Skip to main content

Programmable Mitigation

Programmable mitigation inspects requests against custom conditions and applies actions such as blocking or rate limiting at the edge. It complements the managed AI-WAF: where the AI-WAF applies managed threat policies, programmable mitigation lets you express edge rules keyed on request attributes.

The page has two tabs: Web Access Control and Rate Limiting.

Plan feature

Programmable Mitigation is available on the Pro plan and above. On a lower plan you can open the pages, but Add … Rule shows an Upgrade required prompt instead of the rule editor — see Plans & settings.

Programmable Mitigation — upgrade required

Web Access Control

Restrict requests by specific key values, such as IP address or user agent.

Programmable Mitigation — Web Access Control

The rule table shows ID, Name, Description, Website, Operation. Click Add Web Access Control Rule to define a rule that matches on a request signal (IP, path, user agent…) and takes an action, then apply it to a website.

Rate Limiting

Restrict requests that excessively access the website — throttle abusive request rates.

Programmable Mitigation — Rate Limiting

Click Add Rate Limiting Rule to cap how often a client may hit a website (or path), and choose what happens when the limit is exceeded. Use it to blunt brute-force and scraping bursts.

tip

This is the programmable, rule-based rate limiter. There's also a per-website Rate Limit under the site's Access Control configuration — use whichever fits: site-scoped config vs. reusable programmable rules.