports all rules

Supports all rules

Scanning protection rules

Not supported

Not supported

5

10

20

JavaScript challenge

Not supported

Supported

Supported

Supported

Supported

Slider CAPTCHA

Not supported

Not supported

Supported

Supported

Supported

Strict CAPTCHA

Not supported

Not supported

Not supported

Not supported

Supported

Scenario-specific policies

An account-level quota applies, with a default limit of 10 rules.

Custom pages

Custom rule groups

IP CIDR blocks/groups

DDoS alerting

Not supported

Not supported

Not supported

Not supported

Supported

Layer 4 proxy (including Layer 4 DDoS protection)

Not supported

Not supported

Not supported

Not supported

Supported

DDoS

Feature category

Detailed feature

Free (CNY 0/month)

Basic (CNY 9.9/month)

Standard (CNY 375/month)

Advanced (CNY 3600/month)

Enterprise (contact sales for custom pricing)

DDoS

basic DDoS protection

Supported

Supported

Supported

Supported

Supported

unlimited protection

Not supported

Not supported

Not supported

Not supported

Contact sales for customization

HTTP DDoS attack protection

Not supported

Not supported

Not supported

Not supported

Supported

deep learning and protection

Not supported

Not supported

Not supported

Not supported

Supported

scenario-based policies

Not supported

Not supported

Not supported

Not supported

Supported

Bots

Feature category

Feature

Free (CNY 0/month)

Basic (CNY 9.9/month)

Standard (CNY 375/month)

Advanced (CNY 3600/month)

Enterprise (contact sales for custom pricing)

basic bot management

Definite Bots

Supported (actions limited to observation and allow)

Supported (actions limited to observation and allow)

Supported (actions limited to observation and allow)

Supported

Supported

Likely Bots

Supported (actions limited to observation and allow)

Supported (actions limited to observation and allow)

Supported (actions limited to observation and allow)

Supported

Supported

Verified Bots

Not supported

Not supported

Supported

Supported

Supported

Static Resource Protection

Not supported

Not supported

Not supported

Not supported

Supported

JavaScript Detection

Not supported

Not supported

Not supported

Not supported

Supported

Advanced Bot Management

Number of bot management rulesets

Not supported

Not supported

Not supported

Not supported

10

Origin protection

Feature category

Detailed feature

Free (CNY 0/month)

Basic (CNY 9.9/month)

Standard (CNY 375/month)

Advanced (CNY 3600/month)

Enterprise (Contact sales for custom pricing)

Origin protection

Not supported

Supported

Supported

Supported

Supported