
Edge Security Acceleration: Configure managed transforms

Last Updated: Sep 26, 2024

You can use the managed transforms feature of Edge Security Acceleration (ESA) to apply common adjustments to HTTP request and response headers.

Feature availability

| Plan | Basic | Standard | Advanced | Enterprise |
| --- | --- | --- | --- | --- |
| Add "ali-real-client-ip" Header | No | No | No | Yes |
| Add Visitor Location Headers | Yes | Yes | Yes | Yes |
| Add Security Request Headers | Yes | Yes | Yes | Yes |
| Add Security Response Headers | Yes | Yes | Yes | Yes |

HTTP request headers

Add the "ali-real-client-ip" header

If you turn on the Add "ali-real-client-ip" Header switch, ESA includes the custom header ali-real-client-ip in origin requests to specify the real client IP addresses.

Add visitor location headers

If you turn on the Add Visitor Location Headers switch, ESA includes the custom header ali-ip-country in origin requests. This header specifies the geographical location of the client.

The value of the header must be a two-letter alpha-2 country or region code that follows the ISO 3166-1 standard. For example, if the value of the ali-ip-country header is cn, the client is located in the Chinese mainland.
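An added example (not part of the ESA documentation): an origin-side check that uses ali-real-client-ip and ali-ip-country only when the connection comes from the edge, because a request sent directly to the origin can carry any value in these headers. The function name, the placeholder networks, and the assumption that the header carries a single address are illustrative.

```python
import ipaddress
import re

# Assumption: placeholder ranges (RFC 5737 documentation blocks) standing in
# for the ESA back-to-origin addresses; replace with the real list.
TRUSTED_EDGE_NETS = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")
]

# Two ASCII letters, matching the alpha-2 format the page describes.
COUNTRY_RE = re.compile(r"[A-Za-z]{2}")


def client_context(peer_ip, headers):
    """Return (client_ip, country, source) for one origin request.

    peer_ip -- address of the TCP peer that connected to the origin
    headers -- request headers as a dict (any key casing)
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)

    # The headers are only meaningful when the edge set them. Anything that
    # reaches the origin from another address is treated as untrusted input.
    if not any(peer in net for net in TRUSTED_EDGE_NETS):
        return str(peer), None, "peer"

    try:
        # Assumption: the header carries exactly one IPv4 or IPv6 address.
        client = str(ipaddress.ip_address(hdrs.get("ali-real-client-ip", "")))
        source = "ali-real-client-ip"
    except ValueError:
        # Header absent (switch off or plan without it) or malformed.
        client, source = str(peer), "peer"

    raw_cc = hdrs.get("ali-ip-country", "")
    country = raw_cc.lower() if COUNTRY_RE.fullmatch(raw_cc) else None
    return client, country, source
```

Log the returned source field alongside the address so that requests which fell back to the peer address are visible during review.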

Add security request headers

If you turn on the Add Security Request Headers switch, ESA adds bot-related HTTP headers to origin requests. The headers can specify whether a request comes from a verified bot and may contain a JA3 fingerprint or TLS fingerprint.

Note

A TLS fingerprint is a unique identifier that is generated by capturing the parameters and behavior of a client during a TLS/SSL connection. It can be used to identify clients.

HTTP response headers

Add security response headers

If you turn on the Add Security Response Headers switch, ESA adds the following security HTTP response headers for cross-site scripting (XSS) protection when responding to clients:

  • x-content-type-options: nosniff

  • x-xss-protection: 1; mode=block

  • x-frame-options: SAMEORIGIN

  • referrer-policy: same-origin

  • expect-ct: max-age=86400, enforce

Configure a managed transform rule

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation tree, choose Rules > Transform Rules.

  5. Click the Managed Transforms tab.

  6. Turn on Add "ali-real-client-ip" Header, Add Visitor Location Headers, Add Security Request Headers, and Add Security Response Headers as needed.