Firewall Security Shortcuts – Protect Your Web Applications Instantly

Security Shortcuts provide a fast and effective way to apply common firewall protections. Each shortcut represents a predefined rule template for common use cases, such as blocking abusive IPs or enforcing request methods on APIs. Users can customise each rule before applying it.


Click on any shortcut name below to view details, including its condition, action, and recommended use case.

Use Cases

  • Quickly block scraping bots or automated login attempts.
  • Enforce secure behaviour for APIs and login forms.
  • Exclude internal services from security mechanisms like rate limiting.
  • Prevent access to backup, config, or sensitive files.
  • Protect WordPress admin paths and restrict admin access.

Available Shortcuts

IP Blocking

Condition: IP Source Address is in a specific IP set

Action: Block (Returns 403 error)

Use Case: Prevent access from specific IP addresses or networks.

Geo Blocking

Condition: Request Origin Country is in the selected list

Action: Block (Returns 403 error)

Use Case: Block traffic from high-risk or unsupported regions.

Login Path Protection

Condition: URL Path starts with /login or /admin

Action: JavaScript Challenge

Use Case: Prevent brute-force or automated login attempts.

Anti Scraping

Condition: User-Agent matches scraping tools or is empty

Action: JavaScript Challenge

Use Case: Mitigate content scraping by automated bots.

Form Submission Protection

Condition: URL Path contains /form AND Method is not POST

Action: Block (Returns 403 error)

Use Case: Prevent misuse of form endpoints by enforcing proper HTTP methods.

Hostname Filtering

Condition: Host header is not equal to the configured domain name

Action: Block (Returns 403 error)

Use Case: Reject traffic not explicitly targeting your domain.

Hotlink Protection

Condition: Referer is not empty AND not from your domain

Action: Block (Returns 403 error)

Use Case: Block websites that embed your images or videos without permission.

Exclude from WAF

Condition: URL Path starts with /example-path

Action: Bypass WAF inspection

Use Case: Allow third-party services to communicate without WAF interference.

Block WP-Admin Access

Condition: URL Path starts with /wp-admin AND IP not in allowlist

Action: Block (Returns 403 error)

Use Case: Restrict WordPress admin area to trusted IPs only.

Cookie Challenge for Abused IPs

Condition: IP address in threat intelligence list

Action: Cookie Challenge

Use Case: Slow down or deter malicious IPs with JavaScript verification.

CAPTCHA Challenge for Abused IPs

Condition: IP address in high-risk list or flagged by anomaly scoring

Action: CAPTCHA Challenge

Use Case: Present CAPTCHA to users from IPs with confirmed abuse.

Block Sensitive File Types

Condition: URL Path ends with .sql, .log, .env, .bak, etc.

Action: Block (Returns 403 error)

Use Case: Prevent accidental exposure of sensitive files.

API POST Enforcement

Condition: URL contains /api AND Method is not POST

Action: Block (Returns 403 error)

Use Case: Protect APIs from improper access methods like GET or PUT.

Bypass Rate Limit for Internal APIs

Condition: URL contains /health or /status

Action: Bypass Rate Limit

Use Case: Allow internal systems to call APIs without hitting rate limits.

Best Practices & Considerations

  • Use shortcuts for rapid deployment: These rules are designed to cover the most common attack vectors without the need to create complex expressions.
  • Adjust based on traffic behaviour: Monitor your traffic patterns and selectively disable or bypass shortcuts that cause false positives.
  • Stack with custom rules: You can still create advanced firewall expressions that run in combination with shortcuts.
  • Order of evaluation: Shortcuts are evaluated with high priority. Be mindful if they overlap with custom rules.
  • Always test changes: Before deploying to production, test shortcut impacts in staging environments.
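
To act on the false-positive and testing advice above, this added example (not VergeCloud code) replays constructed request lines through a local approximation of five shortcut conditions as worded on this page and lists the requests each action would touch. The matching semantics (case-sensitive, path only, query string ignored), the log format and the names `parse` and `audit` are assumptions.

```python
# Added example: local model of five shortcut conditions as worded on this page.
# Assumptions: case-sensitive matching on the path only (query string ignored);
# the log format and every sample line are constructed for illustration.
SENSITIVE_EXT = (".sql", ".log", ".env", ".bak")  # the page's list continues with "etc."

SHORTCUTS = [
    ("Login Path Protection", "JavaScript Challenge",
     lambda r: r["path"].startswith(("/login", "/admin"))),
    ("Form Submission Protection", "Block",
     lambda r: "/form" in r["path"] and r["method"] != "POST"),
    ("Block Sensitive File Types", "Block",
     lambda r: r["path"].endswith(SENSITIVE_EXT)),
    ("API POST Enforcement", "Block",
     lambda r: "/api" in r["path"] and r["method"] != "POST"),
    ("Bypass Rate Limit for Internal APIs", "Bypass Rate Limit",
     lambda r: "/health" in r["path"] or "/status" in r["path"]),
]

# Constructed sample, one request per line: METHOD PATH ORIGIN_STATUS
SAMPLE_LOG = """\
GET /login 200
GET /contact/form 200
POST /contact/form 200
GET /docs/formatting 200
GET /api/products?page=2 200
POST /api/orders 201
GET /health 200
GET /orders/status 200
GET /blog/changelog 200
GET /backup/db.sql 200
"""

def parse(line):
    method, target, status = line.split()
    return {"method": method, "path": target.split("?", 1)[0], "status": int(status)}

def audit(log_text, action):
    """Requests the origin answered successfully on which a shortcut with `action` fires."""
    hits = []
    for line in log_text.splitlines():
        req = parse(line)
        names = [n for n, a, cond in SHORTCUTS if a == action and cond(req)]
        if names and req["status"] < 400:
            hits.append((req["method"], req["path"], names))
    return hits

if __name__ == "__main__":
    for action in ("Block", "JavaScript Challenge", "Bypass Rate Limit"):
        for method, path, names in audit(SAMPLE_LOG, action):
            print(f"{action:20} {method:4} {path:20} <- {', '.join(names)}")
```

In the constructed sample, `GET /contact/form` and `GET /docs/formatting` both match Form Submission Protection, and `/orders/status` matches the rate-limit bypass. Matches like these are the ones to resolve by customising the path condition before the shortcut is applied.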
