Web Workflow Validation and Enforcement Using ERL Penalty Box

Fastly’s Edge Rate Limiting Product is great for protecting against attacks such as DDOS.

Since ERL does maintain a limited amount of state, there are other creative things you can do with ERL. In this example, I’ll explain how ERL can be used to perform workflow validation for your web application. Workflow validation involves defining the correct sequence of actions or steps that a legitimate user should follow when using the application. This could be anything from user registration, logging in, accessing specific resources, to performing transactions. The defined workflows should align with business logic and security requirements.

The Edge Rate Limiting penalty box entry can be used to manage limited amounts of ephemeral state. The following fiddle shows how you can make an entry into the penalty box for a client identifier.The test requests demonstrate failing and passing the workflow validation.


The first request in the above example fails because a penalty box entry does not exist in the penalty box for the client identifier. Once the requests are sent to create entries in the penalty box, the client will be able to send requests further in the workflow.

The client identifier used in the fiddle is the HTTP request header rl-key, but it could very easily be client.ip, a cookie value, or some other information available within the request or response. A more robust solution to leverage workflow validation would involve setting state in an encrypted client cookie such as a JWT. Here is a great tutorial on JWTs using Fastly, Decoding JSON Web Tokens (VCL) | Fastly Documentation. The advantage of having the client maintain state instead of the ERL Penalty box, is that the state is managed for each client instead of something more broad such as an IP address.