Condition fields reference¶
The language used in Peakhour.IO supports various condition fields to evaluate requests and responses. These fields can be divided into several categories: Standard request fields, Standard response fields, GeoIP fields, User agent fields, Bot fields and Fingerprint ML fields.
Standard request fields¶
Standard request fields provide information about the incoming request. These fields can be used to make decisions based on the request parameters.
| field | description |
|---|---|
| http.host | Value of the Host header |
| http.referer | Value of Referer request header. |
| http.request.cookies | Map of cookie names to values. |
| http.request.headers | Map of lowercase header names to array of bytes. |
| http.request.method | Request method ("GET"). |
| http.request.timestamp.sec | Approximate time when request was received (UNIX time in seconds). |
| http.request.uri | Full path with query ("/path?query=value"). |
| http.request.uri.path | Path only without query ("/path"). |
| http.request.uri.query | Query only without starting ? ("query=value"). |
| http.request.version | HTTP version ("HTTP/1.1"). |
| http.user_agent | Value of User-Agent request header. |
| ip.src | IP address. ("127.0.0.1"). |
| ssl | Whether the request is over TLS. |
For example, the field http.user_agent can be used to check for user-agents with the word curl present.
Standard response fields¶
Standard response fields provide information about the outgoing response. These fields can be used to make decisions based on the response parameters.
| field | description |
|---|---|
| http.response.code | HTTP response code as integer. |
| http.response.content_type.media_type | The Content-Type header value, lowercase, with parameters stripped. |
| http.response.headers | Map of lowercase header names to array of bytes. |
For example, the field http.response.code can be used to check if the response code is equal to a certain value:
GeoIP fields¶
GeoIP fields provide information about the geographical location of the request's origin. These fields can be used to make decisions based on the request's origin.
| field | description |
|---|---|
| ip.geoip.asnum | int, AS number |
| ip.geoip.country | country code |
For example, the field ip.geoip.country can be used to check if the request originates from a specific country:
User agent fields¶
User agent fields provide information about the client making the request. These fields can be used to make decisions based on the client's user agent string.
| field | description | |---------------------|--------------------------------------------------------------------------------------------------------------------------------------| | user_agent.bot | boolean. True if parsed user agent is detected as bot | | user_agent.bot.type | none, other, google, yandex, bing, facebook, alexa, apple, pinterest, petal, yahoo, duckduckgo, stripe, letsencrypt, ahrefs, semrush | | user_agent.mobile | boolean | | user_agent.software | unknown, browser, app, site-monitor, search-bot, bot | | user_agent.type | unknown, browser, mobile, bot, search-bot, email |
For example, the field user_agent.mobile can be used to check if the client is making the request from a mobile device:
Bot fields¶
Bot fields provide information about whether the client making the request is a bot. These fields can be used to make decisions based on the client's bot status.
| field | description |
|---|---|
| bot.verified | boolean. True if bot is verified. |
| bot.verification_state | unknown, verifying, error, unverified, verified |
For example, the field bot.verified can be used to check if the client's bot is verified:
WAF Fields¶
WAF fields provide information from the Web Application Firewall about the request.
| field | description |
|---|---|
| peakhour.waf.exposed_password | Boolean. True if WAF rules detected an exposed password. |
Error Response Fields¶
Error response fields provide information about errors that occurred during response processing.
| field | description |
|---|---|
| peakhour.response.error | The type of error that occurred (e.g., waf). |
Fingerprint Fields¶
Fingerprint fields provide information about the client's network characteristics, which can be used to identify and classify traffic. For a detailed explanation, see Network Fingerprinting.
| field | description |
|---|---|
| fingerprint.http | HTTP fingerprint. |
| fingerprint.http2 | HTTP/2 fingerprint. |
| fingerprint.ml | Map of class names (string) to score (0-100) from machine learning models. |
| fingerprint.tcp | TCP fingerprint. |
| fingerprint.tls | TLS fingerprint. |
| fingerprint.tls.ja4 | JA4 TLS fingerprint. |
| fingerprint.tls.v3 | TLS fingerprint with sorted ciphers. |
Origin Shield Fields¶
Origin Shield Fields are used to identify and interact with origin shields that protect the origin servers from direct public traffic.
| Field | Description |
|---|---|
backend.is_shield |
Boolean. True if runs on shield. |
Peakhour Fields¶
Peakhour Fields provide insights specific to the Peakhour platform, such as user session information and proxy detection.
| Field | Description |
|---|---|
peakhour.request.session |
Bytes. Value of the request session, either extracted from client cookies or generated by RP. |
peakhour.client.proxy |
Boolean. True if the client is detected to be behind a residential proxy. |
Peakhour Server Fields¶
Peakhour Server Fields deliver details regarding the server configurations and locations within the Peakhour system.
| Field | Description |
|---|---|
peakhour.server.name |
Bytes. The POP server name that handled the request |