- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Billing Overview
- Basic Service Fees
- Value-added Service Fees
- Related Tencent Cloud Services
- Extra Package Description (Prepaid)
- Subscriptions
- Renewals
- Overdue and Expiration Policies
- Refund Policy
- Usage Cap Policy
- EdgeOne Plan Upgrade Guide
- Comparison of EdgeOne Plans
- About "clean traffic" billing instructions
- Getting Started
- Domain Service
- Site Acceleration
- Origin Configuration
- Edge Functions
- Overview
- Getting Started
- Operation Guide
- Runtime APIs
- Sample Functions
- Returning an HTML Page
- Returning a JSON Object
- Fetch Remote Resources
- Authenticating a Request Header
- Modifying a Response Header
- Performing an A/B Test
- Setting Cookies
- Performing Redirect Based on the Request Location
- Using the Cache API
- Caching POST Requests
- Responding in Streaming Mode
- Merging Resources and Responding in Streaming Mode
- Protecting Data from Tampering
- Rewriting a m3u8 File and Configuring Authentication
- Adaptive Image Resize
- Image Adaptive WebP
- Custom Referer Anti-leeching
- Remote Authentication
- HMAC Digital Signature
- Naming a Downloaded File
- Obtaining Client IP Address
- Best Practices
- Security Protection
- Overview
- DDoS Protection
- DDoS Protection Overview
- Exclusive DDoS Protection Usage
- Configuration of Exclusive DDoS protection Rules
- Web Protection
- Bot Management
- Rules Template
- IP and IP Segment Grouping
- Origin Protection
- Alarm Notification
- Rule Engine
- L4 Proxy
- Data Analysis&Log Service
- Tool Guide
- Best Practices
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Site APIs
- Acceleration Domain Management APIs
- Site Acceleration Configuration APIs
- Alias Domain APIs
- Security Configuration APIs
- Layer 4 Application Proxy APIs
- CreateL4Proxy
- ModifyL4Proxy
- ModifyL4ProxyStatus
- DescribeL4Proxy
- DeleteL4Proxy
- CreateL4ProxyRules
- ModifyL4ProxyRules
- ModifyL4ProxyRulesStatus
- DescribeL4ProxyRules
- DeleteL4ProxyRules
- CreateApplicationProxy
- ModifyApplicationProxy
- ModifyApplicationProxyStatus
- DescribeApplicationProxies
- DeleteApplicationProxy
- CreateApplicationProxyRule
- ModifyApplicationProxyRule
- ModifyApplicationProxyRuleStatus
- DeleteApplicationProxyRule
- Content Management APIs
- Data Analysis APIs
- Log Service APIs
- Billing APIs
- Certificate APIs
- Load Balancing APIs
- Diagnostic Tool APIs
- Version Management APIs
- Data Types
- Error Codes
- FAQs
- Agreements
- TEO Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Billing Overview
- Basic Service Fees
- Value-added Service Fees
- Related Tencent Cloud Services
- Extra Package Description (Prepaid)
- Subscriptions
- Renewals
- Overdue and Expiration Policies
- Refund Policy
- Usage Cap Policy
- EdgeOne Plan Upgrade Guide
- Comparison of EdgeOne Plans
- About "clean traffic" billing instructions
- Getting Started
- Domain Service
- Site Acceleration
- Origin Configuration
- Edge Functions
- Overview
- Getting Started
- Operation Guide
- Runtime APIs
- Sample Functions
- Returning an HTML Page
- Returning a JSON Object
- Fetch Remote Resources
- Authenticating a Request Header
- Modifying a Response Header
- Performing an A/B Test
- Setting Cookies
- Performing Redirect Based on the Request Location
- Using the Cache API
- Caching POST Requests
- Responding in Streaming Mode
- Merging Resources and Responding in Streaming Mode
- Protecting Data from Tampering
- Rewriting a m3u8 File and Configuring Authentication
- Adaptive Image Resize
- Image Adaptive WebP
- Custom Referer Anti-leeching
- Remote Authentication
- HMAC Digital Signature
- Naming a Downloaded File
- Obtaining Client IP Address
- Best Practices
- Security Protection
- Overview
- DDoS Protection
- DDoS Protection Overview
- Exclusive DDoS Protection Usage
- Configuration of Exclusive DDoS protection Rules
- Web Protection
- Bot Management
- Rules Template
- IP and IP Segment Grouping
- Origin Protection
- Alarm Notification
- Rule Engine
- L4 Proxy
- Data Analysis&Log Service
- Tool Guide
- Best Practices
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Site APIs
- Acceleration Domain Management APIs
- Site Acceleration Configuration APIs
- Alias Domain APIs
- Security Configuration APIs
- Layer 4 Application Proxy APIs
- CreateL4Proxy
- ModifyL4Proxy
- ModifyL4ProxyStatus
- DescribeL4Proxy
- DeleteL4Proxy
- CreateL4ProxyRules
- ModifyL4ProxyRules
- ModifyL4ProxyRulesStatus
- DescribeL4ProxyRules
- DeleteL4ProxyRules
- CreateApplicationProxy
- ModifyApplicationProxy
- ModifyApplicationProxyStatus
- DescribeApplicationProxies
- DeleteApplicationProxy
- CreateApplicationProxyRule
- ModifyApplicationProxyRule
- ModifyApplicationProxyRuleStatus
- DeleteApplicationProxyRule
- Content Management APIs
- Data Analysis APIs
- Log Service APIs
- Billing APIs
- Certificate APIs
- Load Balancing APIs
- Diagnostic Tool APIs
- Version Management APIs
- Data Types
- Error Codes
- FAQs
- Agreements
- TEO Policy
- Contact Us
- Glossary
Security protection provides secure policy configuration and security event alert options for applications integrating with EdgeOne. This helps you verify traffic and requests at the edge, preventing external attacks and security risks from impacting your business and sensitive data.
After integrating with EdgeOne's security acceleration service and subscribing to relevant security protection services, you can configure the following security policies:
Note:
DDoS protection is designed for network-layer defense against DDoS attacks and is suitable for L4 proxy applications (TCP/UDP applications). Configuration for DDoS protection is only available for users with Exclusive DDoS Protection Usage enabled.
If you need to configure Referer blocklist/allowlist, User-Agent (UA) blocklist/allowlist, IP blocklist/allowlist, or region blocking through Web protection, please navigate to Web Protection > Custom Rules >Basic Access Control. For more details, see Web Protection - Custom Rules.
The available rule configurations and execution methods may vary based on the EdgeOne plan you have subscribed to. See Comparison of EdgeOne Plans for package specifications.
Category | Function | Application Scenario | Default Configuration |
| | Automatic protection cleansing for DDoS attacks targeting L4 services (TCP/UDP applications). For example: Daily Protection: Utilize the Moderate protection level to discard traffic exhibiting clear DDoS attack characteristics. Emergency recovery during attack bypass: Implement the Strict protection level to discard all traffic suspected of DDoS attacks. | Protection Level: Moderate |
| | Discard or permit traffic from specified IP addresses. For example: Internal Call Permit: Permit the internal service IP 11.11.11.11, allowing high-frequency access between services. | None |
| | Block client access from specified regions. For example: Ban access from overseas: Discard traffic with source IPs located outside mainland China. | None |
| | Discard or allow traffic based on specified source/destination ports. For example: Discard high-risk reflection port: Drop traffic with source port matching UDP 53, prohibiting access to private UDP protocol applications. | None |
| | Discard traffic containing specified data or parameters. For example: Discard unusually long UDP packets: Discard UDP traffic with a length exceeding 500. | None |
| | Discard traffic of specified IP protocols. For example: Block external PING commands: Configure blocking of ICMP protocol traffic. | None |
| | Intercept abnormal TCP behaviors such as high-frequency connections and abnormal connections. | None |
| | Mitigate HTTP/HTTPS DDoS attacks, including high-frequency access and slow request attacks. | High-Frequency Access Request Limit Limit Level: Adaptive Loose - Disposal Method: JavaScript Challenge Slow Attack Protection Disabled Intelligent Client Filtering Disposal Method: JavaScript Challenge |
| | Intercept vulnerabilities targeting web applications (SQL injection, cross-site scripting, remote code execution, etc.). For example: Intercept Apache log4j vulnerabilities: Enable rules related to log4j vulnerabilities in open-source components for interception. | All rules are enabled for observation mode. |
| | Handle requests based on header content and IP. For example: Hotlink Protection: Intercept requests based on Referer header matching. Regional Blocking: Intercept requests from clients with IP matching specified regions. IP Blocklist: Intercept based on specified IP or IP groups. | None |
| | Intercept clients accessing beyond preset access rates. For example: Intercept clients causing a large number of errors in a short time at the origin: Set the rate allowed for each IP causing origin errors and intercept IP access beyond the threshold. Intercept account ID with excessively high access frequency to a specific API: Set the frequency allowed for each account (specified account ID position) to access a specific API, intercepting account access beyond the threshold. Intercept clients with excessively high access frequency fingerprints (JA3 fingerprints): Set the access rate for each JA3 fingerprint (i.e., TLS fingerprint) and intercept access with the same fingerprint beyond the threshold. | None |
| | Skip protection rules in web protection by module. For example: Allow internal services: Set the internal service IP list and specified API paths to allow clients on the list unrestricted access to that path. | None |
| | Skip specified managed rules. For example: Allow user content uploads: Configure business paths and false-positive rules to allow requests when parameters contain user-written content. | None |
| | Intercept bot requests based on risk levels. (Suitable for quickly enabling bot management strategies and establishing bot access profiles). For example: Intercept misuse of CDN resources (scraping): Intercept malicious bot requests. | None |
| | Handle crawlers for search engines, open-source development tools, and commercial purposes. For example: Allow Google search engine crawlers: Use search engine feature rule libraries to configure allowing Google search engine crawlers. Intercept cURL tool access: Use UA feature libraries to intercept access from web development tools. | None |
| | Handle requests from clients with a history of malicious behavior or high-risk characteristics based on IP threat intelligence. For example: Intercept VPN/proxy requests: Intercept clients identified as malicious proxies, fast-dial IPs, or proxy IP pools. | None |
| | Intercept requests with abnormal browser runtime environments and access behavior. For example: Cookie Challenge: Enable cookie verification to intercept clients not supporting cookies. Intercept automated tool access: Enable client behavior verification to identify JavaScript runtime environment anomalies and abnormal access behavior in automated tools. | None |
| | Counteract bot tools based on the features, headers, and client IP of requests. The feature provides more disposal options for bot counteraction. For example: Counteract high-risk bots accessing sensitive business: Match based on access paths and client profiles, configure observation, silent, and response after waiting with certain weights. | None |
| | Skip various protection rules of bot management. For example: Allow internal crawl tools: Allow crawlers from internal service IPs to access specified APIs. | None |
Yes
No
Was this page helpful?