Product Security Feature Alpha
Product Security Feature Alpha (PSFA) allows you to manage traffic to your services with configurable rules. It helps you protect your tenant and conserve your rate limits against potential threats, such as denial-of-service (DoS) attacks, and ensures that only legitimate users access your applications.
How it works
When your tenant receives a request, PSFA processes that request and then determines how to respond based on the rules you have configured.
For example, if you are adopting the Model Context Protocol (MCP) in your tenant, you could use the dcr scope to avoid risks like unauthorized application registration or phishing attempts using misleading application names. To learn more, read References.
Rules
Rules are the building blocks of the PSFA feature. A rule is composed of the following elements:
- Signal: The signal is an identifying piece of information that is provided by the incoming request, such as IP address, geolocation, or user agent.
- Condition: The condition is the combination of an operator and a set of values (such as a list of IP addresses).
- Action: The action is the directive that your rule executes if criteria are met, such as allow, block, or redirect.
- Scope: The scope indicates which sets of endpoints the rule is enforced for.
- Priority: The priority defines the order in which the rule runs relative to other rules.
Importance of priority
It’s important to determine the correct priority of your rules, because PSFA follows strict execution logic:
- Evaluation order: PSFA evaluates rules in numerical order, with smaller numbers executing first. For example, a rule with priority 1 runs before priority 2, and priority 3 runs before priority 4.
- Match termination: If a rule’s conditions are met, PSFA performs the rule’s action immediately and does not evaluate subsequent rules and lists.
- Monitoring mode exception: If a rule’s conditions are met but it’s in monitoring mode, PSFA performs no action and skips to the next rule.
Careful assignment of priorities allows you to create granular access control policies tailored specifically to your needs.
Monitoring mode
When a rule is in monitoring mode, PSFA evaluates that rule as it normally would and emits a tenant log event, but does not execute the rule’s action and does not terminate evaluation of subsequent rules and lists.
Monitoring mode is the best way to test how your PSFA rule would affect incoming traffic without interfering with your current PSFA configuration. You can toggle monitoring mode for a rule by updating the action object. To learn more, read Configure Rules.
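To make the priority, match-termination and monitoring-mode behaviour described above concrete, here is an added example evaluator (not PSFA's own code) that applies the same logic to a constructed rule set: lowest priority number first, the first enforced match ends evaluation, and a monitoring-mode match is logged but neither enforced nor terminating. The signal names, operator names, action shapes and the sample IP ranges are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """A PSFA-style rule: signal, condition (operator + values), action, priority.
    Field and action names are assumptions for illustration, not PSFA's schema."""
    priority: int
    signal: str          # "ip", "geolocation" or "user_agent" (assumed signal names)
    operator: str        # "in" or "not_in" (assumed operator names)
    values: list
    action: dict         # e.g. {"allow": True}, {"block": True}, {"redirect": "<url>"}
    monitoring: bool = False
    evaluated: int = 0   # counters mirroring what the psfa_summary log reports
    matched: int = 0

def _condition_holds(rule, request):
    value = request.get(rule.signal)
    if value is None:
        return False
    if rule.signal == "ip":   # CIDR-aware comparison for IP lists
        addr = ipaddress.ip_address(value)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in rule.values)
    else:
        hit = value in rule.values
    return hit if rule.operator == "in" else not hit

def evaluate(rules, request, log):
    """Lowest priority number runs first; the first enforced match ends evaluation.
    A monitoring-mode match is logged, enforces nothing and does not terminate."""
    for rule in sorted(rules, key=lambda r: r.priority):
        rule.evaluated += 1
        if not _condition_holds(rule, request):
            continue
        rule.matched += 1
        log.append((rule.priority, "monitor" if rule.monitoring else "enforce", rule.action))
        if rule.monitoring:
            continue
        return rule.action
    return None  # nothing matched: the tenant's default handling applies

def sample_rules():
    # Constructed rule set: note that the priority-1 allow rule is in monitoring mode
    return [
        Rule(1, "ip", "in", ["203.0.113.7/32"], {"allow": True}, monitoring=True),
        Rule(2, "ip", "in", ["203.0.113.0/24"], {"block": True}),
        Rule(3, "user_agent", "in", ["bad-bot/1.0"], {"redirect": "https://example.invalid/blocked"}),
    ]
```

Running the sample rules against a request from 203.0.113.7 shows why priority matters: the monitoring-mode allow at priority 1 is only logged, so the block at priority 2 is what actually takes effect.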
Logging
A log event (psfa_summary) is created every 2 minutes for each PSFA rule with details of how that rule is affecting traffic.
- object (optional)
  - string (optional): Internal identifier of the rule. Example: psfa_dkFJiujerKKjo09JK
  - string (optional): Description of the rule. Example: Allow traffic that originates from the United States.
  - number (optional): Order in which the rule executes. Example: 1
  - object (optional): Action that the rule executes. Example: { "allow": true }
- object (optional)
  - number (optional): Total number of requests that the rule successfully matched. Example: 1
- object (optional)
  - number (optional): Total number of requests that the rule successfully evaluated. Example: 3
- string (optional): Datetime stamp of when the log counting period started. Example: 2025-03-19T16:11:07.429Z
- string (optional): Datetime stamp of when the log counting period ended. Example: 2025-03-19T16:21:07.429Z
Restrictions and limitations
- Customers on the Large plan can create 5 PSFA rules.
- Customers on the Large plan with the ExtraSecurity add-on can create up to 100 PSFA rules.
- Each PSFA rule can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).
- The User Agent identifier is not supported when using a custom domain.
- The auth0-forwarded-for header is not supported.