By editing a domain’s default settings, you can configure automated responses to thwart attacks against your entire site and its content. You can also tailor specific settings for individual paths.
To access content protection settings for an API path:
- Log in to the Distil Portal.
- Click API Security on the top banner menu, then select Web & Mobile App API.
- Select an API URL from your API URLs dashboard.
- Click Settings on the banner menu.
- Click Edit Settings by Path in the Content Protection section.
Content protection settings are organized by tabs, including:
- Automated Threats Policy – No Distil identifier and known threat detection.
- Rate Limiting Policy – Requests per minute and requests per session.
- Mobile Policy – Bad client and invalid or expired token.
NOTE: The Mobile Policy tab is only available for mobile SDK URLs.
You can activate multiple threat responses for Distil to use in automatically mitigating threats.
NOTE: All of these settings default to monitor-only mode for new customers.
Automated threat responses for dynamic web APIs include:
- Monitor – Identify bots without taking any action. Distil runs its entire detection suite but does not block or challenge the request. It does, however, embed an X-Distil bot header that identifies the type of bot and the threat checks the request failed, if any, so you can see what a stricter response would have blocked.
- Drop – Distil serves a drop page to the requester with the associated violation indicating their access to the API has been blocked.
- Drop (Unless CAPTCHA Cleared) – Distil serves a drop code to the requester with the associated violation indicating their access to the API has been blocked, unless the requester has successfully cleared a CAPTCHA form triggered by a Web Security violation during their visit.
If the visitor has successfully cleared a CAPTCHA form during their visit, Distil logs the request with the associated violation but does not block or impede the request from accessing your API.
For example, if you configure a web page to serve a CAPTCHA form to requests with violations, but the web page also makes AJAX requests to protected API paths, you may want to allow those API requests made by visitors who have successfully cleared CAPTCHA.
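Because every response defaults to monitor-only mode, the practical first step is to read the X-Distil bot header out of your origin's access logs and tally, per API path, how many requests a Drop response would have blocked. The script below is an added example, not Distil's code or part of the portal. It assumes a header named `X-Distil-Bot` whose value is `<bot-type>; <violation>[,<violation>...]` (or `-` when the request was not flagged) and an origin log line format of `METHOD PATH STATUS X-Distil-Bot: VALUE`; both the header name and the value format are assumptions to be checked against your own traffic, and the sample log lines are constructed.

```python
"""Estimate what the Drop response would block on each API path, using the
bot classification header Distil adds while a path is in Monitor mode.

Added example, not Distil's code. ASSUMPTIONS: the origin logs the header
as "X-Distil-Bot: <bot-type>; <violation>[,<violation>...]" (or "-" for
unflagged requests) at the end of each access-log line. Verify the real
header name and value format against your own responses before relying on
this parser.
"""
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines: method, path, status, header value.
SAMPLE_LOG = """\
GET /api/v1/products 200 X-Distil-Bot: -
GET /api/v1/products 200 X-Distil-Bot: bad-bot; known-violator,rate-limit
GET /api/v1/products 200 X-Distil-Bot: -
GET /api/v1/search 200 X-Distil-Bot: bad-bot; no-distil-identifier
GET /api/v1/search 200 X-Distil-Bot: bad-bot; rate-limit
GET /api/v1/search 200 X-Distil-Bot: -
GET /api/v1/cart 200 X-Distil-Bot: -
GET /api/v1/cart 200 X-Distil-Bot: good-bot; no-distil-identifier
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) X-Distil-Bot: (.*)$")


def parse_bot_header(value):
    """Split an assumed 'X-Distil-Bot' value into (bot_type, [violations]).
    A bare '-' (or an empty value) means the request was not flagged."""
    value = value.strip()
    if value in ("", "-"):
        return None, []
    bot_type, _, rest = value.partition(";")
    violations = [v.strip() for v in rest.split(",") if v.strip()]
    return bot_type.strip(), violations


def summarize(log_text):
    """Per path: total requests, requests classified 'bad-bot', and a Counter
    of the violations those requests carried. Only 'bad-bot' is counted as
    would-be-dropped; a 'good-bot' classification (e.g. a search crawler)
    is left alone even when it carries a violation."""
    stats = defaultdict(lambda: {"total": 0, "bad": 0, "violations": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the origin logged in another format
        _method, path, _status, header = m.groups()
        bot_type, violations = parse_bot_header(header)
        s = stats[path]
        s["total"] += 1
        if bot_type == "bad-bot":
            s["bad"] += 1
            s["violations"].update(violations)
    return dict(stats)


def paths_to_enforce(stats, min_bad_share=0.5, min_requests=2):
    """Paths where Drop would have blocked at least min_bad_share of the
    observed traffic. The thresholds are illustrative; tune them against
    real volumes before switching a path out of Monitor."""
    return sorted(
        path
        for path, s in stats.items()
        if s["total"] >= min_requests and s["bad"] / s["total"] >= min_bad_share
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for path, s in sorted(stats.items()):
        print(f"{path}: {s['bad']}/{s['total']} flagged, {dict(s['violations'])}")
    print("candidates for Drop:", paths_to_enforce(stats))
```

Run it against a day of real origin logs before changing a path's response: a path whose flagged share is dominated by a single violation such as the rate limit may be better served by tuning the Rate Limiting Policy than by switching straight to Drop, and the Drop (Unless CAPTCHA Cleared) variant still logs the violation for flagged requests that cleared a CAPTCHA, so the same tally works once enforcement is on.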