Custom response codes for Fastly WAF

Blake Dournaee

Manager, Security Product Management, Fastly

Today we are introducing custom response codes. This feature enables our edge cloud network to pick up response codes from the Fastly Next-Gen WAF (powered by Signal Sciences) and take custom action at the edge without the need to create advanced rules — meaning more customized, efficient security for our customers. 

One of the most exciting things about shipping new features as a product manager is the concept of leverage. Sometimes small features done in the right way create huge value for our customers. This particular release reminds me of a famous quote from Archimedes: “Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.”

While I don’t want to be overdramatic, this feature is just so darn cool and we’re excited to be releasing it today for Professional and Premier Secure plan customers. It may not literally move the world, but it will move you toward a more sophisticated set of security layers for your most sensitive apps and APIs.

Custom responses at the edge

We have one of the most sophisticated WAFs on the market today, based on rich signal metadata that can be applied to HTTP traffic. Our next-gen WAF customers can write rules that block or rate limit requests based on extensive context about the request itself. Custom response codes work together with our edge cloud network to further improve your security posture. How? By blocking and mitigating attacks at the edge, pushing the enforcement from the application layer to the edge layer. 

Prior to custom response codes, every block simply returned HTTP 406. This meant that if you wanted to do something different upstream, you were limited. Not anymore! By adding the ability to specify a custom HTTP response code on a rule-by-rule basis, you can achieve custom enforcement at our worldwide edge network. This brings together the programmability and flexibility of the edge for both Compute@Edge and VCL applications working in coordination with the Fastly Next-Gen WAF. And did you know we have a host of great tools for enforcement at the edge such as tarpitting, ACLs, edge redirects, and edge rate limiting (with penalty boxes)? 

A few ways to use custom response codes

Here are some examples of what you can do with custom response codes:

  • Slow things down: We don’t often like to slow things down, but when we do, it’s for a good reason. Many sites with appointment pages (think doctors, zoos, museums, etc.) deal with automated traffic, and while CAPTCHAs are a great tool, they are often bypassed and can add unnecessary friction and frustration to user sessions. Custom response codes can help by using rate limiting rules to identify bots and suspicious activity. When tripped, these rules send a custom response code to the edge to change the enforcement from a block to something more sophisticated, such as a tarpit. This slows the HTTP response back to the client to a crawl, adding cost to the attacker, especially at scale (but doesn’t have an impact on the family making a legitimate Sunday appointment for the zoo).

  • Deceive attackers: A common technique for attackers looking to break into software systems is to pay special attention to the behavior of those systems when they are under attack. Stack traces and server return codes are valuable information that helps an attacker switch up techniques. With custom response codes configured for specific request rules that protect critical application paths, the Fastly edge can rewrite HTTP responses to look like errors instead of blocked requests. This approach can fool attackers into thinking back-end systems are broken or inaccessible, further obfuscating the fact that their attack was actually caught by the Next-Gen WAF. In this example, the Fastly edge might return a 404 (Server Error) to the client when the Fastly edge actually received a 406 (Block).

  • Block at the edge: When the internet brings out the worst, such as the widespread log4j vulnerability, it warrants stricter measures. Rather than block the request only at our Next-Gen WAF, a custom response code can inform the edge to add the offending IP to an ACL immediately or put the offending IP in the penalty box. The objective here is to keep the attacker as far away from the internal systems as possible with multiple layers of defense.

Get started today

The three examples above are designed to get ideas flowing and get the conversation started. There are many more ways to use custom response codes, and the only limit is your imagination. Fastly Next-Gen WAF Professional and Premier customers can use this new feature today. Here’s how to set a custom response code within the Fastly Next-Gen WAF: 

  1. From the Site Rules/Add menu, navigate to the Actions section and select Block.

  2. Beneath the Action type, click Change response. The Response code (optional) field appears.

  3. In the Response code (optional) field, enter the custom response code to return when the rule blocks a request. You can use any code between 400 and 499.

  4. Click Create site rule or Update site rule at the bottom of the rule editor.
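
The following is an added example, not code from Fastly or from this post: a plain JavaScript model of an edge handler that reacts to the custom code a WAF rule returns, covering the three uses above and the 400 to 499 constraint from step 3. The codes 470 to 472, the policy table, the 429 penalty-box status and all function names are assumptions, and no Fastly API is used.

```javascript
// Model of edge dispatch on WAF block codes. Not Fastly's API: the policy
// table, the codes 470-472 and all function names are assumptions.
const DEFAULT_BLOCK = 406;  // what every block returned before custom codes
const EDGE_REJECT = 429;    // assumed status for clients held in the penalty box

// Hypothetical mapping: custom code set on a WAF rule -> action at the edge.
const EDGE_POLICY = new Map([
  [470, { action: "tarpit", delayMs: 10000 }],
  [471, { action: "mask", clientStatus: 404 }],
  [472, { action: "penalty", ttlMs: 15 * 60 * 1000 }],
]);

// The rule editor accepts any custom code between 400 and 499.
function isValidCustomCode(code) {
  return Number.isInteger(code) && code >= 400 && code <= 499;
}

function createEdge(policy = EDGE_POLICY) {
  for (const code of policy.keys()) {
    if (!isValidCustomCode(code)) throw new RangeError(`code ${code} outside 400-499`);
  }
  const penaltyBox = new Map(); // client IP -> expiry time (ms)

  // inspect() stands in for the WAF-protected backend and returns its status.
  return function handle(clientIp, inspect, nowMs) {
    const expiry = penaltyBox.get(clientIp);
    if (expiry !== undefined && nowMs < expiry) {
      return { status: EDGE_REJECT, delayMs: 0, reachedWaf: false };
    }
    penaltyBox.delete(clientIp); // drop an expired entry, if any
    const wafStatus = inspect();
    const rule = policy.get(wafStatus);
    if (!rule) return { status: wafStatus, delayMs: 0, reachedWaf: true };
    switch (rule.action) {
      case "tarpit":  // same block, but the client is made to wait for it
        return { status: DEFAULT_BLOCK, delayMs: rule.delayMs, reachedWaf: true };
      case "mask":    // the client sees an ordinary error, not a WAF block
        return { status: rule.clientStatus, delayMs: 0, reachedWaf: true };
      case "penalty": // later requests from this IP stop at the edge
        penaltyBox.set(clientIp, nowMs + rule.ttlMs);
        return { status: DEFAULT_BLOCK, delayMs: 0, reachedWaf: true };
      default:
        throw new Error(`unknown action ${rule.action}`);
    }
  };
}
```

Because the policy is keyed on the code alone, each rule's custom code should be reserved for WAF blocks so that an ordinary application response with the same status does not trigger an edge action.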

Not yet a Fastly Next-Gen WAF customer? Learn more.