Detect requests that contain submitted passwords and use a service to determine whether the password has leaked before allowing the request to proceed to origin (data from haveibeenpwned).
Solution recipes for finance
Our recipe library is an always-evolving set of code samples to do just about anything on the Fastly edge cloud. Have a browse or search for a keyword to find the perfect, ready-made solution you can paste into your service or adapt and customize for your own needs. Using Fastly Fiddle, play with any recipe and take advantage of the Fastly edge cloud, all without registering or affecting any existing account.
Set TTLs at the edge based on the type of resource. Better done at origin, but this can be a great 'quick fix' or a solution if you don't control the origin.
Send requests to different origin servers based on the URL path.
If origin responds with 500 internal server error, modify status to 503 and serve a 'safe' error message.
Browsers send OPTIONS requests before performing cross-origin POSTs. You can answer these requests directly from the edge.
Load balance requests randomly across multiple backends, dropping them automatically if they become unhealthy.
Emit logging data to your chosen log endpoint from any VCL stage, not just vcl_log.
Make URLs expire after a configurable period.
Go from an F to an A grade on securityheaders.io by adding security policy headers to your responses at the edge.
Fastly can easily read and write HTTP headers at multiple stages of the request/response cycle.
Quickly fetch the user's public IP from an API endpoint on your own domain, with no origin.
Read individual cookies, set new cookies in response.
By default, Fastly does not cache responses to POST requests. But you can enable this if you wish.
Block a list of IP address ranges from accessing your service.
Access the body of a POST request in Base64-encoded form.
PCI-compliant caching requires caching only in volatile storage, which you can enable with beresp.pci in VCL.
Send a copy of your traffic to a test origin before returning a response from production.
Ensure resources are not cached on the front end, while allowing caching within Fastly.
Remove headers added by backends that you don't want to emit to the browser, like amz- or goog- headers.
Redirect any requests that come in on insecure HTTP to the equivalent TLS endpoint.
Protect clients from redirects by chasing them internally at the edge, and then return the eventual non-redirect response.
If a backend returns a 429, cache it for the requesting IP but continue to allow other clients to use origin.
Return different objects based on the presence of a cookie.
Use the new Sec-Fetch-Dest header or URL patterns to identify assets that should not allow querystrings to be part of the cache key.
Group countries to cache content by custom regions or reject requests from some regions entirely.
The web application firewall catches a variety of different types of malicious requests including cross-site scripting (XSS), SQL injection, remote and local file inclusion (RFI, LFI), remote command execution (RCE) and session fixation.
The web application firewall has thousands of rules built in, but you can augment these with your own.
The web application firewall runs only on traffic to your origin, but you can further refine when it should be invoked.
Strip the last octet or compute a hash of client IP address for anonymization.
Convert a password sent by the client in the querystring into an Authorization header to your origin server.
Unknown data in URL paths can result in invalid URLs, but base64url is designed to be URL-safe.
Block or identify syntactically invalid requests at the edge by using a hash function of your choice.
A totally stateless solution to hold back new users for a minimum waiting period to smooth out spikes in traffic.
All code on this page is provided under both the BSD and MIT open source licenses.