Edge Security Acceleration (ESA) inspects and filters traffic at PoPs through edge WAF, bot management, DDoS protection, and origin protection—blocking malicious attacks before they reach your origin server, protecting your data center, and improving access speed and user experience.
Features
Feature | Description | |
Security analytics shows WAF and bot management data, including blocked, observed, and other request metrics. Use this data to fine-tune your protection rules. | ||
Event analysis aggregates and analyzes security event data, helping you identify threats, assess risks, and respond accordingly. | ||
Intelligent protection | Smart Rate Limiting enhances Rate Limiting Rules with the ESA AI engine. Instead of manually analyzing traffic and defining rules, you select a protection level. The system trains a baseline from your site's past seven days of traffic and updates it daily. | |
The ESA abuse prevention feature combines global monitoring of anomalous traffic with an open-source IP reputation database updated daily. This feature effectively mitigates traffic abuse from sources like Peer-to-Peer CDN (PCDN) platforms and automated scripts, helping you avoid substantial financial losses. | ||
If your website requires custom access control policies, you can create custom rules. A custom rule allows you to define match conditions for incoming requests and specify an action, such as block or monitor, for matching requests. This gives you flexible control over the content users can access. | ||
Rate limiting in Edge Security Acceleration (ESA) lets you control requests that match specific features. For example, if a client IP accesses your site at a high frequency, you can use this feature to apply a slider challenge or block the IP for a specified period after a threshold is exceeded. | ||
Managed rules are intelligent built-in ESA protection rules that defend against OWASP attacks and the latest origin server vulnerabilities, including SQL injection, XSS, code execution, CRLF, remote file inclusion, and WebShell. Enable protection without manual rule configuration or updates. | ||
Scan protection identifies scanner behavior and signatures to block large-scale scans against your website, then blocks or blacklists the attack source to reduce intrusion risk and unwanted traffic. | ||
Whitelist rules let specific requests bypass all or selected WAF protection modules, preventing false positives from internal services or known partners. | ||
IP access rules let you allow, challenge, or block traffic by source IP, ASN, or geographic location. HTTP (Layer 7) IP access rules are available to all plans. TCP/UDP (Layer 4) IP access rules require an Enterprise plan. | ||
ESA provides two modes, Smart Mode and Professional Mode, for different protection needs. | ||
ESA monitors traffic in real time to identify attack patterns like SYN floods, ACK floods, and CC attacks. When it detects unusual traffic, ESA promptly blocks malicious requests while allowing legitimate traffic to pass, ensuring business continuity. | ||
Rapid business iterations often introduce core pain points such as unclear API assets, unknown attack surfaces, and decentralized security policy management. The API Security feature of Edge Security Acceleration (ESA) is designed to address these issues. It helps you build a unified API security barrier at the edge layer. This feature provides automatic discovery, continuous monitoring, and security protection for your business APIs by analyzing access requests that flow through points of presence (POPs) and using machine learning models. | ||
Add the list of ESA node IP addresses to the firewall rules of your origin server. This protects your origin server by allowing only requests or traffic from the IP addresses in the allowlist to access it. | ||
On the security settings page, you can define how ESA identifies client IP addresses, adjust the global security level for threat challenges, and configure the request body detection limit for security rule matching. | ||
Intelligent rate limiting levels
Loose: Use when false positives occur. You can enable loose mode or disable intelligent rate limiting entirely. Initial limit: 4,000 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.
Medium: Recommended for daily operations. Initial limit: 200 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.
Strict: Recommended during active abuse or malicious traffic. Initial limit: 40 requests per 10 seconds per IP. Auto-adjusts every 24 hours based on historical data.
Actions
Block: Blocks matching requests and returns a block page to the client.
NoteCustomize block pages through Configure custom pages.
Monitor: Allows matching requests to pass but logs the event. Use monitor mode to test new rules and check WAF logs for false positives. After confirming no false positives, change the action to Block.
NoteYou must enable Log Service to use the log query feature.
JavaScript Challenge: ESA returns a JavaScript snippet to the client. If the browser executes the script successfully,ESA allows all subsequent requests from that client for a default period of 30 minutes without another challenge. Otherwise, the request is blocked.
Slider CAPTCHA: ESA returns a slider CAPTCHA page. If the client solves the CAPTCHA, ESA allows all subsequent requests from that client for a default period of 30 minutes. Otherwise, the request is blocked.
NoteRequests that pass the Slider CAPTCHA are billed; blocked requests are not.
JavaScript Challenge and Slider CAPTCHA for WAF custom rules and rate limiting rules apply only to static pages. For asynchronous APIs (
XMLHttpRequestandFetch), enable these challenges in Bots. When a matching request passes the challenge, ESA adds aCookie acw_sc__v2oracw_sc__v3to the HTTP header to mark the client as verified.
Strict Slider CAPTCHA: In strict CAPTCHA mode, each client request must pass verification (unlike the Slider CAPTCHA which allows a 30-minute pass-through for previously verified clients). Enable with caution. Strict Slider CAPTCHA is available only for Enterprise plans upon request.
Availability by plan
The tables below show plan support for intelligent protection, bots, DDoS, and origin protection. WAF availability is detailed in WAF plan details.
Intelligent protection
Category | Feature | Free (CNY 0/month) | Basic (CNY 9.9/month) | Standard (CNY 375/month) | Advanced (CNY 3600/month) | Enterprise (Contact sales for custom pricing) |
smart protection | ||||||
WAF
Feature category | Feature | Free (CNY 0/month) | Basic (CNY 9.9/month) | Standard (CNY 375/month) | Advanced (CNY 3,600/month) | Enterprise (Contact sales for pricing) |
5 | 10 | 50 | 100 | 100 | ||
1 | 1 | 3 | 5 | 10 | ||
Rate limiting: Counting periods | 10 seconds |
|
|
|
| |
Rate limiting: Action durations | 10 seconds |
|
|
|
| |
Rate limiting: Characteristics | client IP |
|
|
|
| |
Rate limiting on cached requests | ||||||
50 | 200 | 300 | 400 | 400 | ||
1 | 2 | 3 | 5 | 10 | ||
Supports basic rules | Supports basic rules | Supports all rules | Supports all rules | Supports all rules | ||
5 | 10 | 20 | ||||
Strict CAPTCHA | ||||||
An account-level quota applies, with a default limit of 10 rules. | ||||||
DDoS alerting | ||||||
Layer 4 proxy (including Layer 4 DDoS protection) | ||||||
DDoS
Feature category | Detailed feature | Free (CNY 0/month) | Basic (CNY 9.9/month) | Standard (CNY 375/month) | Advanced (CNY 3600/month) | Enterprise (contact sales for custom pricing) |
basic DDoS protection | ||||||
unlimited protection | Contact sales for customization | |||||
HTTP DDoS attack protection | ||||||
deep learning and protection | ||||||
scenario-based policies |
Bots
Feature category | Feature | Free (CNY 0/month) | Basic (CNY 9.9/month) | Standard (CNY 375/month) | Advanced (CNY 3600/month) | Enterprise (contact sales for custom pricing) |
Definite Bots | (actions limited to observation and allow) | (actions limited to observation and allow) | (actions limited to observation and allow) | |||
Likely Bots | (actions limited to observation and allow) | (actions limited to observation and allow) | (actions limited to observation and allow) | |||
Verified Bots | ||||||
Static Resource Protection | ||||||
JavaScript Detection | ||||||
Number of bot management rulesets | 10 |
Origin protection
Feature category | Detailed feature | Free (CNY 0/month) | Basic (CNY 9.9/month) | Standard (CNY 375/month) | Advanced (CNY 3600/month) | Enterprise (Contact sales for custom pricing) |